stable-bot: Bugfixes waiting for a release 2.1 (12), 2.0 (11)
Hi,

This is a friendly bot that watches fixes pending for the next haproxy-stable release! One such e-mail is sent periodically once patches are waiting in the last maintenance branch, and an ideal release date is computed based on the severity of these fixes and their merge date.

Responses to this mail must be sent to the mailing list.

Last release 2.1.10 was issued on 2020-11-05. There are currently 12 patches in the queue cut down this way:
- 2 MAJOR, first one merged on 2020-11-13
- 2 MEDIUM, first one merged on 2020-11-13
- 8 MINOR, first one merged on 2020-11-06

Thus the computed ideal release date for 2.1.11 would be 2020-12-11, which is in one week or less.

Last release 2.0.19 was issued on 2020-11-06. There are currently 11 patches in the queue cut down this way:
- 2 MAJOR, first one merged on 2020-11-13
- 2 MEDIUM, first one merged on 2020-11-13
- 7 MINOR, first one merged on 2020-11-13

Thus the computed ideal release date for 2.0.20 would be 2020-12-11, which is in one week or less.

The current list of patches in the queue is:
- 2.0, 2.1 - MAJOR : spoe: Be sure to remove all references on a released spoe applet
- 2.0, 2.1 - MAJOR : filters: Always keep all offsets up to date during data filtering
- 2.0, 2.1 - MEDIUM : peers: fix decoding of multi-byte length in stick-table messages
- 2.0, 2.1 - MEDIUM : filters: Forward all filtered data at the end of http filtering
- 2.0, 2.1 - MINOR : http-ana: Don't wait for the body of CONNECT requests
- 2.1 - MINOR : http-htx: Just warn if payload of an errorfile doesn't match the C-L
- 2.0, 2.1 - MINOR : lua: set buffer size during map lookups
- 2.0, 2.1 - MINOR : pattern: a sample marked as const could be written
- 2.0, 2.1 - MINOR : peers: Do not ignore a protocol error for dictionary entries.
- 2.0, 2.1 - MINOR : http-fetch: Extract cookie value even when no cookie name
- 2.0, 2.1 - MINOR : http-fetch: Fix calls w/o parentheses of the cookie sample fetches
- 2.0, 2.1 - MINOR : peers: Missing TX cache entries reset.

--
The haproxy stable-bot is freely provided by HAProxy Technologies to help improve the quality of each HAProxy release. If you have any issue with these emails or if you want to suggest some improvements, please post them on the list so that the solutions suiting the most users can be found.
Re: contrib/spoa/python: A few doc typo and bug fixes
No issue with backporting to 2.0. I just mentioned 2.2 as it's the last.

Thanks.
Gilchrist

On Tue, Dec 8, 2020, 16:01 Christopher Faulet wrote:
> On 08/12/2020 at 15:37, Gilchrist Dadaglo wrote:
> > Hi Team,
> > Please find here-after a few patches for SPOA python module; mainly memory related and a couple documentation rewrites. I put them under test for a few months now and no additional issue to report so far.
> > Could you please help merge them to master?
> > Any chance they can be backported to 2.2 (LTS)?
> >
> > Thanks !
>
> I will handle it. Any reason to not backport these patches as far as 2.0 ?
>
> --
> Christopher Faulet
Re: dynamic ssl certificate updates with changed intermediate
Hi William,

On 08.12.20 15:13, William Lallemand wrote:
> I then updated the certificate this way:
>
> $ echo -e -n "@1 set ssl cert server1.fullchain.pem <<\n$(cat server2.fullchain.pem)\n\n" | socat - /tmp/master.socket
> Transaction created for certificate server1.fullchain.pem!
>
> $ echo "@1 commit ssl cert server1.fullchain.pem" | socat - /tmp/master.socket
> Committing server1.fullchain.pem.
> Success!
>
> And checked that the certificate is correctly updated:

True, what fails though is the dynamic ocsp-response update after that, sorry for the imprecise problem description before. This happens after a dynamic cert update that *includes* an intermediate cert update, if you then also try to make a dynamic ocsp-response update:

# echo "set ssl ocsp-response $(base64 -w 1 ${DIRNAME}/ocsp.der)" | socat ...
OCSP single response: Certificate ID does not match any certificate or issuer.

Björn
Re: contrib/spoa/python: A few doc typo and bug fixes
On 08/12/2020 at 15:37, Gilchrist Dadaglo wrote:
> Hi Team,
> Please find here-after a few patches for SPOA python module; mainly memory related and a couple documentation rewrites. I put them under test for a few months now and no additional issue to report so far.
> Could you please help merge them to master?
> Any chance they can be backported to 2.2 (LTS)?
>
> Thanks !

I will handle it. Any reason to not backport these patches as far as 2.0 ?

--
Christopher Faulet
Re: Crash when using wlc in multithreaded mode with agent checks (1.8.26).
On 04/12/2020 at 21:24, Peter Statham wrote:
> I might have spoken too soon. The latest release of 1.8 works flawlessly on my debian desktop but still crashes when I attempt the same configuration on a CentOS virtual machine on our VMWare cluster. I'm not sure if this is down to differences in the way memory fencing or thread scheduling work on these platforms or if it is a library/compiler issue.
>
> Backporting the LBPRM spinlocks from 1.9's src/lb_fwlc.c seems to help but I will continue investigating and hopefully rule out some of the other possibilities.

Hum, not good. Peter, is it the same crash or not? I didn't check very deeply, but I guess you backported the commit 1b87748ff5 ("BUG/MEDIUM: lb/threads: always properly lock LB algorithms on maintenance operations"). A comment in the commit message says it may be required on the 1.8 if some bugs surface in this area. However I'm surprised because locked functions are called for the rendez-vous point. It means all threads are blocked at the same point, waiting for the updates on servers to be performed.

--
Christopher Faulet
[PATCH 8/8] BUG/MEDIUM: spoa/python: Fixing references to None
As per https://docs.python.org/3/c-api/none.html, None has to be treated exactly like other objects for reference counting. So, when we use it, we need to INCREF and when we are done, DECREF --- contrib/spoa_server/ps_python.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/contrib/spoa_server/ps_python.c b/contrib/spoa_server/ps_python.c index 20861d6..04b21f1 100644 --- a/contrib/spoa_server/ps_python.c +++ b/contrib/spoa_server/ps_python.c @@ -634,6 +634,7 @@ static int ps_python_exec_message(struct worker *w, void *ref, int nargs, struct switch (args[i].value.type) { case SPOE_DATA_T_NULL: + Py_INCREF(Py_None); value = Py_None; break; case SPOE_DATA_T_BOOL: @@ -722,6 +723,7 @@ static int ps_python_exec_message(struct worker *w, void *ref, int nargs, struct value = PY_BYTES_FROM_STRING_AND_SIZE(args[i].value.u.buffer.str, args[i].value.u.buffer.len); break; default: + Py_INCREF(Py_None); value = Py_None; break; } @@ -786,9 +788,7 @@ static int ps_python_exec_message(struct worker *w, void *ref, int nargs, struct PyErr_Print(); return 0; } - if (result != Py_None) { - Py_DECREF(result); - } + Py_DECREF(result); return 1; } -- 2.23.3
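Review bot: The two `Py_INCREF(Py_None)` additions before `value = Py_None` (the SPOE_DATA_T_NULL case and the `default:` case) make those branches own their reference the same way the branches that build a new object do, so the DECREF that follows the switch is now balanced for every type. Since the `default:` branch silently maps an unknown `args[i].value.type` to None, a one-line comment there stating that this is deliberate would spare the next reader a detour.

Review bot: Dropping the `if (result != Py_None)` guard around `Py_DECREF(result)` in the last hunk is the right fix: PyObject_Call returns a new reference whatever the object is, None included, so the guard leaked one reference to None for every message whose handler returned nothing. That leak partly masked the opposite error fixed in patch 1/8 (`return Py_None` without an INCREF); the commit message should say the two are meant to land together, because backporting only one of them moves None's refcount in a single direction.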
[PATCH 4/8] DOC/MINOR: spoa/python: Fixing typos in comments
Fixing a missing letter in a comment --- contrib/spoa_server/ps_python.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/spoa_server/ps_python.c b/contrib/spoa_server/ps_python.c index 380d5b3..fbaa414 100644 --- a/contrib/spoa_server/ps_python.c +++ b/contrib/spoa_server/ps_python.c @@ -591,7 +591,7 @@ static int ps_python_exec_message(struct worker *w, void *ref, int nargs, struct return 0; } - /* Create th value entry */ + /* Create the value entry */ key = PY_STRING_FROM_STRING("value"); if (key == NULL) { -- 2.23.3
[PATCH 2/8] DOC/MINOR: spoa/python: Fixing typo in IP related error messages
This commit fixes typos in the ps_python_set_var_ip* byte manipulation error messages --- contrib/spoa_server/ps_python.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/contrib/spoa_server/ps_python.c b/contrib/spoa_server/ps_python.c index 81bb932..ec97f30 100644 --- a/contrib/spoa_server/ps_python.c +++ b/contrib/spoa_server/ps_python.c @@ -236,7 +236,7 @@ static PyObject *ps_python_set_var_ipv4(PyObject *self, PyObject *args) if (value == NULL) return NULL; if (PY_STRING_GET_SIZE(value) != sizeof(ip)) { - PyErr_Format(spoa_error, "UPv6 manipulation internal error"); + PyErr_Format(spoa_error, "IPv4 manipulation internal error"); return NULL; } memcpy(&ip, PY_STRING_AS_STRING(value), PY_STRING_GET_SIZE(value)); @@ -273,7 +273,7 @@ static PyObject *ps_python_set_var_ipv6(PyObject *self, PyObject *args) if (value == NULL) return NULL; if (PY_STRING_GET_SIZE(value) != sizeof(ip)) { - PyErr_Format(spoa_error, "UPv6 manipulation internal error"); + PyErr_Format(spoa_error, "IPv6 manipulation internal error"); return NULL; } memcpy(&ip, PY_STRING_AS_STRING(value), PY_STRING_GET_SIZE(value)); -- 2.23.3
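Review bot: In the first hunk the wording matters beyond cosmetics: a length mismatch inside `ps_python_set_var_ipv4` used to report "UPv6", which points whoever is debugging at the wrong function. Since the `PY_STRING_GET_SIZE(value) != sizeof(ip)` test is what protects the following `memcpy(&ip, ...)` from short or oversized input, consider adding the expected and actual sizes to the message, as `PyErr_Format` already takes a format string, so that the error is actionable on its own.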
[PATCH 6/8] BUG/MINOR: spoa/python: Cleanup ipaddress objects if initialization fails
This change is to ensure objects from the ipaddress module are cleaned up when spoa module initialization fails. In general the interpreter would just crash, but in a code where import is conditional (try/except), then we would keep those objects around --- contrib/spoa_server/ps_python.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/contrib/spoa_server/ps_python.c b/contrib/spoa_server/ps_python.c index 12953f3..f2ddc16 100644 --- a/contrib/spoa_server/ps_python.c +++ b/contrib/spoa_server/ps_python.c @@ -410,18 +410,24 @@ static int ps_python_start_worker(struct worker *w) ipv4_address = PyObject_GetAttrString(module_ipaddress, "IPv4Address"); if (ipv4_address == NULL) { + Py_DECREF(module_ipaddress); PyErr_Print(); return 0; } ipv6_address = PyObject_GetAttrString(module_ipaddress, "IPv6Address"); if (ipv6_address == NULL) { + Py_DECREF(ipv4_address); + Py_DECREF(module_ipaddress); PyErr_Print(); return 0; } PY_INIT_MODULE(m, "spoa", spoa_methods, &spoa_module_definition); if (m == NULL) { + Py_DECREF(ipv4_address); + Py_DECREF(ipv6_address); + Py_DECREF(module_ipaddress); PyErr_Print(); return 0; } -- 2.23.3
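Review bot: The added `Py_DECREF` calls release the objects but leave the static globals `module_ipaddress`, `ipv4_address` and `ipv6_address` pointing at freed memory, since only the counts are dropped in these three error paths. Using `Py_CLEAR(module_ipaddress)` (or a DECREF followed by assigning NULL) keeps any later code that consults these globals, for instance a second worker start or a `Py_XDECREF` at shutdown, from touching a dangling pointer; the same applies to `ipv4_address` and `ipv6_address` in the second and third hunks.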
[PATCH 7/8] BUG/MEDIUM: spoa/python: Fixing PyObject_Call positional arguments
As per https://docs.python.org/3/c-api/object.html#c.PyObject_Call, positional arguments should be an empty tuple when not used. Previously the code had a dictionary instead of tuple. This commit is to fix it and use tuple to avoid unexpected consequences --- contrib/spoa_server/ps_python.c | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/contrib/spoa_server/ps_python.c b/contrib/spoa_server/ps_python.c index f2ddc16..20861d6 100644 --- a/contrib/spoa_server/ps_python.c +++ b/contrib/spoa_server/ps_python.c @@ -43,7 +43,7 @@ static PyObject *module_ipaddress; static PyObject *ipv4_address; static PyObject *ipv6_address; static PyObject *spoa_error; -static PyObject *empty_array; +static PyObject *empty_tuple; static struct worker *worker; static int ps_python_start_worker(struct worker *w); @@ -522,8 +522,8 @@ static int ps_python_start_worker(struct worker *w) return 0; } - empty_array = PyDict_New(); - if (empty_array == NULL) { + empty_tuple = PyTuple_New(0); + if (empty_tuple == NULL) { PyErr_Print(); return 0; } @@ -710,7 +710,7 @@ static int ps_python_exec_message(struct worker *w, void *ref, int nargs, struct PyErr_Print(); return 0; } - value = PyObject_Call(func, empty_array, ip_dict); + value = PyObject_Call(func, empty_tuple, ip_dict); Py_DECREF(func); Py_DECREF(ip_dict); break; @@ -780,7 +780,7 @@ static int ps_python_exec_message(struct worker *w, void *ref, int nargs, struct return 0; } - result = PyObject_Call(python_ref, empty_array, fkw); + result = PyObject_Call(python_ref, empty_tuple, fkw); Py_DECREF(fkw); if (result == NULL) { PyErr_Print(); -- 2.23.3
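Review bot: Replacing `PyDict_New()` with `PyTuple_New(0)` for the positional-argument slot is correct; PyObject_Call requires a tuple there and a dict is only caught by an assertion in debug builds, so release builds were relying on undefined behaviour. In the hunk around line 710, the result of `value = PyObject_Call(func, empty_tuple, ip_dict)` is not NULL-checked within the shown lines before `Py_DECREF(func); Py_DECREF(ip_dict); break;`; if that check is not performed after the switch, a failing call leaves `value` NULL and the error set on the interpreter unreported. Worth confirming, or adding `if (value == NULL) { PyErr_Print(); return 0; }` inside the case.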
[PATCH 3/8] DOC/MINOR: spoa/python: Rephrasing memory related error messages
The old message "No more space left available" was redundant with "left available". This commit is to rephrase that sentence and make it more explicit we are talking about memory --- contrib/spoa_server/ps_python.c | 20 ++-- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/contrib/spoa_server/ps_python.c b/contrib/spoa_server/ps_python.c index ec97f30..380d5b3 100644 --- a/contrib/spoa_server/ps_python.c +++ b/contrib/spoa_server/ps_python.c @@ -106,7 +106,7 @@ static PyObject *ps_python_set_var_null(PyObject *self, PyObject *args) if (name_len_i == -1) return NULL; if (!set_var_null(worker, name, name_len_i, scope)) { - PyErr_SetString(spoa_error, "No space left available"); + PyErr_SetString(spoa_error, "No more memory space available"); return NULL; } Py_RETURN_NONE; @@ -126,7 +126,7 @@ static PyObject *ps_python_set_var_boolean(PyObject *self, PyObject *args) if (name_len_i == -1) return NULL; if (!set_var_bool(worker, name, name_len_i, scope, value)) { - PyErr_SetString(spoa_error, "No space left available"); + PyErr_SetString(spoa_error, "No more memory space available"); return NULL; } Py_RETURN_NONE; @@ -146,7 +146,7 @@ static PyObject *ps_python_set_var_int32(PyObject *self, PyObject *args) if (name_len_i == -1) return NULL; if (!set_var_int32(worker, name, name_len_i, scope, value)) { - PyErr_SetString(spoa_error, "No space left available"); + PyErr_SetString(spoa_error, "No more memory space available"); return NULL; } Py_RETURN_NONE; @@ -166,7 +166,7 @@ static PyObject *ps_python_set_var_uint32(PyObject *self, PyObject *args) if (name_len_i == -1) return NULL; if (!set_var_uint32(worker, name, name_len_i, scope, value)) { - PyErr_SetString(spoa_error, "No space left available"); + PyErr_SetString(spoa_error, "No more memory space available"); return NULL; } Py_RETURN_NONE; 
@@ -186,7 +186,7 @@ static PyObject *ps_python_set_var_int64(PyObject *self, PyObject *args) if (name_len_i == -1) return NULL; if (!set_var_int64(worker, name, name_len_i, scope, value)) { - PyErr_SetString(spoa_error, "No space left available"); + PyErr_SetString(spoa_error, "No more memory space available"); return NULL; } Py_RETURN_NONE; @@ -206,7 +206,7 @@ static PyObject *ps_python_set_var_uint64(PyObject *self, PyObject *args) if (name_len_i == -1) return NULL; if (!set_var_uint64(worker, name, name_len_i, scope, value)) { - PyErr_SetString(spoa_error, "No space left available"); + PyErr_SetString(spoa_error, "No more memory space available"); return NULL; } Py_RETURN_NONE; @@ -241,7 +241,7 @@ static PyObject *ps_python_set_var_ipv4(PyObject *self, PyObject *args) } memcpy(&ip, PY_STRING_AS_STRING(value), PY_STRING_GET_SIZE(value)); if (!set_var_ipv4(worker, name, name_len_i, scope, &ip)) { - PyErr_SetString(spoa_error, "No space left available"); + PyErr_SetString(spoa_error, "No more memory space available"); return NULL; } /* Once we set the IP value in the worker, we don't need it anymore... */ @@ -278,7 +278,7 @@ static PyObject *ps_python_set_var_ipv6(PyObject *self, PyObject *args) } memcpy(&ip, PY_STRING_AS_STRING(value), PY_STRING_GET_SIZE(value)); if (!set_var_ipv6(worker, name, name_len_i, scope, &ip)) { - PyErr_SetString(spoa_error, "No space left available"); + PyErr_SetString(spoa_error, "No more memory space available"); return NULL; } /* Once we set the IP value in the worker, we don't need it anymore... */ @@ -303,7 +303,7 @@ static PyObject *ps_python_set_var_str(PyObject *self, PyObject *args) if (name_len_i == -1 || value_len_i == -1) return NULL; if (!set_var_string(worker, name, name_len_i, scope, value, value_len_i)) { - PyErr_SetString(spoa_error, "No space left available"); + PyErr_SetString(spoa_error, "No more memory space available"); return NULL; } Py_RETURN_NONE; 
@@ -326,7 +326,7 @@ static PyObject *ps_python_set_var_bin(PyObject *self, PyObject *args) if (name_len_i == -1 || value_len_i == -1) return NULL; if (!set_var_bin(worker, name, name_len_i, scope, value, value_len_i)) { - PyErr_SetString(spoa_error, "No space left available"); + PyErr_SetString(spoa_error, "No more memory space av
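Review bot: The literal "No more memory space available" now appears once per set_var_* wrapper, ten copies across these hunks. A single `static const char` string (or a macro next to `spoa_error`) would make the next rewording a one-line change and prevent the copies drifting apart again, which is exactly how the "UPv6" message fixed in patch 2/8 came about.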
[PATCH 5/8] BUG/MINOR: spoa/python: Cleanup references for failed Module Addobject operations
As per https://docs.python.org/3/c-api/module.html#c.PyModule_AddObject, references are stolen by the function only for success. We must do cleanup manually if there is a failure --- contrib/spoa_server/ps_python.c | 27 ++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/contrib/spoa_server/ps_python.c b/contrib/spoa_server/ps_python.c index fbaa414..12953f3 100644 --- a/contrib/spoa_server/ps_python.c +++ b/contrib/spoa_server/ps_python.c @@ -427,8 +427,19 @@ static int ps_python_start_worker(struct worker *w) } spoa_error = PyErr_NewException("spoa.error", NULL, NULL); +/* PyModule_AddObject will steal the reference to spoa_error +* in case of success only +* We need to increment the counters to continue using it +* but cleanup in case of failure +*/ Py_INCREF(spoa_error); - PyModule_AddObject(m, "error", spoa_error); + ret = PyModule_AddObject(m, "error", spoa_error); + if (ret == -1) { + Py_DECREF(m); + Py_DECREF(spoa_error); + PyErr_Print(); + return 0; + } value = PyLong_FromLong(SPOE_SCOPE_PROC); 
@@ -439,54 +450,68 @@ static int ps_python_start_worker(struct worker *w) ret = PyModule_AddObject(m, "scope_proc", value); if (ret == -1) { + Py_DECREF(m); + Py_DECREF(value); PyErr_Print(); return 0; } value = PyLong_FromLong(SPOE_SCOPE_SESS); if (value == NULL) { + Py_DECREF(m); PyErr_Print(); return 0; } ret = PyModule_AddObject(m, "scope_sess", value); if (ret == -1) { + Py_DECREF(m); + Py_DECREF(value); PyErr_Print(); return 0; } value = PyLong_FromLong(SPOE_SCOPE_TXN); if (value == NULL) { + Py_DECREF(m); PyErr_Print(); return 0; } ret = PyModule_AddObject(m, "scope_txn", value); if (ret == -1) { + Py_DECREF(m); + Py_DECREF(value); PyErr_Print(); return 0; } value = PyLong_FromLong(SPOE_SCOPE_REQ); if (value == NULL) { + Py_DECREF(m); PyErr_Print(); return 0; } ret = PyModule_AddObject(m, "scope_req", value); if (ret == -1) { + Py_DECREF(m); + Py_DECREF(value); PyErr_Print(); return 0; } value = PyLong_FromLong(SPOE_SCOPE_RES); if (value == NULL) { + Py_DECREF(m); PyErr_Print(); return 0; } ret = PyModule_AddObject(m, "scope_res", value); if (ret == -1) { + Py_DECREF(m); + Py_DECREF(value); PyErr_Print(); return 0; } -- 2.23.3
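Review bot: In the first hunk, `spoa_error = PyErr_NewException("spoa.error", NULL, NULL);` is still followed by `Py_INCREF(spoa_error)` with no NULL check, so an allocation failure crashes before the new `ret == -1` handling is ever reached; add `if (spoa_error == NULL) { Py_DECREF(m); PyErr_Print(); return 0; }` ahead of the INCREF. Also, the inserted comment block starts at column 0 with its `*` continuation lines unaligned; indent it like the surrounding code.

Review bot: Every failure path in the second hunk now does `Py_DECREF(m)`, which assumes the module object returned by `PY_INIT_MODULE` is owned by this function. That holds for PyModule_Create on Python 3, but if the macro maps to Py_InitModule on Python 2 the reference is borrowed and DECREFing it is wrong; please confirm the macro's definition, or put the DECREF behind the same version conditional the macro uses.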
[PATCH 1/8] BUG/MAJOR: spoa/python: Fixing return None
As per https://docs.python.org/3/c-api/none.html, None requires to be incremented before being returned to prevent deallocating none --- contrib/spoa_server/ps_python.c | 22 +++--- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/contrib/spoa_server/ps_python.c b/contrib/spoa_server/ps_python.c index 5cb7ca8..81bb932 100644 --- a/contrib/spoa_server/ps_python.c +++ b/contrib/spoa_server/ps_python.c @@ -90,7 +90,7 @@ static PyObject *ps_python_register_message(PyObject *self, PyObject *args) ps_register_message(&ps_python_bindings, name, (void *)ref); - return Py_None; + Py_RETURN_NONE; } static PyObject *ps_python_set_var_null(PyObject *self, PyObject *args) @@ -109,7 +109,7 @@ static PyObject *ps_python_set_var_null(PyObject *self, PyObject *args) PyErr_SetString(spoa_error, "No space left available"); return NULL; } - return Py_None; + Py_RETURN_NONE; } static PyObject *ps_python_set_var_boolean(PyObject *self, PyObject *args) @@ -129,7 +129,7 @@ static PyObject *ps_python_set_var_boolean(PyObject *self, PyObject *args) PyErr_SetString(spoa_error, "No space left available"); return NULL; } - return Py_None; + Py_RETURN_NONE; } static PyObject *ps_python_set_var_int32(PyObject *self, PyObject *args) @@ -149,7 +149,7 @@ static PyObject *ps_python_set_var_int32(PyObject *self, PyObject *args) PyErr_SetString(spoa_error, "No space left available"); return NULL; } - return Py_None; + Py_RETURN_NONE; } static PyObject *ps_python_set_var_uint32(PyObject *self, PyObject *args) @@ -169,7 +169,7 @@ static PyObject *ps_python_set_var_uint32(PyObject *self, PyObject *args) PyErr_SetString(spoa_error, "No space left available"); return NULL; } - return Py_None; + Py_RETURN_NONE; } static PyObject *ps_python_set_var_int64(PyObject *self, PyObject *args) 
@@ -189,7 +189,7 @@ static PyObject *ps_python_set_var_int64(PyObject *self, PyObject *args) PyErr_SetString(spoa_error, "No space left available"); return NULL; } - return Py_None; + Py_RETURN_NONE; } static PyObject *ps_python_set_var_uint64(PyObject *self, PyObject *args) @@ -209,7 +209,7 @@ static PyObject *ps_python_set_var_uint64(PyObject *self, PyObject *args) PyErr_SetString(spoa_error, "No space left available"); return NULL; } - return Py_None; + Py_RETURN_NONE; } static PyObject *ps_python_set_var_ipv4(PyObject *self, PyObject *args) @@ -246,7 +246,7 @@ static PyObject *ps_python_set_var_ipv4(PyObject *self, PyObject *args) } /* Once we set the IP value in the worker, we don't need it anymore... */ Py_XDECREF(value); - return Py_None; + Py_RETURN_NONE; } static PyObject *ps_python_set_var_ipv6(PyObject *self, PyObject *args) @@ -283,7 +283,7 @@ static PyObject *ps_python_set_var_ipv6(PyObject *self, PyObject *args) } /* Once we set the IP value in the worker, we don't need it anymore... */ Py_XDECREF(value); - return Py_None; + Py_RETURN_NONE; } static PyObject *ps_python_set_var_str(PyObject *self, PyObject *args) @@ -306,7 +306,7 @@ static PyObject *ps_python_set_var_str(PyObject *self, PyObject *args) PyErr_SetString(spoa_error, "No space left available"); return NULL; } - return Py_None; + Py_RETURN_NONE; } static PyObject *ps_python_set_var_bin(PyObject *self, PyObject *args) @@ -329,7 +329,7 @@ static PyObject *ps_python_set_var_bin(PyObject *self, PyObject *args) PyErr_SetString(spoa_error, "No space left available"); return NULL; } - return Py_None; + Py_RETURN_NONE; } -- 2.23.3
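Review bot: `Py_RETURN_NONE` expands to `Py_INCREF(Py_None); return Py_None;`, which is what each of these C-level functions needs, since the interpreter DECREFs whatever they return. The bare `return Py_None` in the removed lines decremented None's count on every set_var call, which after enough messages ends in "Fatal Python error: deallocating None", so BUG/MAJOR is the right severity. Naming that symptom in the commit message would let people who hit the crash match it to this fix.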
contrib/spoa/python: A few doc typo and bug fixes
Hi Team,

Please find here-after a few patches for SPOA python module; mainly memory related and a couple documentation rewrites. I put them under test for a few months now and no additional issue to report so far.

Could you please help merge them to master?

Any chance they can be backported to 2.2 (LTS)?

Thanks
Gilchrist
Re: dynamic ssl certificate updates with changed intermediate
On Tue, Dec 08, 2020 at 11:48:41AM +0100, William Lallemand wrote:
> On Sat, Dec 05, 2020 at 02:57:03AM +0100, Björn Jacke wrote:
> > Hi,
> >
> > I ran into an issue with haproxy 2.2.6, where I'm not sure if this is working as intended or not. I have a frontend, which has a ssl cert configured in a combined pem file, containing the private, public and intermediate certificate. The bind line looks like this:
> >
> > bind 203.0.113.1 ssl crt /certs/host.example.org/combined.pem.rsa ...
> >
> > If I renew the certificate, it works as also shown in
> >
> > https://www.haproxy.com/blog/dynamic-ssl-certificate-storage-in-haproxy/
> >
> > via
> >
> > echo "set ssl cert ${DIRNAME}/combined.pem.rsa" | socat ...
> >
> > Everything worked fine since quite a while ...
> >
> > until now the issuing intermediate certificate changed. I would expect that above mentioned "set ssl cert combined.pem.rsa" would also update the intermediate certificate - but the *previous* intermediate is still being used by haproxy. I noticed this actually only because the "set ssl ocsp-response" returned "Certificate ID does not match any certificate or issuer". It took me quite a while to spot that the intermediate was not updated.
> >
> > So the final question is, is this a bug or is the intermediate not supposed to be updated along with the combined.pem but differently? A reload or restart of haproxy will activate the new intermediate certificate of course.
> >
> Looks like a bug to me, the intermediate certificate is indeed supposed to be updated, I'll look into this.
>

I made some tests and I can't reproduce the issue, could you check with the CLI that the intermediate changed with "show ssl cert"?

This is the test I made: 1 Root CA, 2 Intermediates, 2 server certificates made with each intermediate.

cat server1.key server1.crt intermediateCA1.crt > server1.fullchain.pem
cat server1.key server1.crt intermediateCA1.crt > server2.fullchain.pem

$ echo "@1 show ssl cert server1.fullchain.pem" | socat - /tmp/master.socket
Filename: server1.fullchain.pem
Status: Used
Serial: 19018ED789D84428F15631EEDD946E254D3F
notBefore: Dec 8 13:30:47 2020 GMT
notAfter: Sep 4 13:30:47 2023 GMT
Subject Alternative Name:
Algorithm: RSA2048
SHA1 FingerPrint: 74BB48E0F47B89AEE68A8173774B446775CDA0A3
Subject: /C=AU/ST=Some-State/O=Foobar Server1/CN=server1.foobar.local
Issuer: /C=AU/ST=Some-State/O=Foobar Int/CN=int1.foobar.local
Chain Subject: /C=AU/ST=Some-State/O=Foobar Int/CN=int1.foobar.local
Chain Issuer: /C=AU/ST=Some-State/O=Foobar ROOT/CN=root.foobar.local

I then updated the certificate this way:

$ echo -e -n "@1 set ssl cert server1.fullchain.pem <<\n$(cat server2.fullchain.pem)\n\n" | socat - /tmp/master.socket
Transaction created for certificate server1.fullchain.pem!

$ echo "@1 commit ssl cert server1.fullchain.pem" | socat - /tmp/master.socket
Committing server1.fullchain.pem.
Success!

And checked that the certificate is correctly updated:

$ echo "@1 show ssl cert server1.fullchain.pem" | socat - /tmp/master.socket
Filename: server1.fullchain.pem
Status: Used
Serial: 0808AAE72CD605D64FE5FEACA9FC8B3BA33F69E2
notBefore: Dec 8 13:33:26 2020 GMT
notAfter: Sep 4 13:33:26 2023 GMT
Subject Alternative Name:
Algorithm: RSA2048
SHA1 FingerPrint: E60B288CE48BDAEE9A234DCE16DF0A05E4C4E1BE
Subject: /C=AU/ST=Some-State/O=Foobar Server2/CN=server2.foobar.local
Issuer: /C=AU/ST=Some-State/O=Foobar Int2/CN=int2.foobar.local
Chain Subject: /C=AU/ST=Some-State/O=Foobar Int2/CN=int2.foobar.local
Chain Issuer: /C=AU/ST=Some-State/O=Foobar ROOT/CN=root.foobar.local

You can see at the end of the output that the certificate and the chain were updated.
You can also check the chain returned by haproxy with `openssl s_client -showcerts -connect localhost:8443 -servername server2.foobar.local` Regards, -- William Lallemand
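A check for the procedure William describes, written here as an added example that is neither his code nor HAProxy's: it parses the `show ssl cert` output captured before and after the `commit ssl cert`, confirms the leaf certificate changed, and confirms that the first chain certificate is the one named as the leaf's Issuer, which is exactly the condition a stale intermediate violates. The two good samples are built from the values quoted in the thread; the stale sample is constructed to show the failing case.

```python
"""Verify a dynamic HAProxy certificate update from 'show ssl cert' output.

Added example, not HAProxy code: it parses the "Key: value" lines printed by
"show ssl cert <file>" and checks that the chain was replaced with the leaf.
"""

# Sample outputs constructed from the values quoted in the thread (only the
# fields the check needs are kept).
BEFORE = """\
Status: Used
Serial: 19018ED789D84428F15631EEDD946E254D3F
SHA1 FingerPrint: 74BB48E0F47B89AEE68A8173774B446775CDA0A3
Subject: /C=AU/ST=Some-State/O=Foobar Server1/CN=server1.foobar.local
Issuer: /C=AU/ST=Some-State/O=Foobar Int/CN=int1.foobar.local
Chain Subject: /C=AU/ST=Some-State/O=Foobar Int/CN=int1.foobar.local
Chain Issuer: /C=AU/ST=Some-State/O=Foobar ROOT/CN=root.foobar.local
"""

AFTER_OK = """\
Status: Used
Serial: 0808AAE72CD605D64FE5FEACA9FC8B3BA33F69E2
SHA1 FingerPrint: E60B288CE48BDAEE9A234DCE16DF0A05E4C4E1BE
Subject: /C=AU/ST=Some-State/O=Foobar Server2/CN=server2.foobar.local
Issuer: /C=AU/ST=Some-State/O=Foobar Int2/CN=int2.foobar.local
Chain Subject: /C=AU/ST=Some-State/O=Foobar Int2/CN=int2.foobar.local
Chain Issuer: /C=AU/ST=Some-State/O=Foobar ROOT/CN=root.foobar.local
"""

# Constructed failure case: the new leaf was committed but the previous
# intermediate is still loaded (the symptom reported in the thread).
AFTER_STALE = """\
Status: Used
Serial: 0808AAE72CD605D64FE5FEACA9FC8B3BA33F69E2
SHA1 FingerPrint: E60B288CE48BDAEE9A234DCE16DF0A05E4C4E1BE
Subject: /C=AU/ST=Some-State/O=Foobar Server2/CN=server2.foobar.local
Issuer: /C=AU/ST=Some-State/O=Foobar Int2/CN=int2.foobar.local
Chain Subject: /C=AU/ST=Some-State/O=Foobar Int/CN=int1.foobar.local
Chain Issuer: /C=AU/ST=Some-State/O=Foobar ROOT/CN=root.foobar.local
"""


def parse_show_ssl_cert(text):
    """Turn 'show ssl cert' output into a dict.

    Scalar fields are stored under their printed name. Chain certificates are
    printed as 'Chain Subject'/'Chain Issuer' pairs, one pair per certificate,
    and are collected in order under the 'chain' key.
    """
    info = {"chain": []}
    pending_subject = None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Chain Subject":
            pending_subject = value
        elif key == "Chain Issuer":
            info["chain"].append((pending_subject, value))
            pending_subject = None
        else:
            info[key] = value
    return info


def chain_matches_leaf(info):
    """True when the first chain certificate is the one named as the leaf's
    Issuer. A stale intermediate shows up as a mismatch here; the thread
    reports 'set ssl ocsp-response' then failing with 'Certificate ID does
    not match any certificate or issuer'."""
    chain = info["chain"]
    return bool(chain) and info.get("Issuer") == chain[0][0]


def verify_update(before_text, after_text):
    """Compare the output captured before and after 'commit ssl cert' and
    return each check separately so a caller can log exactly what changed."""
    before = parse_show_ssl_cert(before_text)
    after = parse_show_ssl_cert(after_text)
    return {
        "status_used": after.get("Status") == "Used",
        "leaf_replaced": after.get("Serial") != before.get("Serial")
        and after.get("SHA1 FingerPrint") != before.get("SHA1 FingerPrint"),
        "chain_replaced": after["chain"] != before["chain"],
        "chain_consistent": chain_matches_leaf(after),
    }


if __name__ == "__main__":
    for name, after in (("good update", AFTER_OK), ("stale chain", AFTER_STALE)):
        checks = verify_update(BEFORE, after)
        verdict = "OK" if all(checks.values()) else "FAIL"
        print(f"{name}: {verdict} {checks}")
```

In practice the two inputs come from piping `show ssl cert <file>` through socat before and after the commit, as in the transcript above.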
Re: dynamic ssl certificate updates with changed intermediate
On Sat, Dec 05, 2020 at 02:57:03AM +0100, Björn Jacke wrote:
> Hi,
>
> I ran into an issue with haproxy 2.2.6, where I'm not sure if this is working as intended or not. I have a frontend, which has a ssl cert configured in a combined pem file, containing the private, public and intermediate certificate. The bind line looks like this:
>
> bind 203.0.113.1 ssl crt /certs/host.example.org/combined.pem.rsa ...
>
> If I renew the certificate, it works as also shown in
>
> https://www.haproxy.com/blog/dynamic-ssl-certificate-storage-in-haproxy/
>
> via
>
> echo "set ssl cert ${DIRNAME}/combined.pem.rsa" | socat ...
>
> Everything worked fine since quite a while ...
>
> until now the issuing intermediate certificate changed. I would expect that above mentioned "set ssl cert combined.pem.rsa" would also update the intermediate certificate - but the *previous* intermediate is still being used by haproxy. I noticed this actually only because the "set ssl ocsp-response" returned "Certificate ID does not match any certificate or issuer". It took me quite a while to spot that the intermediate was not updated.
>
> So the final question is, is this a bug or is the intermediate not supposed to be updated along with the combined.pem but differently? A reload or restart of haproxy will activate the new intermediate certificate of course.
>

Looks like a bug to me, the intermediate certificate is indeed supposed to be updated, I'll look into this.

--
William Lallemand
Re: do we want to keep CentOS 6 builds?
I played with various options. While things work well on my personal centos 6 vm, they still do not work on cirrus:

https://github.com/chipitsine/haproxy/blob/master/.cirrus.yml#L21-L22

(we cannot use yum-config-manager --add-repo=..., because yum-config-manager is not installed)

build: https://cirrus-ci.com/task/4596651333517312

any ideas what to try ?

Thu, 3 Dec 2020 at 10:48, Илья Шипицин:
> I'll check on weekend whether we can switch to vault repo
>
> Thu, 3 Dec 2020 at 02:48, Willy Tarreau:
>
>> On Wed, Dec 02, 2020 at 10:29:03PM +0100, Adis Nezirovic wrote:
>> > On 12/2/20 9:45 PM, Willy Tarreau wrote:
>> > > On Wed, Dec 02, 2020 at 10:19:47PM +0500, ??? wrote:
>> > > > seems, CentOS 6 packages were removed from mirrors
>> > > >
>> > > > https://cirrus-ci.com/task/5915513668763648
>> > >
>> > > I've never understood why some distros do something that stupid. They even prevent some people from setting up a backup server in emergency.
>> > >
>> > > So does this mean we'll drop this one ?
>> >
>> > For what it's worth, after EOL, data is moved to CentOS vault:
>> >
>> > https://vault.centos.org/6.10/
>>
>> Thanks Adis. Not sure what this implies for setup scripts, but it's good to know.
>>
>> Willy
>>
>