Re: [PATCH 2/2] DOC: crt: advise to move away from cert bundle
On Tue, Sep 29, 2020 at 11:26:21AM +0200, Willy Tarreau wrote: > On Mon, Sep 28, 2020 at 02:31:18PM +0200, William Lallemand wrote: > > > diff --git a/doc/management.txt b/doc/management.txt > > > index adbad95d3..42e8ddbca 100644 > > > --- a/doc/management.txt > > > +++ b/doc/management.txt > > > @@ -1725,6 +1725,10 @@ new ssl cert > > >Create a new empty SSL certificate store to be filled with a > > > certificate and > > >added to a directory or a crt-list. This command should be used in > > >combination with "set ssl cert" and "add ssl crt-list". > > > + Note that bundle certificates are not supported; it is recommended to > > > use > > > + `ssl-load-extra-file none` in global config to avoid loading > > > certificates as > > > + bundle and then mixing with single certificates in the runtime API. > > > This will > > > + avoid confusion, especailly when it comes to the `commit` command. > > > > > > prompt > > >Toggle the prompt at the beginning of the line and enter or leave > > > interactive > > > > > > > > I don't think that's the good approach for 2.3, I replied on the github > > issue: https://github.com/haproxy/haproxy/issues/872 > > I already picked that doc patch the day before, should we revert it then, > or just part of it maybe? > I saw that, don't revert it, I'm going to make some changes on top of it. Thanks, -- William Lallemand
Re: [PATCH 2/2] DOC: crt: advise to move away from cert bundle
On Mon, Sep 28, 2020 at 02:31:18PM +0200, William Lallemand wrote: > > diff --git a/doc/management.txt b/doc/management.txt > > index adbad95d3..42e8ddbca 100644 > > --- a/doc/management.txt > > +++ b/doc/management.txt > > @@ -1725,6 +1725,10 @@ new ssl cert > >Create a new empty SSL certificate store to be filled with a certificate > > and > >added to a directory or a crt-list. This command should be used in > >combination with "set ssl cert" and "add ssl crt-list". > > + Note that bundle certificates are not supported; it is recommended to use > > + `ssl-load-extra-file none` in global config to avoid loading > > certificates as > > + bundle and then mixing with single certificates in the runtime API. This > > will > > + avoid confusion, especailly when it comes to the `commit` command. > > > > prompt > >Toggle the prompt at the beginning of the line and enter or leave > > interactive > > > > I don't think that's the good approach for 2.3, I replied on the github > issue: https://github.com/haproxy/haproxy/issues/872 I already picked that doc patch the day before, should we revert it then, or just part of it maybe? Willy
Re: [PATCH 2/2] DOC: crt: advise to move away from cert bundle
On Sat, Sep 26, 2020 at 01:35:52PM +0200, William Dauchy wrote: > especially when starting to use `new ssl cert` runtime API, it might > become a bit confusing for users to mix bundle and single cert, > especially when it comes to use the commit command: > e.g.: > - start the process with `crt` loading a bundle > - use `set ssl cert my_cert.pem.ecdsa`: API detects it as a replacement > of a bundle. > - `commit` has to be done on the bundle: `commit ssl cert my_cert.pem` > > however: > - add a new cert: `new ssl cert my_cert.pem.rsa`: added as a single > certificate > - `commit` has to be done on the certificate: `commit ssl cert > my_cert.pem.rsa` > > this should resolve github issue #872 > > this should probably be backported in >= v2.2 in order to encourage > people to move away from bundle certificates loading. > > Signed-off-by: William Dauchy > --- > doc/configuration.txt | 7 ++- > doc/management.txt| 4 > 2 files changed, 10 insertions(+), 1 deletion(-) > > diff --git a/doc/configuration.txt b/doc/configuration.txt > index 97ff2e499..87f35e984 100644 > --- a/doc/configuration.txt > +++ b/doc/configuration.txt 
> @@ -12560,10 +12560,15 @@ crt >connecting with "ecdsa.example.com" will only be able to use ECDSA cipher >suites. With BoringSSL and Openssl >= 1.1.1 multi-cert is natively > supported, >no need to bundle certificates. ECDSA certificate will be preferred if > client > - support it. > + supports it. > >If a directory name is given as the argument, haproxy will >automatically search and load bundled files in that directory. > + It is however recommended to move away from bundle loading, especially if > you > + want to use the runtime API to load new certificate which does not support > + bundle. A recommended way to migrate is to set `ssl-load-extra-file` > + parameter to `none` in global config so that each certificate is loaded as > a > + single one. > >OSCP files (.ocsp) and issuer files (.issuer) are supported with multi-cert >bundling. Each certificate can have its own .ocsp and .issuer file. At this > diff --git a/doc/management.txt b/doc/management.txt > index adbad95d3..42e8ddbca 100644 > --- a/doc/management.txt > +++ b/doc/management.txt > @@ -1725,6 +1725,10 @@ new ssl cert >Create a new empty SSL certificate store to be filled with a certificate > and >added to a directory or a crt-list. This command should be used in >combination with "set ssl cert" and "add ssl crt-list". > + Note that bundle certificates are not supported; it is recommended to use > + `ssl-load-extra-file none` in global config to avoid loading certificates > as > + bundle and then mixing with single certificates in the runtime API. This > will > + avoid confusion, especailly when it comes to the `commit` command. > > prompt >Toggle the prompt at the beginning of the line and enter or leave > interactive I don't think that's the good approach for 2.3, I replied on the github issue: https://github.com/haproxy/haproxy/issues/872 -- William Lallemand
[PATCH 2/2] DOC: crt: advise to move away from cert bundle
especially when starting to use `new ssl cert` runtime API, it might become a bit confusing for users to mix bundle and single cert, especially when it comes to use the commit command: e.g.: - start the process with `crt` loading a bundle - use `set ssl cert my_cert.pem.ecdsa`: API detects it as a replacement of a bundle. - `commit` has to be done on the bundle: `commit ssl cert my_cert.pem` however: - add a new cert: `new ssl cert my_cert.pem.rsa`: added as a single certificate - `commit` has to be done on the certificate: `commit ssl cert my_cert.pem.rsa` this should resolve github issue #872 this should probably be backported in >= v2.2 in order to encourage people to move away from bundle certificates loading. Signed-off-by: William Dauchy --- doc/configuration.txt | 7 ++- doc/management.txt| 4 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index 97ff2e499..87f35e984 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -12560,10 +12560,15 @@ crt connecting with "ecdsa.example.com" will only be able to use ECDSA cipher suites. With BoringSSL and Openssl >= 1.1.1 multi-cert is natively supported, no need to bundle certificates. ECDSA certificate will be preferred if client - support it. + supports it. If a directory name is given as the argument, haproxy will automatically search and load bundled files in that directory. + It is however recommended to move away from bundle loading, especially if you + want to use the runtime API to load new certificate which does not support + bundle. A recommended way to migrate is to set `ssl-load-extra-file` + parameter to `none` in global config so that each certificate is loaded as a + single one. OSCP files (.ocsp) and issuer files (.issuer) are supported with multi-cert bundling. Each certificate can have its own .ocsp and .issuer file. At this diff --git a/doc/management.txt b/doc/management.txt index adbad95d3..42e8ddbca 100644 
--- a/doc/management.txt +++ b/doc/management.txt @@ -1725,6 +1725,10 @@ new ssl cert Create a new empty SSL certificate store to be filled with a certificate and added to a directory or a crt-list. This command should be used in combination with "set ssl cert" and "add ssl crt-list". + Note that bundle certificates are not supported; it is recommended to use + `ssl-load-extra-file none` in global config to avoid loading certificates as + bundle and then mixing with single certificates in the runtime API. This will + avoid confusion, especailly when it comes to the `commit` command. prompt Toggle the prompt at the beginning of the line and enter or leave interactive -- 2.28.0
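Review bot: In the paragraph added under `crt` in doc/configuration.txt, "to load new certificate which does not support bundle" reads as though the certificate is what lacks bundle support; the restriction belongs to the runtime API. Suggest "especially if you want to use the runtime API to load new certificates, since it does not support bundles", and "set the `ssl-load-extra-file` parameter to `none`" (missing article). While here, the unchanged context line "OSCP files (.ocsp)" has the acronym transposed; "OCSP" is worth a separate trivial fix.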
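Review bot: Typo in the text added under `new ssl cert` in doc/management.txt: "especailly" should be "especially", and "loading certificates as bundle" should be "as a bundle". The sentence "bundle certificates are not supported" does not say by what; stating that it is this command and the runtime API that do not accept bundles would keep readers from reading it as a general deprecation of bundle loading in the configuration.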
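The commit message contrasts the bundle case (set on `my_cert.pem.ecdsa`, commit on `my_cert.pem`) with the single-certificate case, where `set`, `commit` and `new` all take the same name. As an added example, not part of this patch or of HAProxy's own code, here is that single-certificate workflow typed against the stats socket with socat. It assumes a stats socket at `$HAPROXY_SOCK` opened with `level admin`, socat installed, certificates loaded as single files (`ssl-load-extra-file none` in the global section), and placeholder paths under /etc/haproxy/certs; the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the patch or HAProxy). Assumed: admin-level stats
# socket at $HAPROXY_SOCK, socat available, certs loaded as single files.
HAPROXY_SOCK="${HAPROXY_SOCK:-/var/run/haproxy.sock}"

# Build the CLI text for "set ssl cert": the command line ends with "<<",
# the PEM body follows, and an empty line terminates the payload.
build_set_cert() {
    cert_name="$1"   # name haproxy knows, e.g. /etc/haproxy/certs/my_cert.pem
    pem_file="$2"    # local PEM holding certificate, key and chain
    printf 'set ssl cert %s <<\n' "$cert_name"
    cat "$pem_file"
    printf '\n'
}

# Send one or more CLI commands over a single socket connection.
hap_send() {
    socat stdio "unix-connect:$HAPROXY_SOCK"
}

# Replace a certificate that was loaded as a single file: stage it in the
# transaction, then commit under the SAME name used for "set". Use
# "abort ssl cert <name>" instead of commit to drop a staged transaction.
replace_single_cert() {
    cert_name="$1"; pem_file="$2"
    {
        build_set_cert "$cert_name" "$pem_file"
        printf 'commit ssl cert %s\n' "$cert_name"
    } | hap_send
}

# Create a brand-new single certificate, fill it, commit it, then attach it
# to a crt-list so a bind line using that list starts serving it.
add_single_cert() {
    cert_name="$1"; pem_file="$2"; crt_list="$3"
    {
        printf 'new ssl cert %s\n' "$cert_name"
        build_set_cert "$cert_name" "$pem_file"
        printf 'commit ssl cert %s\n' "$cert_name"
        printf 'add ssl crt-list %s %s\n' "$crt_list" "$cert_name"
    } | hap_send
}

# Usage (placeholder paths):
#   replace_single_cert /etc/haproxy/certs/my_cert.pem ./renewed.pem
#   add_single_cert /etc/haproxy/certs/new_cert.pem ./new.pem /etc/haproxy/certs/list.txt
```

With every certificate loaded as its own file, the name given to `set ssl cert` is the name to commit, which is exactly the ambiguity the bundle case introduces. Keep the private key inside the PEM you push: with `ssl-load-extra-file none`, HAProxy will not look for a separate `.key` file next to it.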