Re: OCSP with dynamic SSL storage

2021-11-22 Thread William Lallemand
On Fri, Nov 05, 2021 at 01:30:53PM +0100, Marco Corte wrote:
> Subject: Re: OCSP with dynamic SSL storage
>
> On 2021-11-05 13:11, Marco Corte wrote:
> > Hi all.
> > 
> > I have a bind section that contains
> > ... ssl crt ZZZ.pem ...
> > 
> > where ZZZ.pem is actually a full path.
> > 
> > If I upload a new certificate/key to ZZZ.pem and a corresponding OCSP
> > response to ZZZ.pem.ocsp and do a
> > 
> > # systemctl reload haproxy.service
> > 
> > 
> > then the certificate and the OCSP stapling are correct.
> > Moreover I can update the OCSP, when needed
> > 
> > # printf "set ssl ocsp-response <<\n$(base64 ZZZ.pem.ocsp)\n\n" |
> > socat /run/haproxy/admin.sock stdio
> > OCSP Response updated!
> > 
> > 
> > 
> > If, after updating the files, I use the following procedure, I am not
> > able to update the OCSP response
> > 
> > # printf "set ssl cert ZZZ.pem <<\n$(cat ZZZ.pem)\n\ncommit ssl cert
> > ZZZ.pem\n" | socat /run/haproxy/admin.sock stdio
> > Transaction created for certificate ZZZ.pem!
> > 
> > Committing ZZZ.pem..
> > Success!
> > 
> > # printf "set ssl ocsp-response <<\n$(base64 ZZZ.pem.ocsp)\n\n" |
> > socat /run/haproxy/admin.sock stdio
> > OCSP single response: Certificate ID does not match any certificate or 
> > issuer.
> > 
> > 
> > Since the two files ZZZ.pem and ZZZ.pem.ocsp are always the same, I
> > suspect that I am doing something wrong.
> > Am I skipping any step?
> > 
> > Thank you
> > Ciao!
> > 
> > .marcoc
> > 
> > Please note that I may have messed up with some commands while
> > anonymizing them in this email.
> 
> I forgot to mention the version: haproxy v2.4.8 on Ubuntu 18.04
> 

Hello,

Sorry for the late reply. When updating a certificate dynamically, it is
recommended to update its .ocsp at the same time, before committing, so
it can add the Certificate ID to the OCSP tree again. It's the only way
HAProxy can know that OCSP was activated.

Once it's done, you can use the "set ssl ocsp-response", like you were
using before.

Look at the example in the documentation:

https://cbonte.github.io/haproxy-dconv/2.4/management.html#9.3-set%20ssl%20cert

Regards,

-- 
William Lallemand
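The rotation sequence William describes, written out as a small POSIX shell helper set. This is an added example, not code from the thread, from the HAProxy project or from the linked documentation. It assumes HAProxy 2.4 with its stats socket at /run/haproxy/admin.sock (the path used in the thread), socat installed, and placeholder names ZZZ.pem / ZZZ.pem.ocsp for the real paths; the payload functions only build the CLI text, so they can be inspected without a running HAProxy, and cli_send is the single point that talks to the socket.

```shell
#!/bin/sh
# Added example (not from the thread or the HAProxy project): update a
# certificate and its OCSP response in ONE "set ssl cert" transaction,
# commit, and only afterwards use "set ssl ocsp-response" for refreshes.
# Assumptions: HAProxy 2.4 CLI on /run/haproxy/admin.sock (path from the
# thread), socat installed, ZZZ.pem / ZZZ.pem.ocsp are placeholder paths.

SOCK="${HAPROXY_SOCK:-/run/haproxy/admin.sock}"

# Wrap a command in CLI payload form: "<cmd> <<", the body, then the empty
# line that terminates the payload. The body itself must therefore not
# contain an empty line, or HAProxy would stop reading early.
cli_payload() {
    printf '%s <<\n%s\n\n' "$1" "$2"
}

# "set ssl cert <name>" with the PEM text (cert + key, as on the bind line).
# Blank lines inside the PEM file are dropped for the reason given above.
pem_payload() {
    cli_payload "set ssl cert $1" "$(sed '/^$/d' "$2")"
}

# "set ssl cert <name>.ocsp" with the DER OCSP response base64-encoded,
# because the CLI is text-only (same encoding as the thread's commands).
# Sending this before the commit is what puts the new Certificate ID into
# HAProxy's OCSP tree.
ocsp_cert_payload() {
    cli_payload "set ssl cert $1.ocsp" "$(base64 "$2")"
}

# Stand-alone OCSP refresh; only works once the certificate's ID is known
# to the OCSP tree (i.e. after the transaction above, or a full reload).
ocsp_refresh_payload() {
    cli_payload "set ssl ocsp-response" "$(base64 "$1")"
}

commit_cmd() {
    printf 'commit ssl cert %s\n' "$1"
}

# One CLI connection per command, as the HAProxy management guide does.
cli_send() {
    socat "$SOCK" stdio
}

# Full rotation: PEM and OCSP staged in the same transaction, then commit.
update_cert_with_ocsp() {
    name=$1; pem=$2; ocsp=$3
    pem_payload "$name" "$pem"        | cli_send
    ocsp_cert_payload "$name" "$ocsp" | cli_send
    commit_cmd "$name"                | cli_send
}

# Later refresh of only the OCSP response (what the thread's second
# command attempted after a commit that lacked the .ocsp step).
refresh_ocsp() {
    ocsp_refresh_payload "$1" | cli_send
}

# Usage (hypothetical paths):
#   update_cert_with_ocsp /etc/haproxy/certs/ZZZ.pem /tmp/new.pem /tmp/new.ocsp
#   refresh_ocsp /tmp/newer.ocsp
```

The name passed as the first argument must be exactly the string HAProxy loaded from the bind line (the full path, in the thread's case), since that is the key of the certificate store entry; the PEM and OCSP files can live anywhere.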



Re: OCSP with dynamic SSL storage

2021-11-05 Thread Marco Corte

On 2021-11-05 13:11, Marco Corte wrote:

Hi all.

I have a bind section that contains
... ssl crt ZZZ.pem ...

where ZZZ.pem is actually a full path.

If I upload a new certificate/key to ZZZ.pem and a corresponding OCSP
response to ZZZ.pem.ocsp and do a

# systemctl reload haproxy.service


then the certificate and the OCSP stapling are correct.
Moreover I can update the OCSP, when needed

# printf "set ssl ocsp-response <<\n$(base64 ZZZ.pem.ocsp)\n\n" |
socat /run/haproxy/admin.sock stdio
OCSP Response updated!



If, after updating the files, I use the following procedure, I am not
able to update the OCSP response

# printf "set ssl cert ZZZ.pem <<\n$(cat ZZZ.pem)\n\ncommit ssl cert
ZZZ.pem\n" | socat /run/haproxy/admin.sock stdio
Transaction created for certificate ZZZ.pem!

Committing ZZZ.pem..
Success!

# printf "set ssl ocsp-response <<\n$(base64 ZZZ.pem.ocsp)\n\n" |
socat /run/haproxy/admin.sock stdio
OCSP single response: Certificate ID does not match any certificate or 
issuer.



Since the two files ZZZ.pem and ZZZ.pem.ocsp are always the same, I
suspect that I am doing something wrong.
Am I skipping any step?

Thank you
Ciao!

.marcoc

Please note that I may have messed up with some commands while
anonymizing them in this email.


I forgot to mention the version: haproxy v2.4.8 on Ubuntu 18.04



OCSP with dynamic SSL storage

2021-11-05 Thread Marco Corte

Hi all.

I have a bind section that contains
... ssl crt ZZZ.pem ...

where ZZZ.pem is actually a full path.

If I upload a new certificate/key to ZZZ.pem and a corresponding OCSP 
response to ZZZ.pem.ocsp and do a


# systemctl reload haproxy.service


then the certificate and the OCSP stapling are correct.
Moreover I can update the OCSP, when needed

# printf "set ssl ocsp-response <<\n$(base64 ZZZ.pem.ocsp)\n\n" | socat 
/run/haproxy/admin.sock stdio

OCSP Response updated!



If, after updating the files, I use the following procedure, I am not 
able to update the OCSP response


# printf "set ssl cert ZZZ.pem <<\n$(cat ZZZ.pem)\n\ncommit ssl cert 
ZZZ.pem\n" | socat /run/haproxy/admin.sock stdio

Transaction created for certificate ZZZ.pem!

Committing ZZZ.pem..
Success!

# printf "set ssl ocsp-response <<\n$(base64 ZZZ.pem.ocsp)\n\n" | socat 
/run/haproxy/admin.sock stdio
OCSP single response: Certificate ID does not match any certificate or 
issuer.



Since the two files ZZZ.pem and ZZZ.pem.ocsp are always the same, I 
suspect that I am doing something wrong.

Am I skipping any step?

Thank you
Ciao!

.marcoc

Please note that I may have messed up with some commands while 
anonymizing them in this email.