On Sat, Sep 26, 2020 at 01:35:52PM +0200, William Dauchy wrote:
> especially when starting to use the `new ssl cert` runtime API, it might
> become a bit confusing for users to mix bundle and single certs,
> especially when it comes to using the commit command:
> - start the process with `crt` loading a bundle
> - use `set ssl cert my_cert.pem.ecdsa`: API detects it as a replacement
> of a bundle.
> - `commit` has to be done on the bundle: `commit ssl cert my_cert.pem`
> - add a new cert: `new ssl cert my_cert.pem.rsa`: added as a single
> - `commit` has to be done on the certificate: `commit ssl cert
> this should resolve github issue #872
> this should probably be backported in >= v2.2 in order to encourage
> people to move away from bundle certificates loading.
> Signed-off-by: William Dauchy
> doc/configuration.txt | 7 ++-
> doc/management.txt| 4
> 2 files changed, 10 insertions(+), 1 deletion(-)
> diff --git a/doc/configuration.txt b/doc/configuration.txt
> index 97ff2e499..87f35e984 100644
> --- a/doc/configuration.txt
> +++ b/doc/configuration.txt
> @@ -12560,10 +12560,15 @@ crt
>connecting with "ecdsa.example.com" will only be able to use ECDSA cipher
>suites. With BoringSSL and Openssl >= 1.1.1 multi-cert is natively
>no need to bundle certificates. ECDSA certificate will be preferred if
> - support it.
> + supports it.
>If a directory name is given as the argument, haproxy will
>automatically search and load bundled files in that directory.
> + It is however recommended to move away from bundle loading, especially if
> + want to use the runtime API to load new certificate which does not support
> + bundle. A recommended way to migrate is to set `ssl-load-extra-file`
> + parameter to `none` in global config so that each certificate is loaded as
> + single one.
>OSCP files (.ocsp) and issuer files (.issuer) are supported with multi-cert
>bundling. Each certificate can have its own .ocsp and .issuer file. At this
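Review bot: the added recommendation in the `crt` entry (the `+ It is however recommended ...` lines) has grammar problems that would ship in user-facing docs: "especially if want to use" is missing its subject, "load new certificate which does not support bundle" should be plural, and "loaded as single one" needs an article. Suggested wording: "It is however recommended to move away from bundle loading, especially if you want to use the runtime API to load new certificates, as it does not support bundles. A recommended way to migrate is to set the "ssl-load-extra-files" parameter to "none" in the global section so that each certificate is loaded as a single one." Two further points: the global keyword is spelled `ssl-load-extra-files` (plural), so the hunk's `ssl-load-extra-file` should be corrected to match its own entry in the global section; and since the next paragraph says .ocsp and .issuer files are supported, the text should make clear whether setting the parameter to "none" also stops those side files from being loaded, and if so recommend a value that only excludes the bundle behaviour rather than all extra files. Finally, configuration.txt quotes keywords and values with double quotes (see "ecdsa.example.com" in the context above) rather than backticks.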
> diff --git a/doc/management.txt b/doc/management.txt
> index adbad95d3..42e8ddbca 100644
> --- a/doc/management.txt
> +++ b/doc/management.txt
> @@ -1725,6 +1725,10 @@ new ssl cert
>Create a new empty SSL certificate store to be filled with a certificate
>added to a directory or a crt-list. This command should be used in
>combination with "set ssl cert" and "add ssl crt-list".
> + Note that bundle certificates are not supported; it is recommended to use
> + `ssl-load-extra-file none` in global config to avoid loading certificates
> + bundle and then mixing with single certificates in the runtime API. This
> + avoid confusion, especailly when it comes to the `commit` command.
>Toggle the prompt at the beginning of the line and enter or leave
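Review bot: the note added under `new ssl cert` has typos that would land in management.txt: "especailly" should be "especially", "This avoid confusion" should be "This avoids confusion", and "loading certificates bundle" reads better as "loading certificate bundles". Suggested replacement for the four added lines: "Note that bundle certificates are not supported; it is recommended to use "ssl-load-extra-files none" in the global section to avoid loading certificate bundles and then mixing them with single certificates in the runtime API. This avoids confusion, especially when it comes to the "commit" command." As in the configuration.txt hunk, the keyword should be spelled `ssl-load-extra-files` (plural) so that readers can find it in the global section, and the quoting style should follow the surrounding text, which uses double quotes for "set ssl cert" and "add ssl crt-list" rather than backticks.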
I don't think that's the good approach for 2.3, I replied on the github