noticed frequent alerts from zabbix about
haproxy restarting on that system and asked me about it. I have never
employed my OCSP updating script on that system ... the only thing the
two systems have in common is my certs webapp. I had forgotten about
the hourly cronjob.
I actually don't need
On Wed, Oct 04, 2023 at 08:52:39AM -0600, Shawn Heisey wrote:
> On 10/4/23 05:34, Remi Tricot-Le Breton wrote:
> > You just have to run the following commands :
> >
> > $ echo "update ssl ocsp-response " | socat
> > /path_to_socket/haproxy.sock -
>
On 10/4/23 05:34, Remi Tricot-Le Breton wrote:
You just have to run the following commands :
$ echo "update ssl ocsp-response " | socat
/path_to_socket/haproxy.sock -
When I do this, the update is successful and shows in the logfile
created by rsyslogd ... but unlike when ha
can't return a status to the CLI command.
In order to check if the update was successful you can display the
contents of the updated OCSP response via the "show ssl
ocsp-response" command. If the response you updated is also set to be
updated automatically, you can also use the
In order to check if the update was successful you can display the
contents of the updated OCSP response via the "show ssl ocsp-response"
command. If the response you updated is also set to be updated
automatically, you can also use the "show ssl ocsp-updates" command th
On 30/09/2023 09:20, Shawn Heisey wrote:
On 9/28/23 02:29, Remi Tricot-Le Breton wrote:
That's really strange, the OCSP update mechanism does not have
anything to do with proxies. Are you sure you did not have a crash
and autorestart of your haproxy ?
I did not think that I had autorestart
On 9/28/23 02:29, Remi Tricot-Le Breton wrote:
That's really strange, the OCSP update mechanism does not have anything
to do with proxies. Are you sure you did not have a crash and
autorestart of your haproxy ?
I did not think that I had autorestart for haproxy, but it turns out
Hello,
On 28/09/2023 00:30, Shawn Heisey wrote:
The haproxy -vv output is at the end of this message.
I got the built-in OCSP updating mechanism working. Works beautifully.
Today I discovered that once an hour when the OCSP gets updated,
haproxy stops all its proxies and starts them back up
The haproxy -vv output is at the end of this message.
I got the built-in OCSP updating mechanism working. Works beautifully.
Today I discovered that once an hour when the OCSP gets updated, haproxy
stops all its proxies and starts them back up. syslog:
Sep 27 15:00:01 - haproxy[3520801
On 8/15/23 19:17, Tristan wrote:
> A common error that can happen with let's encrypt certificates is if
> the DNS resolution provides an IPv6 address and your system does not
> have a valid outgoing IPv6 route. In such a case, you can either create
> the appropriate route or set the
Hi Shawn,
See the note at the end of
http://docs.haproxy.org/2.8/configuration.html#5.1-ocsp-update
Specifically:
> A common error that can happen with let's encrypt certificates is if the DNS
> resolution provides an IPv6 address and your system does not have a valid
> outgoing IPv6 ro
I've got another haproxy install on which I am trying to enable
automatic OCSP updating. The ones I asked about before are personal,
this one is for work.
When haproxy looks up the host where it can get OCSP responses, it is
getting an ipv6 address.
Aug 15 18:27:30 - haproxy[11234] -:- [15
On Mon, Jul 24, 2023 at 07:21:16AM +, Jarno Huuskonen wrote:
> Hello,
>
> On Fri, 2023-07-21 at 17:31 +0200, Remi Tricot-Le Breton wrote:
> > I found the faulty commit for Jarno's issue ("cc346678d MEDIUM: ssl: Add
> > ocsp_certid in ckch structure and discard ocsp
Hello,
On Fri, 2023-07-21 at 17:31 +0200, Remi Tricot-Le Breton wrote:
> I found the faulty commit for Jarno's issue ("cc346678d MEDIUM: ssl: Add
> ocsp_certid in ckch structure and discard ocsp buffer early").
> Here's a patch that should fix it. If you want to try it with y
to identify what changed.
I've tested with 'openssl s_client -showcerts -connect mydomain.com:443
-servername mydomain.com -status -tlsextdebug'
Does 2.8.1 send ocsp response if you connect with ipv4 address:
openssl s_client -showcerts -connect ipaddress:443 ...
(with or without -servername
-showcerts -connect mydomain.com:443
-servername mydomain.com -status -tlsextdebug'
Does 2.8.1 send ocsp response if you connect with ipv4 address:
openssl s_client -showcerts -connect ipaddress:443 ...
(with or without -servername)
On 2.6.14 I get an OCSP response, on 2.8.1 I get:
On 2023-07-21 11:51, Jarno Huuskonen wrote:
If I change the order of ipv4 / ipv6 binds (so bind ipv6@:::443 name
v6ssl... is first) then haproxy(2.8.1) sends ocsp with ipv6 connection
and not with ipv4.
Hmmm, I cannot reproduce this, but this might be because I have multiple
frontends
connect mydomain.com:443
> -servername mydomain.com -status -tlsextdebug'
>
Does 2.8.1 send ocsp response if you connect with ipv4 address:
openssl s_client -showcerts -connect ipaddress:443 ...
(with or without -servername)
> On 2.6.14 I get an OCSP response, on 2.8.1 I get:
>
On Thu, Jul 20, 2023 at 08:27:08PM +0200, Sander Klein wrote:
> On 2023-07-20 11:14, William Lallemand wrote:
> > On Thu, Jul 20, 2023 at 10:23:21AM +0200, Sander Klein wrote:
> >> On 2023-07-19 11:00, William Lallemand wrote:
> >> "show ssl ocsp-resons
On 2023-07-20 11:14, William Lallemand wrote:
On Thu, Jul 20, 2023 at 10:23:21AM +0200, Sander Klein wrote:
On 2023-07-19 11:00, William Lallemand wrote:
"show ssl ocsp-response" gives me a lot of output like:
Certificate ID key : *LONGID*
Certificate path : /path/to/cert.pem
Cert
06PM +0200, Sander Klein wrote:
> >> >> Hi,
> >> >>
> >> >> I tried upgrading from 2.6.14 to 2.8.1, but after the upgrade I
> >> >> couldn't
> >> >> connect to any of the sites behind it.
> >> >>
> >
t after the upgrade I
>> couldn't
>> connect to any of the sites behind it.
>>
>> While looking at the error it seems like OCSP is not working anymore.
>> Right now I have a setup in which I provision the certificates with
>> the
>> corresponding ocsp file
> >> couldn't
> >> connect to any of the sites behind it.
> >>
> >> While looking at the error it seems like OCSP is not working anymore.
> >> Right now I have a setup in which I provision the certificates with
> >> the
> >> co
On 2023-07-17 15:17, William Lallemand wrote:
On Thu, Jul 13, 2023 at 05:01:06PM +0200, Sander Klein wrote:
Hi,
I tried upgrading from 2.6.14 to 2.8.1, but after the upgrade I
couldn't
connect to any of the sites behind it.
While looking at the error it seems like OCSP is not working
On Thu, Jul 13, 2023 at 07:10:29PM -0600, Shawn Heisey wrote:
> On 7/13/23 15:00, Cyril Bonté wrote:
> > Hi Shawn,
> >
> > On 13/07/2023 at 18:48, Shawn Heisey wrote:
> >> Looks like on my last edit I deleted it and didn't add it to
> >> defaults, so I was wrong in what I said. It throws a
On Thu, Jul 13, 2023 at 10:48:41AM -0600, Shawn Heisey wrote:
> On 7/12/23 04:13, Remi Tricot-Le Breton wrote:
> > On 11/07/2023 22:22, Shawn Heisey wrote:
> >> On 7/11/23 01:30, Remi Tricot-Le Breton wrote:
> >> That directive didn't work in "global" but it was accepted when I
> >> moved it to
On Thu, Jul 13, 2023 at 05:01:06PM +0200, Sander Klein wrote:
> Hi,
>
> I tried upgrading from 2.6.14 to 2.8.1, but after the upgrade I couldn't
> connect to any of the sites behind it.
>
> While looking at the error it seems like OCSP is not working anymore.
> Rig
On Fri, Jul 14, 2023 at 11:01:16PM +0200, Marcel Menzel wrote:
> Hello List,
>
> Trying to compile HAProxy version 2.8.1 with WolfSSL 5.6.3 results in
> the following error:
>
> src/ssl_sock.c: In function ‘ssl_sock_load_ocsp’:
> src/ssl_sock.c:1117:9: error: unknown type name ‘tlsextStatusCb’
Hello List,
Trying to compile HAProxy version 2.8.1 with WolfSSL 5.6.3 results in
the following error:
src/ssl_sock.c: In function ‘ssl_sock_load_ocsp’:
src/ssl_sock.c:1117:9: error: unknown type name ‘tlsextStatusCb’
1117 | tlsextStatusCb callback;
| ^~
Hi,
On 2023-07-14 01:56, Shawn Heisey wrote:
On 7/13/23 09:01, Sander Klein wrote:
I tried upgrading from 2.6.14 to 2.8.1, but after the upgrade I
couldn't connect to any of the sites behind it.
While looking at the error it seems like OCSP is not working anymore.
Right now I have a setup
On 7/13/23 17:56, Shawn Heisey wrote:
I do still use this script on one of my servers where I can't get
haproxy's built-in ocsp updating to work right. It is haproxy 2.8.1.
A few minutes ago, I fixed the problem on that server with haproxy's
built-in OCSP updater, so the script is officially
On 7/13/23 15:00, Cyril Bonté wrote:
Hi Shawn,
On 13/07/2023 at 18:48, Shawn Heisey wrote:
Looks like on my last edit I deleted it and didn't add it to
defaults, so I was wrong in what I said. It throws a different error
when added to defaults:
Because it should be in the global section,
On 7/13/23 09:01, Sander Klein wrote:
I tried upgrading from 2.6.14 to 2.8.1, but after the upgrade I couldn't
connect to any of the sites behind it.
While looking at the error it seems like OCSP is not working anymore.
Right now I have a setup in which I provision the certificates
Hi Shawn,
On 13/07/2023 at 18:48, Shawn Heisey wrote:
Looks like on my last edit I deleted it and didn't add it to defaults,
so I was wrong in what I said. It throws a different error when added
to defaults:
elyograg@bilbo:~$ sudo haproxy -dD -c -f /etc/haproxy/haproxy.cfg
[NOTICE]
On 7/12/23 04:13, Remi Tricot-Le Breton wrote:
On 11/07/2023 22:22, Shawn Heisey wrote:
On 7/11/23 01:30, Remi Tricot-Le Breton wrote:
That directive didn't work in "global" but it was accepted when I
moved it to "defaults". But it didn't change the behavior. IPv6 is
completely disabled on
Hi,
I tried upgrading from 2.6.14 to 2.8.1, but after the upgrade I couldn't
connect to any of the sites behind it.
While looking at the error it seems like OCSP is not working anymore.
Right now I have a setup in which I provision the certificates with the
corresponding ocsp file next
On 11/07/2023 22:22, Shawn Heisey wrote:
On 7/11/23 01:30, Remi Tricot-Le Breton wrote:
The OCSP update mechanism uses the internal http_client which then
uses the resolvers. The only time when I had some strange
resolver-related issues is when the name resolution returned IPv6
addresses
On 7/11/23 01:30, Remi Tricot-Le Breton wrote:
The OCSP update mechanism uses the internal http_client which then uses
the resolvers. The only time when I had some strange resolver-related
issues is when the name resolution returned IPv6 addresses which were
not properly managed on my machine
On 10/07/2023 22:41, Shawn Heisey wrote:
On 7/8/23 21:33, Shawn Heisey wrote:
Here's the very weird part. It seems that haproxy is sending the
OCSP request to localhost, not the http://r3.o.lencr.org URL that it
SHOULD be sending it to. Right before the above log entry is this one:
Jul
On 7/8/23 21:33, Shawn Heisey wrote:
Here's the very weird part. It seems that haproxy is sending the OCSP
request to localhost, not the http://r3.o.lencr.org URL that it SHOULD
be sending it to. Right before the above log entry is this one:
Jul 8 21:15:38 - haproxy[4075] 127.0.0.1:57696
On 7/8/23 21:33, Shawn Heisey wrote:
Here's the very weird part. It seems that haproxy is sending the OCSP
request to localhost, not the http://r3.o.lencr.org URL that it SHOULD
be sending it to. Right before the above log entry is this one:
Jul 8 21:15:38 - haproxy[4075] 127.0.0.1:57696
tate file would make sense for it?
I seem to remember that it's possible to issue a "show ocsp" on the CLI
and direct it to a file, but I could be wrong. That's the same way the
server-state works by the way.
I'll take a look at it, though the main advantage would be to keep it all in
I have a strange problem with OCSP updating. On one server everything
works. That server is in my basement, running Ubuntu 22.04.
Another system, Ubuntu 20.04 in AWS using exactly the same certificates
and exactly the same crt-list file is failing to do an OCSP update.
Jul 8 21:15:38
r state file would make sense for it?
> >
> > I seem to remember that it's possible to issue a "show ocsp" on the CLI
> > and direct it to a file, but I could be wrong. That's the same way the
> > server-state works by the way.
>
> I'll take a look at it
On 07/07/2023 16:34, Willy Tarreau wrote:
On Fri, Jul 07, 2023 at 03:06:52PM +, Tristan wrote:
The ocsp-update option should be between brackets
/etc/haproxy/ssl/mangadex.dev.pem [ocsp-update on] mangadex.dev
*.mangadex.dev
Oh that makes more sense indeed; should have guessed so since
On Fri, Jul 07, 2023 at 03:06:52PM +, Tristan wrote:
> > The ocsp-update option should be between brackets
> > /etc/haproxy/ssl/mangadex.dev.pem [ocsp-update on] mangadex.dev
> > *.mangadex.dev
>
> Oh that makes more sense indeed; should have guessed so since other crt
The ocsp-update option should be between brackets
/etc/haproxy/ssl/mangadex.dev.pem [ocsp-update on] mangadex.dev
*.mangadex.dev
Oh that makes more sense indeed; should have guessed so since other
crt-list bind params used those indeed...
- does the OCSP update mechanism update the files
Hello Tristan,
On 06/07/2023 13:24, Tristan wrote:
Hello,
I'm trying to make use of the new ocsp-update mechanism, and finding
no success (yet).
I've migrated my crt bind arguments to a crt-list argument (+ relevant
file) and that loads in and gets used fine, but despite having
Hello,
I'm trying to make use of the new ocsp-update mechanism, and finding no
success (yet).
I've migrated my crt bind arguments to a crt-list argument (+ relevant
file) and that loads in and gets used fine, but despite having
"ocsp-update on" on the lines, I'm not seeing any o
a simpler, less verbose configuration
(ideally just a single global parameter to enable ocsp renewal on bind line)
The scripts I use to renew OCSP are working for years without any
problems, no need to rush here ;)
Regards
Matthias
--
"Programming today is a race between software engi
ext versions and then you are stuck with something awful.
>
> My concern here, is that the ocsp-update option was never a "bind"
> option, it's a feature which applies on the internal storage part, which
> is not directly exposed in the configuration. So for example if you use
>
Hello,
On Sat, Jun 03, 2023 at 04:28:30PM -0600, Shawn Heisey wrote:
> On 6/3/23 15:37, Shawn Heisey wrote:
> > On 6/3/23 15:28, Shawn Heisey wrote:
> >> So maybe a completely separate global option makes sense. The
> >> crt-list requirement is not really a burden for me, but for someone
> >>
On 6/3/23 15:37, Shawn Heisey wrote:
On 6/3/23 15:28, Shawn Heisey wrote:
So maybe a completely separate global option makes sense. The
crt-list requirement is not really a burden for me, but for someone
who uses a LOT of certificates that change frequently, it probably
would become a
On 6/3/23 15:28, Shawn Heisey wrote:
So maybe a completely separate global option makes sense. The crt-list
requirement is not really a burden for me, but for someone who uses a
LOT of certificates that change frequently, it probably would become a
burden.
Unless it is possible to have a
, but for someone who uses a
LOT of certificates that change frequently, it probably would become a
burden.
A question arises on where to log failures in getting OCSP data. I have
haproxy using two different syslog targets, but the way this config
evolved is lost to time.
TL;DR:
In global, I
irectory.
> >
That's what we've done in the first place, but I decided to remove it
because I was not happy with the architecture. And once you have
something like this, you have to keep the configuration compatibility
for the next versions and then you are stuck with something awful.
> > a few days ago that "ocsp-update" was for crt-list lines only and it's
> > found in the "bind line options" section. And of course, when there are
> > examples, they're not the ones you're looking for, that's classical!
>
> Yep, that's exactly what I said
cStartPre and
> > > ExecReloadPre options in a systemd service file to run your script.
> > >
> > > My certificate files contain the server cert, the issuer cert, the
> > > private key, and DH PARAMETERS that are unique to that cert.
> >
> > maybe add
On Thu, Jun 01, 2023 at 11:42:34PM +0200, Willy Tarreau wrote:
> So this means that the doc is still not clear enough and we need to
> improve this. And indeed, I'm myself confused because William told me
> a few days ago that "ocsp-update" was for crt-list lines only and it's
Hi.
On 2023-06-02 (Fr.) 22:42, Lukas Tribus wrote:
On Fri, 2 Jun 2023 at 21:55, Willy Tarreau wrote:
Initially during the design phase we thought about having 3 states:
"off", "on", "auto", with the last one only enabling updates for certs
that already had a .oc
On Fri, 2 Jun 2023 at 21:55, Willy Tarreau wrote:
> Initially during the design phase we thought about having 3 states:
> "off", "on", "auto", with the last one only enabling updates for certs
> that already had a .ocsp file. But along dis
> > My certificate files contain the server cert, the issuer cert, the
> > private key, and DH PARAMETERS that are unique to that cert.
>
> maybe adding a global configuration parameter to enable ocsp retrieval for
> all certificates?
Initially during the design phase we tho
maybe adding a global configuration parameter to enable ocsp retrieval
for all certificates?
Adding an additional script does not make sense to me. If this were
required, I'd keep the current setup, which has proved to work fine.
Regards
Matthias
--
"Programming today is a race between sof
On 6/1/23 16:19, Shawn Heisey wrote:
I asked ChatGPT for help, and with that info, I was able to work out
what to do.
-
elyograg@smeagol:/etc/haproxy$ cat crt-list.txt
/etc/ssl/certs/local/REDACTED1.combined.pem [ocsp-update on]
/etc/ssl/certs/local/REDACTED2.combined.pem [ocsp-update
On 6/1/23 15:42, Willy Tarreau wrote:
So this means that the doc is still not clear enough and we need to
improve this. And indeed, I'm myself confused because William told me
a few days ago that "ocsp-update" was for crt-list lines only and it's
found in the "bind line o
On Thu, Jun 01, 2023 at 03:30:36PM -0600, Shawn Heisey wrote:
> On 5/31/23 23:25, Matthias Fechner wrote:
> > I just saw in the release notes for 2.8 that an automatic OCSP renewal
> > is now included and I would like to get rid of my manual scripts that
> > are current
On 5/31/23 23:25, Matthias Fechner wrote:
I just saw in the release notes for 2.8 that an automatic OCSP renewal
is now included and I would like to get rid of my manual scripts that
are currently injecting the OCSP information.
I checked a little bit the documentation here:
https
Dear all,
I just saw in the release notes for 2.8 that an automatic OCSP renewal
is now included and I would like to get rid of my manual scripts that
are currently injecting the OCSP information.
I checked a little bit the documentation here:
https://docs.haproxy.org/2.8/configuration.html
On Fri, Nov 05, 2021 at 01:30:53PM +0100, Marco Corte wrote:
> Subject: Re: OCSP with dynamic SSL storage
>
> On 2021-11-05 13:11 Marco Corte wrote:
> > Hi all.
> >
> > I have a bind section that contains
> > ... ssl crt ZZZ.pem ...
> >
On 2021-11-05 13:11 Marco Corte wrote:
Hi all.
I have a bind section that contains
... ssl crt ZZZ.pem ...
where ZZZ.pem is actually a full path.
If I upload a new certificate/key to ZZZ.pem and a corresponding OCSP
response to ZZZ.pem.ocsp and do a
# systemctl reload
Hi all.
I have a bind section that contains
... ssl crt ZZZ.pem ...
where ZZZ.pem is actually a full path.
If I upload a new certificate/key to ZZZ.pem and a corresponding OCSP
response to ZZZ.pem.ocsp and do a
# systemctl reload haproxy.service
then the certificate and the OCSP
checks revocation status with the CA regardless of
the EV certificate being OCSP stapled or not and regardless of Chrome having
the certificate and/or a "not revoked" OCSP response in its local cache
Best regards,
p.p. Thomas Bätzler
--
BRINGE Informationstechnik GmbH
Zur Seepl
Hi,
I'm trying to get OCSP stapling to work on haproxy 2.2.9 and I'm out of my
depth. I've set up a test installation with a Let's Encrypt certificate,
concatenated key and full chain to build a bundle and generated the OCSP
file using https://github.com/pierky/haproxy-ocsp-stapling-updater.git
On Mon, Oct 26, 2020 at 02:32:20PM +0100, ehoc...@club-internet.fr wrote:
> Hi,
>
> It's a fix for a regression with OCSP and BoringSSL.
> OCSP works with BoringSSL, not in the same way as openssl, but it works:
> OCSP data is simply linked to the CTX context.
>
> ++
> Manu
it should be backported to 2.2, 2.1, right?
Mon, 26 Oct 2020 at 18:35, :
> Hi,
>
> It's a fix for a regression with OCSP and BoringSSL.
> OCSP works with BoringSSL, not in the same way as openssl, but it works:
> OCSP data is simply linked to the CTX context.
>
> ++
> Manu
>
>
>
Hi,
It's a fix for a regression with OCSP and BoringSSL.
OCSP works with BoringSSL, not in the same way as openssl, but it works:
OCSP data is simply linked to the CTX context.
++
Manu
0001-BUG-MEDIUM-ssl-OCSP-must-work-with-BoringSSL.patch
Description: Binary data
ndles are seen as separate files, and the bundle extension is
>required to commit them.
>
> - OSCP files (.ocsp), issuer files (.issuer), Certificate Transparency
> (.sctl)
> + OCSP files (.ocsp), issuer files (.issuer), Certificate Transparency
> (.sctl)
>
index b01129f8f..a98284da3 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1423,7 +1423,7 @@ ssl-load-extra-files
*
On the CLI, bundles are seen as separate files, and the bundle extension is
required to commit them.
- OSCP files (.ocsp), issuer files (.issuer
On 15-10-2019 at 13:52 William Lallemand wrote:
I pushed the fix.
Thanks
Fix confirmed. Thank you.
On Tue, Oct 15, 2019 at 08:17:43AM +0200, William Lallemand wrote:
> Hi Pieter,
>
> On Mon, Oct 14, 2019 at 11:27:02PM +0200, PiBa-NL wrote:
> > # haproxy -f ./PB-TEST/ultimo_testcase/xxx/haproxy.cfg -d
> > [ALERT] 286/223026 (39111) : parsing
> > [./PB-TEST/ultimo_testcase/xxx/haproxy.cfg:61] :
Hi Pieter,
On Mon, Oct 14, 2019 at 11:27:02PM +0200, PiBa-NL wrote:
> # haproxy -f ./PB-TEST/ultimo_testcase/xxx/haproxy.cfg -d
> [ALERT] 286/223026 (39111) : parsing
> [./PB-TEST/ultimo_testcase/xxx/haproxy.cfg:61] : 'bind 0.0.0.0:443' :
> 'crt-list' : error processing line 1 in file
>
Hi William,
I'm having an issue with the latest master code 2.1-dev2-4a66013. It
does compile but doesn't want to load my crt-list with .ocsp files
present for the certificates mentioned. The commit that broke this is:
246c024
# haproxy -v
HA-Proxy version 2.1-dev2-4a66013 2019/10/14
14-1ppa1~xenial 2018/09/23
>>>> Copyright 2000-2018 Willy Tarreau
>>>>
>>>> I noticed that in case of multiple domains and OCSP setup:
>>>>
>>>> # ls -1 /etc/haproxy/ssl.d/*.ocsp
>>>> /etc/haproxy/ssl.d/star_domain2_com.crt.
2018/09/23
>> Copyright 2000-2018 Willy Tarreau
>>
>> I noticed that in case of multiple domains and OCSP setup:
>>
>> # ls -1 /etc/haproxy/ssl.d/*.ocsp
>> /etc/haproxy/ssl.d/star_domain2_com.crt.ocsp
>> /etc/haproxy/ssl.d/star_domain_com.crt.ocsp
>> /etc
au <wi...@haproxy.org>>
>
> I noticed that in case of multiple domains and OCSP setup:
>
> # ls -1 /etc/haproxy/ssl.d/*.ocsp
> /etc/haproxy/ssl.d/star_domain2_com.crt.ocsp
> /etc/haproxy/ssl.d/star_domain_com.crt.ocsp
> /etc/h
On Sun, Nov 11, 2018 at 2:48 PM Igor Cicimov
wrote:
> Hi,
>
> # haproxy -v
> HA-Proxy version 1.8.14-1ppa1~xenial 2018/09/23
> Copyright 2000-2018 Willy Tarreau
>
> I noticed that in case of multiple domains and OCSP setup:
>
> # ls -1 /etc/haproxy/ssl.d/
Hi,
# haproxy -v
HA-Proxy version 1.8.14-1ppa1~xenial 2018/09/23
Copyright 2000-2018 Willy Tarreau
I noticed that in case of multiple domains and OCSP setup:
# ls -1 /etc/haproxy/ssl.d/*.ocsp
/etc/haproxy/ssl.d/star_domain2_com.crt.ocsp
/etc/haproxy/ssl.d/star_domain_com.crt.ocsp
/etc/haproxy
April 2019). That thing is left
> > behind on 1.0.1f with security updates being ported from upstream,
> > but seemingly nothing more.
>
> Building OpenSSL 1.0.1f from source results in the CMS consistency
> test failing due to an expired certificate in the test suite; buil
> but seemingly nothing more.
Building OpenSSL 1.0.1f from source results in the CMS consistency
test failing due to an expired certificate in the test suite; building
HAProxy against it resulted in no OCSP responses. Building OpenSSL
1.0.1u from source went well; building HAProxy against it resulted
ially set to EOL in April 2019). That thing is left
behind on 1.0.1f with security updates being ported from upstream, but
seemingly nothing more. Using Ubuntu 16.04 Xenial which ships OpenSSL
1.0.2g delivers OCSP Status responses as expected. I will try to see
if this is an actual issue with Open
Hello,
We were using HAProxy 1.7 for a while in combination with a cron job
that fetches OCSP Staple data, stores it with the certificates as
.ocsp files per the [documentation][] and then uses 'set ssl
ocsp-response' on the administration [socket][] to update the running
server instance. We
Hi guys,
On Tue, Oct 24, 2017 at 03:25:28PM +0200, Emmanuel Hocdet wrote:
> Thanks for spotting this!
> patch could be also:
(...)
Indeed I find this version safer, it also covers all other cases.
Now applied, thanks Sander for reporting and fixing it!
Willy
>>> Hi Emeric,
>>>
>>>
>>> ocsp_status can be 'good', 'revoked', or 'unknown'. 'revoked' status
>>> is a correct status and ocsp response should not be dropped.
>>> In case of certificate with OCSP must-stapling extension, response with
>>> 'revoked
Hi Willy,
On 10/22/2017 10:02 AM, Willy Tarreau wrote:
> Hi Manu,
>
> On Tue, Oct 10, 2017 at 03:44:07PM +0200, Emmanuel Hocdet wrote:
>> Hi Emeric,
>>
>>
>> ocsp_status can be 'good', 'revoked', or 'unknown'. 'revoked' status
>> is a correct status
Hi Manu,
On Tue, Oct 10, 2017 at 03:44:07PM +0200, Emmanuel Hocdet wrote:
> Hi Emeric,
>
>
> ocsp_status can be 'good', 'revoked', or 'unknown'. 'revoked' status
> is a correct status and ocsp response should not be dropped.
> In case of certificate with OCSP must-stapling e
Felt bad about not including a documentation patch, so here it is.
Changes:
- Clarifies that HAProxy does not fetch OCSP responses. Apache just has a
couple of set-and-forget directives that handle everything for you, so this
was definitely non-obvious to me.
- Removes mention of needing
I'm guessing they're
pre-generating the responses in chunks. HAProxy didn't like it:
"OCSP response ignored because contains multiple single responses (20).
Content will be ignored."
I did see the comment in src/ssl_sock.c. "Note: OCSP response containing
more than one OCSP Sing
Hi Emeric,
ocsp_status can be 'good', 'revoked', or 'unknown'. 'revoked' status
is a correct status and ocsp response should not be dropped.
In case of certificate with OCSP must-stapling extension, response with
'revoked' status must be provided as well as 'good' status.
++
Manu
0001-MINOR
On Wed, Sep 20, 2017 at 4:00 PM, Jarno Huuskonen <jarno.huusko...@uef.fi>
wrote:
> Hi,
>
> On Wed, Sep 20, Igor Cicimov wrote:
> > I've been running haproxy with OCSP stapling for some time with a single
> > ssl certificate. Now I'm trying to enable the same for multi
Hi,
On Wed, Sep 20, Igor Cicimov wrote:
> I've been running haproxy with OCSP stapling for some time with a single
> ssl certificate. Now I'm trying to enable the same for multiple
> certificates but am getting an error:
>
> OCSP single response: Certificate ID does not match