Are you reloading HAProxy or issuing a 'set ssl ocsp-response' command via
the stats socket after you retrieve the response? That's necessary after
you pull down an updated OCSP response.

For example, here's our script that pulls down the OCSP response then loads
it in via the stats socket:
https://gist.github.com/ahayworth/e27e12bd0f9d9f10f3c2

On Tue, Jun 2, 2015 at 1:29 PM, Shawn Heisey <hapr...@elyograg.org> wrote:

> On 6/2/2015 11:42 AM, Lukas Tribus wrote:
> > Share your cronjob script, your configuration, and SSLtest output at
> > least (you basically didn't share any OCSP related information).
>
> Here's the script that retrieves the OCSP responses, with its redacted
> config file:
>
> https://gist.github.com/elyograg/4b4703c3b7503c1f259e
>
> Here's the redacted haproxy config:
>
> https://gist.github.com/elyograg/597fa2427f3039ddfb15
>
> > Try to work through this post if you can't post the URL of the site:
> >
> > https://raymii.org/s/articles/OpenSSL_Manually_Verify_a_certificate_against_an_OCSP.html
>
> Will do.  I'm under NDA for this, so I can't publicly post anything
> specific.
>
> Thanks,
> Shawn
>
>
>


-- 
- Andrew Hayworth
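
The step described in the reply above (retrieve the OCSP response, then push it into the running process with 'set ssl ocsp-response' over the stats socket), as an added example that is not taken from the thread or from either linked gist. The certificate, issuer and socket paths are arguments supplied by the caller, and the success text checked in HAProxy's reply is an assumption; `openssl` and `socat` must be installed.

```shell
#!/usr/bin/env bash
# Added example: refresh the stapled OCSP response of a running HAProxy.
# File and socket paths are caller-supplied placeholders, not values from the thread.

# Build the stats-socket command for a DER-encoded OCSP response file.
# HAProxy expects the response base64-encoded on a single line.
ocsp_socket_command() {
    printf 'set ssl ocsp-response %s\n' "$(base64 < "$1" | tr -d '\n')"
}

# Decide from HAProxy's reply whether the update was accepted.
# Assumption: the success reply contains "OCSP Response updated".
ocsp_update_ok() {
    case "$1" in
        *"OCSP Response updated"*) return 0 ;;
        *) return 1 ;;
    esac
}

# refresh_ocsp CERT ISSUER SOCKET
# CERT is the PEM file named on the "crt" option, ISSUER its issuing CA cert.
refresh_ocsp() {
    local cert="$1" issuer="$2" sock="$3" url tmp status reply
    url=$(openssl x509 -noout -ocsp_uri -in "$cert") || return 1
    [ -n "$url" ] || { echo "no OCSP URI in $cert" >&2; return 1; }
    tmp=$(mktemp) || return 1

    # Fetch the response; openssl prints the status (good/revoked/unknown).
    # Signature-check options (-CAfile/-VAfile) depend on the CA chain; omitted.
    status=$(openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" \
                 -no_nonce -respout "$tmp" 2>&1) || { rm -f "$tmp"; return 1; }
    if ! printf '%s\n' "$status" | grep -q ': good'; then
        echo "refusing to load OCSP response: $status" >&2
        rm -f "$tmp"; return 1
    fi

    # Keep CERT.ocsp current so a later restart or reload reads the same data.
    mv "$tmp" "$cert.ocsp"

    # Push it into the running process; without this step HAProxy keeps
    # serving the response it loaded at startup until that one expires.
    reply=$(ocsp_socket_command "$cert.ocsp" | socat stdio "unix-connect:$sock")
    ocsp_update_ok "$reply" || { echo "HAProxy replied: $reply" >&2; return 1; }
}

if [ "$#" -eq 3 ]; then refresh_ocsp "$@"; fi
```

Run it from cron with the certificate, issuer and stats socket paths as the three arguments; a non-zero exit means the running process is still serving the old response.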
