Hi list, I have for projet to write a dynamic update of the SSL certificates. I encountered some cases where haproxy deals with many websites, and it should ne great if we can replace / add certificate without restarting HAProxy.
I'm looking for some opinions or advices. I need to: - list the currently loaded certificates ID (embedding ECDSA). - add or replace certificates embedding the 3 certificates version RSA/DSA/ECDSA and the sni filter. - Delete SNI entries (and the certificates if it is the last one) For the listing of the certificate, I need to scan the content of the OpenSSL SSL_CTX and extract the certificates ID. It seems impossible, Openssl not seems to give method fo doing this. So I proposed to memorize the certificates ID when each certificate is added in a SSL_CTX. For the list: show ssl [proxy/listener] This command lst all certificates by SNI for a listener. If the proxy/listener is not precised, the command list availables proxy, and listeners. For the replacement or update, I propose some CLI commands like this: set ssl certificate begin proxy/listener [sni filters] This commande creates a new SSL context will be filled with the following commands. If a previous context exists it is destroyed. This is incompatible with concurrent access to the cli. set ssl certificate (any|rsa|ecdsa|dsa) <dump PEM certificate containg cert, intermediates and private key> EOF The difficulty is to mark the end of the certificate, so I propose to mark en end with the string "\nEOF\n". set ssl certificate commit This command validates, install new certificates and remove old certificates. And finaly this command destroy existing certificate: del ssl certificate proxy/listener id Any ideas or comments ? Thanks Thierry -- Thierry Fournier m: +33 6 68 69 21 85 | e: thierry.fourn...@ozon.io w: http://www.ozon.io/ | b: http://blog.ozon.io/
