It would be great: tons of SSL certificates make haproxy very slow to start/restart/reload.
2016-10-11 10:04 GMT+02:00 Thierry Fournier <thierry.fourn...@ozon.io>:
> Hi list,
>
> I have a project to write a dynamic update of the SSL certificates. I
> encountered some cases where haproxy deals with many websites, and it
> would be great if we could replace / add certificates without restarting
> HAProxy.
>
> I'm looking for some opinions or advice.
>
> I need to:
>
> - list the currently loaded certificate IDs (embedding ECDSA).
>
> - add or replace certificates embedding the 3 certificate versions
> RSA/DSA/ECDSA and the SNI filter.
>
> - Delete SNI entries (and the certificates if it is the last one)
>
> For the listing of the certificates, I need to scan the content of the
> OpenSSL SSL_CTX and extract the certificate IDs. It seems impossible,
> OpenSSL does not seem to give a method for doing this. So I propose to
> memorize the certificate IDs when each certificate is added to an
> SSL_CTX.
>
> For the list:
>
> show ssl [proxy/listener]
>
> This command lists all certificates by SNI for a listener. If the
> proxy/listener is not specified, the command lists the available proxies
> and listeners.
>
>
> For the replacement or update, I propose some CLI commands like this:
>
> set ssl certificate begin proxy/listener [sni filters]
>
> This command creates a new SSL context which will be filled with the
> following commands. If a previous context exists it is destroyed. This
> is incompatible with concurrent access to the CLI.
>
> set ssl certificate (any|rsa|ecdsa|dsa)
> <dump PEM certificate containing cert, intermediates and private key>
> EOF
>
> The difficulty is to mark the end of the certificate, so I propose to
> mark the end with the string "\nEOF\n".
>
> set ssl certificate commit
>
> This command validates, installs the new certificates and removes the old
> certificates.
>
>
> And finally this command destroys an existing certificate:
>
> del ssl certificate proxy/listener id
>
> Any ideas or comments ?
>
> Thanks
> Thierry
>
> --
> Thierry Fournier
> m: +33 6 68 69 21 85 | e: thierry.fourn...@ozon.io
> w: http://www.ozon.io/ | b: http://blog.ozon.io/
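As an added example of the framing proposed above for `set ssl certificate <type>` followed by a PEM dump and a bare `EOF` line (written for this note, not HAProxy code or Thierry's implementation): a stdlib-only Python reader that consumes the body up to the `EOF` terminator and checks that the bundle carries at least one certificate and exactly one private key whose PEM label agrees with the declared type, so a later commit cannot install a key of the wrong kind. The PEM payload is a constructed placeholder, not real key material.

```python
import re

# Constructed placeholder bundle (not real key material), shaped like the
# input the proposed "set ssl certificate <type>" command would receive.
SAMPLE_STREAM = (
    "set ssl certificate ecdsa\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBfakeLeafCertAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "QUJD\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN EC PRIVATE KEY-----\n"
    "MHcCAQEEIfakeKeyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "-----END EC PRIVATE KEY-----\n"
    "EOF\n"
)

# PEM label -> key type declared on the CLI. A PKCS#8 "PRIVATE KEY" block hides
# the algorithm inside the DER, so it maps to None (acceptable only with "any").
KEY_TYPES = {"RSA PRIVATE KEY": "rsa", "EC PRIVATE KEY": "ecdsa",
             "DSA PRIVATE KEY": "dsa", "PRIVATE KEY": None}
BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----\n", re.S)
CMD_RE = re.compile(r"set ssl certificate (any|rsa|ecdsa|dsa)")

def read_command(stream):
    """Return (declared_type, pem_body), consuming lines up to the bare 'EOF'.
    Base64 PEM lines are a multiple of 4 chars, so 'EOF' (3) never collides."""
    header, _, rest = stream.partition("\n")
    m = CMD_RE.fullmatch(header)
    if not m:
        raise ValueError("unexpected command: %r" % header)
    body = []
    for line in rest.split("\n"):
        if line == "EOF":
            return m.group(1), "\n".join(body) + "\n"
        body.append(line)
    raise ValueError("certificate body not terminated by an EOF line")

def validate_bundle(declared, pem):
    """Require >= 1 certificate and exactly one key whose label matches."""
    blocks = BLOCK_RE.findall(pem)
    certs = [label for label, _ in blocks if label == "CERTIFICATE"]
    keys = [KEY_TYPES[label] for label, _ in blocks if label in KEY_TYPES]
    if not certs:
        raise ValueError("bundle contains no CERTIFICATE block")
    if len(keys) != 1:
        raise ValueError("bundle must contain exactly one private key block")
    if declared != "any" and keys[0] != declared:
        raise ValueError("declared %s but key block is %s" % (declared, keys[0]))
    return {"certs": len(certs), "key": keys[0]}
```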