Hello,

On Mon, Apr 20, 2020 at 03:15:57PM +0200, Domenico Briganti wrote:
> Ciao Marco, thanks for your help.
> We've found the problem: we also need the CRL from the ROOT CA on top of
> the file passed to the crl-file parameter, which already contains the
> intermediate CRL.
> But now we have another challenge, and we're going to lose this time,
> as already discussed in [1] and [2].
> We proxy MQTT connections, and we can't afford a restart of haproxy
> every day to force haproxy to take the updated CRL...
> Any help?
> Regards, Domenico
> [1] https://discourse.haproxy.org/t/crl-reload-and-long-life-tcp-connections/2645/2
> [2] https://discourse.haproxy.org/t/ssl-termination-fails-when-crl-is-published/2336

Indeed a reload of HAProxy is still required, but that shouldn't be a
problem. With the reload, active connections won't be killed.

You just need to configure the seamless reload by adding the option
"expose-fd listeners" to your stats socket line; this way there is no
impact on your service.

There is currently some active development on the CLI for pushing
certificates on-the-fly, the CRL is not available for this yet, but
could be added in the future.

Regards,

-- 
William Lallemand
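The two points of the thread put together in one configuration, as an added example that is not part of the original messages nor taken from HAProxy's own documentation: a crl-file bundle that carries the root CA's CRL as well as the intermediate's, and a stats socket with "expose-fd listeners" so the reload that picks up a new bundle does not drop the established MQTT sessions. All file paths, ports, timeouts and backend addresses are assumptions.

```haproxy
# Added example (not from the original thread). Paths and addresses are assumed.

global
    # Admin socket used by the seamless reload: "expose-fd listeners" lets the
    # new process fetch the listening sockets from the old one over this
    # socket, so no SYN is refused and established MQTT connections keep
    # running on the old process until they close on their own.
    stats socket /var/run/haproxy.sock mode 600 level admin expose-fd listeners
    # Master-worker mode: a reload is a SIGUSR2 to the master process.
    master-worker
    # Optional: cap how long an old worker may linger with the stale CRL
    # (assumed value; the old worker normally exits when its last connection closes).
    hard-stop-after 24h

defaults
    mode tcp
    timeout connect 5s
    # Long-lived MQTT sessions: keep the idle timeouts generous.
    timeout client  1h
    timeout server  1h

frontend mqtt_tls
    # ca-chain.pem holds root + intermediate CA certificates (for "verify").
    # crl-bundle.pem holds BOTH CRLs, root and intermediate, concatenated in
    # PEM form; with only the intermediate CRL the client check fails.
    bind :8883 ssl crt /etc/haproxy/certs/server.pem ca-file /etc/haproxy/certs/ca-chain.pem crl-file /etc/haproxy/certs/crl-bundle.pem verify required
    default_backend mqtt_brokers

backend mqtt_brokers
    balance leastconn
    server broker1 10.0.0.11:1883 check
    server broker2 10.0.0.12:1883 check
```

Build the bundle by concatenating the two PEM files (for example `cat root.crl intermediate.crl > crl-bundle.pem`), check the configuration with `haproxy -c -f /etc/haproxy/haproxy.cfg`, then reload: in master-worker mode that is a SIGUSR2 to the master (what `systemctl reload haproxy` sends in the usual unit), and without master-worker the new process is started with `-x /var/run/haproxy.sock -sf <old pid>` so it takes over the listeners. One caveat worth knowing: the new CRL is applied to new TLS handshakes only. A client whose certificate was revoked today but that is already connected stays connected on the old worker until its session ends (or `hard-stop-after` expires), so revocation of a long-lived MQTT session also needs the session itself to be cut, for instance by disconnecting the client on the broker side.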
