Hello,

On Wed, Jun 17, 2020 at 03:28:19PM +0300, tbn wrote:
> Hello list,
>
> I saw William Lallemand's announcement regarding the possibility of
> loading dynamic ssl certificates right here
> https://www.mail-archive.com/haproxy@formilux.org/msg36927.html and
> the idea of having so much control over the haproxy instance was
> intriguing.
>
> I've set up a test instance of the latest 2.2-dev9 to test out this
> feature and I seem to have hit a bump in the road. I am unsure if I
> misunderstood what was supposed to happen, or if I've stumbled across
> a bug. In my configuration file, I'm instructing haproxy to load all
> existing certificates from a folder and I'm trying to load a new
> certificate using the new "new ssl cert/add ssl cert/commit ssl cert"
> commands through the haproxy socket. The domain with the certificate
> loaded manually seems to have SNI problems until haproxy is restarted
> and the certificate is read from the crt folder.
>
> I'm using foo.com and bar.com as example domains. The one that
> haproxy loads from the folder is generated and self-signed (foo.com),
> while the one I'm trying to load is valid and issued by let's encrypt
> (bar.com).
>
> I've used a slight variation of the config file found in
> reg-tests/ssl/set_ssl_cert.vtc as follows:
> ------------------------------------------------------[Start]------------------------------------------------------
> global
>     maxconn 4096
>     user root
>     group root
>     daemon
>     log 127.0.0.1 local0 debug
>     stats socket "/tmp/stats" level admin
>
>     # Default SSL material locations
>     ca-base /etc/ssl/certs
>     crt-base /etc/ssl/private
>
>     tune.ssl.default-dh-param 2048
>
> defaults
>     log global
>     mode http
>     option httplog
>     option dontlognull
>     retries 3
>     option redispatch
>     option http-server-close
>     option forwardfor
>     timeout connect 5000
>     timeout client 50000
>     timeout server 50000
>
>
> listen https-in
>     bind :443 transparent ssl strict-sni crt /etc/haproxy/ssl alpn h2,http/1.1
>     default_backend something
>
> backend something
>     mode http
>     server web 192.168.1.144:80 check
> ------------------------------------------------------[End]------------------------------------------------------
>
> Haproxy starts successfully and the pre-existing certificate in the
> /etc/haproxy/ssl is present and loaded:
>
> ------------------------------------------------------[Start]------------------------------------------------------
> ]# haproxy -d -f /etc/haproxy/haproxy.cfg
> Available polling systems :
>       epoll : pref=300,  test result OK
>        poll : pref=200,  test result OK
>      select : pref=150,  test result FAILED
> Total: 3 (2 usable), will use epoll.
>
> Available filters :
>         [SPOE] spoe
>         [COMP] compression
>         [TRACE] trace
>         [CACHE] cache
>         [FCGI] fcgi-app
> Using epoll() as the polling mechanism.
> ------------------------------------------------------[Middle]------------------------------------------------------
> ]# echo -e "show ssl cert" | socat /tmp/stats stdio
> # filename
> /etc/haproxy/ssl/foo.com.pem
>
> ]# echo -e "show ssl cert /etc/haproxy/ssl/foo.com.pem" | socat /tmp/stats stdio
> Filename: /etc/haproxy/ssl/foo.com.pem
> *Status: Used*
> Serial: DA0AD0EC8F6C0C30
> notBefore: Nov 8 15:31:08 2019 GMT
> notAfter: Dec 8 15:31:08 2019 GMT
> Subject Alternative Name:
> Algorithm: RSA2048
> SHA1 FingerPrint: 81D4AF40722F5F7C704E3327C5695F78DA6DC1E0
> Subject: /C=RO/ST=SomeState/L=Locality/O=OrganizationalOrg/OU=OrzanizatoricUnit/CN=foo.pem
> Issuer: /C=RO/ST=SomeState/L=Locality/O=OrganizationalOrg/OU=OrzanizatoricUnit/CN=foo.pem
> ------------------------------------------------------[End]------------------------------------------------------
> Certificate status is "Used", browser loads "foo.com" with the proper
> certificate.
>
> Next I've tried inserting "bar.com" into a running haproxy:
> ------------------------------------------------------[Start]------------------------------------------------------
> ]# cat /root/certificates/bar.com/fullchain.pem /root/certificates/bar.com/privkey.pem | sed '/^$/d' > /etc/haproxy/ssl/bar.com.pem
> ]# echo -e "new ssl cert /etc/haproxy/ssl/bar.com.pem" | socat /tmp/stats stdio
> New empty certificate store '/etc/haproxy/ssl/bar.com.pem'!
>
> # echo -e "set ssl cert /etc/haproxy/ssl/bar.com.pem <<\n$(cat /etc/haproxy/ssl/bar.com.pem)\n" | socat /tmp/stats stdio
> Transaction created for certificate /etc/haproxy/ssl/bar.com.pem!
>
> ]# echo -e "commit ssl cert /etc/haproxy/ssl/bar.com.pem" | socat /tmp/stats stdio
> Committing /etc/haproxy/ssl/bar.com.pem
> Success!
> ------------------------------------------------------[End]------------------------------------------------------
>
> Everything seems to have worked successfully, although the certificate
> shows up as "Unused":
> ------------------------------------------------------[Start]------------------------------------------------------
> ]# echo -e "show ssl cert /etc/haproxy/ssl/bar.com.pem" | socat /tmp/stats stdio
> Filename: /etc/haproxy/ssl/bar.com.pem
> *Status: Unused*
> Serial: 0315D3DD8EAB437293870474AB2B7055699B
> notBefore: Jun 16 20:30:03 2020 GMT
> notAfter: Sep 14 20:30:03 2020 GMT
> Subject Alternative Name: DNS:*.bar.com, DNS:bar.com
> Algorithm: RSA2048
> SHA1 FingerPrint: 5AEECEA0218C07B8D9E4D1B248FB1614C32B79DE
> Subject: /CN=bar.com
> Issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> Chain Subject: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> Chain Issuer: /O=Digital Signature Trust Co./CN=DST Root CA X3
> ------------------------------------------------------[End]------------------------------------------------------
>

With these commands you created a certificate storage, but the certificate
is unused because it is not associated with any bind line. To do so, you
should add your certificate to a crt-list or a directory.

In your configuration file, "/etc/haproxy/ssl/" is the directory associated
to your bind line. To associate this file to your directory you must do:

    "add ssl crt-list /etc/haproxy/ssl/ /etc/haproxy/ssl/bar.com.pem"

as documented here:
https://cbonte.github.io/haproxy-dconv/2.2/management.html#add%20ssl%20crt-list

Regards,

-- 
William Lallemand
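An added example, not code from either message in this thread, that scripts the whole sequence the reply describes (new, set, commit, then the "add ssl crt-list" step the original report was missing) and reads back the Status line so the operator can confirm the certificate is actually served. It assumes socat is installed, the stats socket is /tmp/stats and the bind line uses "crt /etc/haproxy/ssl" as in the quoted configuration; the "show ssl cert" sample used to exercise the status parser is constructed, not captured from a server.

```shell
#!/bin/sh
# Added example, not code from the thread: load a certificate into a running
# HAProxy 2.2 over the stats socket and attach it to the bind line's directory.
# Assumptions: socat is installed, the stats socket is /tmp/stats and the bind
# line uses "crt /etc/haproxy/ssl" as in the configuration quoted above.
SOCK="${HAPROXY_SOCK:-/tmp/stats}"

# Send one command to the stats socket and print the reply.
hap() { printf '%s\n' "$1" | socat "$SOCK" stdio; }

# Read "show ssl cert <file>" output on stdin and print the Status value
# (Used/Unused). Tolerates the "*Status: Used*" emphasis seen in mail copies.
cert_status() { sed -n 's/^\**Status: *\([A-Za-z]*\).*/\1/p' | head -n 1; }

# Status of <pem> as reported by the running instance.
live_status() { hap "show ssl cert $1" | cert_status; }

# Load <pem> into the running instance and bind it to <dir>.
load_cert() {
  pem="$1"; dir="$2"
  hap "new ssl cert $pem"
  # The PEM payload follows "<<" on the next lines and ends with an empty line.
  printf 'set ssl cert %s <<\n%s\n\n' "$pem" "$(cat "$pem")" | socat "$SOCK" stdio
  hap "commit ssl cert $pem"
  # Without this step the certificate exists in storage but serves no SNI:
  # it has to be added to the crt-list or directory used by the bind line.
  hap "add ssl crt-list $dir $pem"
}

# Constructed sample of "show ssl cert" output (not captured from a server),
# used to exercise cert_status without a live socket.
SAMPLE_UNUSED='Filename: /etc/haproxy/ssl/bar.com.pem
Status: Unused
Subject: /CN=bar.com'

# Usage against a live instance, only when the socket actually exists.
if [ -S "$SOCK" ]; then
  load_cert /etc/haproxy/ssl/bar.com.pem /etc/haproxy/ssl/
  echo "bar.com.pem status: $(live_status /etc/haproxy/ssl/bar.com.pem)"
fi
```

After load_cert the status should read "Used"; if it still reads "Unused", the directory given to "add ssl crt-list" does not match the one on the bind line.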