Hello William,

On 10.12.20 15:55, William Lallemand wrote:
>> As far as I can see the "set ssl cert fullchain.pem.ocsp" method is
>> *generally* suitable to update ocsp responses and can be used as a drop
>> in replacement for the "set ssl ocsp-response" method, which is not
>> working correctly in the case, where the intermediate cert changed?
>>
> The "set ssl cert" method generates the new SSL context the same way it
> is done with a reload. So it's a little bit heavier than just updating
> the OCSP response.
>
> If you commit the certificate without the .ocsp, it's like you
> reloaded haproxy with the previous .ocsp file.

thank you for the clarification!

What I'm finally wondering: The need for running a "set ssl cert fullchain.pem.ocsp" is not intended but instead the matching ocsp response *should* be loaded again automatically, if a certificate (with or without intermediate cert changes) was replaced right?

If you want I can file an issue to track this.

Björn