On 6/1/23 16:19, Shawn Heisey wrote:
I asked ChatGPT for help, and with that info, I was able to work out what to do.

-
elyograg@smeagol:/etc/haproxy$ cat crt-list.txt
/etc/ssl/certs/local/REDACTED1.combined.pem [ocsp-update on]
/etc/ssl/certs/local/REDACTED2.combined.pem [ocsp-update on]
-

Instead of two "crt" options, I now have "crt-list /etc/haproxy/crt-list.txt" on each bind line. Haproxy handles getting and updating the OCSP response for stapling. It's beautiful.

@Matthias I have no idea whether crt-list can load all certs in a directory like crt can. If it can't, then you will probably need a script for starting/restarting haproxy that generates the cert list file. If you want that script to be automatically run whenever someone does `systemctl restart haproxy`, you could use the ExecStartPre and ExecReloadPre options in a systemd service file to run your script.

My certificate files contain the server cert, the issuer cert, the private key, and DH PARAMETERS that are unique to that cert.

Thanks,
Shawn
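The directory-to-crt-list script Shawn suggests for Matthias, as an added example that is not part of the original message: it writes one `path [ocsp-update on]` entry per combined PEM, skipping bundles that lack a certificate or private key, and fails non-zero when nothing usable is found so an `ExecStartPre=` hook stops the unit instead of starting HAProxy with an empty list. The `*.combined.pem` naming and the `/etc/ssl/certs/local` and `/etc/haproxy/crt-list.txt` paths are assumptions taken from the message.

```shell
#!/bin/sh
# Added example (not from the original message): build an HAProxy crt-list
# from every *.combined.pem in a directory, tagging each entry with
# "[ocsp-update on]" as in the crt-list.txt shown above. The directory,
# file suffix and output path are assumptions; adjust them to your layout.
set -eu

# generate_crt_list CERT_DIR OUT_FILE
# Writes one "path [ocsp-update on]" line per combined PEM that contains
# both a certificate and a private key, sorted so the file is stable
# across runs. Returns 1 if no usable bundle was found.
generate_crt_list() {
    cert_dir=$1
    out_file=$2
    tmp=$(mktemp)
    count=0
    for pem in "$cert_dir"/*.combined.pem; do
        # An unmatched glob stays literal; skip it.
        [ -f "$pem" ] || continue
        # HAProxy refuses a crt-list entry without cert+key, so leave
        # incomplete bundles out rather than break the whole bind line.
        if ! grep -q 'BEGIN CERTIFICATE' "$pem" || ! grep -q 'PRIVATE KEY' "$pem"; then
            echo "skipping $pem: missing certificate or private key" >&2
            continue
        fi
        printf '%s [ocsp-update on]\n' "$pem" >> "$tmp"
        count=$((count + 1))
    done
    if [ "$count" -eq 0 ]; then
        rm -f "$tmp"
        echo "no usable certificates in $cert_dir" >&2
        return 1
    fi
    sort "$tmp" > "$out_file"
    rm -f "$tmp"
    return 0
}

# Stand-alone use (assumed paths):
#   generate_crt_list /etc/ssl/certs/local /etc/haproxy/crt-list.txt
```

To run it before each start, put `ExecStartPre=/usr/local/sbin/generate-crt-list.sh` (hypothetical install path) in a systemd drop-in for the haproxy unit.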
