On 7/13/23 09:01, Sander Klein wrote:
> I tried upgrading from 2.6.14 to 2.8.1, but after the upgrade I couldn't connect to any of the sites behind it.
>
> While looking at the error it seems like OCSP is not working anymore. Right now I have a setup in which I provision the certificates with the corresponding ocsp file next to it. Is this not supported anymore?

Does your certificate have "must-staple" configured? That is the only way I can imagine an OCSP problem would keep websites from working. I do ocsp stapling with haproxy, but I don't use "must-staple". I do not believe that ocsp stapling is supported widely enough yet to declare that it MUST happen.

If you are relying only on the .ocsp file and are not informing haproxy when there is a new response, then you have to restart (or maybe reload) haproxy when you update the ocsp file. If you don't, then the ocsp response that haproxy is using will quickly expire in a matter of days, as the .ocsp file is only read at startup.

I uploaded a script to github. This is the script I used before haproxy gained the ability to do its own OCSP updates. The script updates the .ocsp file(s) and informs haproxy about the new response(s) so haproxy does not need to be restarted:

https://github.com/elyograg/haproxy-ocsp-elyograg

The script relies on mktemp, openssl, socat, and base64.

I do still use this script on one of my servers where I can't get haproxy's built-in ocsp updating to work right. It is haproxy 2.8.1.

Thanks,
Shawn

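As an added illustration of the fetch-verify-push loop Shawn describes (this is not the elyograg script he links, nor anything from the haproxy project), here is a minimal POSIX shell version. Everything about the deployment is an assumption: certificates live under /etc/haproxy/certs as NAME.pem with the issuer in NAME.pem.issuer and the response in NAME.pem.ocsp (the file names haproxy itself looks for next to a "crt"), and haproxy.cfg has a stats socket at /var/run/haproxy.sock with level admin. The socket command used, `set ssl ocsp-response`, is the one haproxy exposes for exactly this purpose; the reply text it is matched against is assumed.

```shell
#!/bin/sh
# ocsp-refresh.sh: re-fetch stapled OCSP responses and hand them to a running
# HAProxy over its stats socket, so no restart or reload is needed.
# Added illustration, not the elyograg script. Assumed layout:
#   /etc/haproxy/certs/NAME.pem         leaf cert, key and chain (the "crt" file)
#   /etc/haproxy/certs/NAME.pem.issuer  issuer cert (name haproxy looks for itself)
#   /etc/haproxy/certs/NAME.pem.ocsp    DER response haproxy reads at startup
#   haproxy.cfg: stats socket /var/run/haproxy.sock mode 600 level admin
# Needs openssl, socat, base64 and mktemp, like the linked script.
set -eu

HAPROXY_SOCK="${HAPROXY_SOCK:-/var/run/haproxy.sock}"

# Build the stats-socket command. haproxy wants the DER response base64-encoded
# on a single line; "base64 | tr" avoids the GNU-only "-w0" flag.
build_set_ocsp_cmd() {
    printf 'set ssl ocsp-response %s\n' "$(base64 < "$1" | tr -d '\n')"
}

# Read "openssl ocsp" text output on stdin and accept only a response whose
# signature verified and whose status for the certificate is "good".
# Stapling an unverified or "revoked" answer would be worse than stapling none.
ocsp_is_good() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^Response verify OK' || return 1
    printf '%s\n' "$out" | grep -q ': good$' || return 1
}

# Refresh one certificate: fetch, verify, push to the live process, and only
# then replace the .ocsp file (same directory, so the rename is atomic) so a
# later restart picks up the same response.
refresh_one() {
    cert=$1
    issuer="$cert.issuer"
    tmp=$(mktemp "$cert.ocsp.XXXXXX")

    # The responder URL comes from the certificate's AIA extension.
    if ! uri=$(openssl x509 -in "$cert" -noout -ocsp_uri) || [ -z "$uri" ]; then
        echo "$cert: no OCSP URI in certificate" >&2
        rm -f "$tmp"; return 1
    fi

    # No -CAfile given, so the response is verified against the system trust store.
    if ! openssl ocsp -issuer "$issuer" -cert "$cert" -url "$uri" \
            -respout "$tmp" 2>&1 | ocsp_is_good; then
        echo "$cert: response missing, unverified or not 'good'; keeping old one" >&2
        rm -f "$tmp"; return 1
    fi

    # Inform the running haproxy first. "OCSP Response updated!" is the reply
    # text assumed here; anything else is treated as a rejection.
    if ! build_set_ocsp_cmd "$tmp" | socat stdio "unix-connect:$HAPROXY_SOCK" \
            | grep -qi 'updated'; then
        echo "$cert: haproxy rejected the response" >&2
        rm -f "$tmp"; return 1
    fi
    mv -f "$tmp" "$cert.ocsp"
}

# Usage, e.g. from a daily cron job: ocsp-refresh.sh /etc/haproxy/certs/*.pem
main() {
    rc=0
    for cert in "$@"; do
        refresh_one "$cert" || rc=1
    done
    return "$rc"
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Running it from cron more often than the responder's validity window (daily is plenty when responses last about a week) is what keeps the stapled response from expiring, which is the failure mode Shawn describes when only the startup-time .ocsp file is used. Pushing to the socket before overwriting the file means a rejected response never replaces a still-valid one on disk.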