On 2023-07-19 11:00, William Lallemand wrote:
> On Mon, Jul 17, 2023 at 08:12:59PM +0200, Sander Klein wrote:
>> On 2023-07-17 15:17, William Lallemand wrote:
>>> On Thu, Jul 13, 2023 at 05:01:06PM +0200, Sander Klein wrote:
>>>> Hi,
>>>>
>>>> I tried upgrading from 2.6.14 to 2.8.1, but after the upgrade I
>>>> couldn't connect to any of the sites behind it.
>>>>
>>>> While looking at the error it seems like OCSP is not working anymore.
>>>> Right now I have a setup in which I provision the certificates with
>>>> the corresponding ocsp file next to it. Is this not supported anymore?
>>>
>>> This is supposed to still be working, however we could have introduced
>>> bugs when building the ocsp-update. Are you seeing errors during the
>>> OCSP file loading?
>>
>> I don't see any errors, not even when I start haproxy by hand with
>> '-d'. It's just like the ocsp isn't used at all. Also started haproxy
>> with strace attached and I see the ocsp files are loaded.
>>
>> Regards,
>> Sander
>
> Did you check with "show ssl ocsp-response" ?
> http://docs.haproxy.org/2.8/management.html#show%20ssl%20ocsp-response
"show ssl ocsp-response" gives me a lot of output like:

Certificate ID key : *LONGID*
Certificate path : /path/to/cert.pem
Certificate ID:
Issuer Name Hash: *HASH*
Issuer Key Hash: *ANOTHERHASH*
Serial Number: *SERIAL*

So I guess that's correct. But then when I do a request for a site I get:

Jul 20 10:14:30 some.hostname.nl haproxy[452783]: x.x.x.x:54404 [20/Jul/2023:10:14:30.375] cluster1-in/3: SSL handshake failure (error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate)
Downgrading to 2.6.14 fixes it again.
Sander
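Added example (my own, not code from the thread or from the HAProxy project): the thread checks the server side with "show ssl ocsp-response", but the complementary check is from the client side, i.e. whether a stapled OCSP response actually arrives in the handshake, and whether the .ocsp file next to the certificate is a valid, unexpired response. The script below parses `openssl s_client -status` output and dumps an .ocsp file with `openssl ocsp -respin`; the host name, port and file path are placeholders, and the two sample `s_client` transcripts are constructed for demonstration.

```shell
#!/bin/sh
# Added example: client-side OCSP stapling checks for an HAProxy front end.
# Host names and file paths below are placeholders, not values from the thread.

# Classify `openssl s_client -status` output (on stdin) as
# "stapled" (a response was sent), "none" (server sent no staple), or "unknown".
staple_state() {
    out=$(cat)
    case "$out" in
        *"OCSP Response Status: successful"*) echo stapled ;;
        *"OCSP response: no response sent"*)  echo none ;;
        *)                                    echo unknown ;;
    esac
}

# Extract the certificate status (good/revoked/unknown) from the same output;
# prints "-" when no "Cert Status:" line is present.
cert_status() {
    out=$(cat)
    s=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: \([a-z]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${s:--}"
}

# Live probe: connect with SNI and request a staple. Usage: probe_server example.org 443
probe_server() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status </dev/null 2>/dev/null \
        | staple_state
}

# Inspect a DER-encoded .ocsp file as provisioned next to a cert.pem; shows the
# response status, Cert Status and validity window so an expired or mismatched
# response is visible before it is served.
ocsp_file_summary() {
    openssl ocsp -respin "$1" -noverify -text 2>/dev/null \
        | grep -E 'OCSP Response Status|Cert Status|This Update|Next Update'
}

# Constructed sample transcripts (abridged) in the shape OpenSSL prints them.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jul 18 00:00:00 2023 GMT
    Next Update: Jul 25 00:00:00 2023 GMT
======================================'

SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain'

# Demonstration on the constructed samples (no network access needed).
printf 'sample 1: %s / %s\n' "$(printf '%s\n' "$SAMPLE_STAPLED" | staple_state)" \
                             "$(printf '%s\n' "$SAMPLE_STAPLED" | cert_status)"
printf 'sample 2: %s / %s\n' "$(printf '%s\n' "$SAMPLE_NONE" | staple_state)" \
                             "$(printf '%s\n' "$SAMPLE_NONE" | cert_status)"
```

Against a live front end, `probe_server your.host.example` printing `none` while "show ssl ocsp-response" lists the certificate points at the staple not being attached to the handshake, whereas `stapled` with a `Cert Status` of `revoked`, or an .ocsp file whose `Next Update` is already in the past, explains a client-side "bad certificate" alert without any server-side loading error.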