problem with automatic OCSP update -- getting ipv6 address for ocsp endpoint

Tue, 15 Aug 2023 17:36:45 -0700

I've got another haproxy install on which I am trying to enable automatic OCSP updating. The ones I asked about before are personal, this one is for work.
When haproxy looks up the host where it can get OCSP responses, it is getting an ipv6 address. 


Aug 15 18:27:30 - haproxy[11234] -:- [15/Aug/2023:18:27:30.103] 
<OCSP-UPDATE> /etc/ssl/certs/local/imat_us.wildcards.combined.pem 2 
"HTTP error" 1 0
Aug 15 18:27:30 - haproxy[11234] -:- [15/Aug/2023:18:27:30.104] 
<OCSP-UPDATE> -/- 48/0/-1/-1/46 503 217 - - SC-- 0/0/0/0/3 0/0 
{2600:1405:7400:13::17de:1b94} "GET 
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgRA%2BzJf7gt%2BI21Isq6Sy8pDxg%3D%3D 
HTTP/1.1"



If I try the URL in the second log line with curl, I get the proper 
response.  The curl program is getting an ipv4 address.



I thought it might be doing this because the machine did have an ipv6 
local link address, so I completely disabled ipv6 with the grub 
commandline and rebooted.  Now there is no ipv6 address, but haproxy is 
still getting an ipv6 address for r3.o.lencr.org.



I couldn't locate any config for haproxy that would disable ipv6.  Is 
there a way to fix this problem?


HAProxy version 2.8.2 2023/08/09 - https://haproxy.org/

Status: long-term supported branch - will stop receiving fixes around Q2 
2028.

Known bugs: http://www.haproxy.org/bugs/bugs-2.8.2.html

Running on: Linux 4.18.0-477.21.1.el8_8.x86_64 #1 SMP Thu Aug 10 
13:51:50 EDT 2023 x86_64

Build options :
  TARGET  = linux-glibc
  CPU     = native
  CC      = cc

  CFLAGS  = -O2 -march=native -g -Wall -Wextra -Wundef 
-Wdeclaration-after-statement -Wfatal-errors -Wtype-limits 
-Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond 
-Wnull-dereference -fwrapv -Wno-address-of-packed-member 
-Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered 
-Wno-missing-field-initializers -Wno-cast-function-type 
-Wno-string-plus-int -Wno-atomic-alignment
  OPTIONS = USE_OPENSSL=1 USE_ZLIB=1 USE_SYSTEMD=1 USE_QUIC=1 
USE_PCRE2_JIT=1

  DEBUG   =


Feature list : -51DEGREES +ACCEPT4 +BACKTRACE -CLOSEFROM +CPU_AFFINITY 
+CRYPT_H -DEVICEATLAS +DL -ENGINE +EPOLL -EVPORTS +GETADDRINFO -KQUEUE 
-LIBATOMIC +LIBCRYPT +LINUX_SPLICE +LINUX_TPROXY -LUA -MATH 
-MEMORY_PROFILING +NETFILTER +NS -OBSOLETE_LINKER +OPENSSL 
-OPENSSL_WOLFSSL -OT -PCRE +PCRE2 +PCRE2_JIT -PCRE_JIT +POLL +PRCTL 
-PROCCTL -PROMEX -PTHREAD_EMULATION +QUIC +RT +SHM_OPEN -SLZ +SSL 
-STATIC_PCRE -STATIC_PCRE2 +SYSTEMD +TFO +THREAD +THREAD_DUMP +TPROXY 
-WURFL +ZLIB


Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200


Built with multi-threading support (MAX_TGROUPS=16, MAX_THREADS=256, 
default=4).

Built with OpenSSL version : OpenSSL 3.1.2+quic 1 Aug 2023
Running on OpenSSL version : OpenSSL 3.1.2+quic 1 Aug 2023
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
OpenSSL providers loaded : default
Built with network namespace support.
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11

Compression algorithms supported : identity("identity"), 
deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT 
IPV6_TRANSPARENT IP_FREEBIND

Built with PCRE2 version : 10.32 2018-09-10
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with gcc compiler version 8.5.0 20210514 (Red Hat 8.5.0-18)

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
       quic : mode=HTTP  side=FE     mux=QUIC  flags=HTX|NO_UPG|FRAMED
         h2 : mode=HTTP  side=FE|BE  mux=H2    flags=HTX|HOL_RISK|NO_UPG
       fcgi : mode=HTTP  side=BE     mux=FCGI  flags=HTX|HOL_RISK|NO_UPG
  <default> : mode=HTTP  side=FE|BE  mux=H1    flags=HTX
         h1 : mode=HTTP  side=FE|BE  mux=H1    flags=HTX|NO_UPG
  <default> : mode=TCP   side=FE|BE  mux=PASS  flags=
       none : mode=TCP   side=FE|BE  mux=PASS  flags=NO_UPG

Available services : none

Available filters :
        [BWLIM] bwlim-in
        [BWLIM] bwlim-out
        [CACHE] cache
        [COMP] compression
        [FCGI] fcgi-app
        [SPOE] spoe
        [TRACE] trace
























					Reply via email to