Re: Should we change the -c output?
I like the default message. If you want to suppress it, then you can use -q. Having some standard output that can be suppressed with -q is also fairly standard for UNIX commands.

On Mon, Nov 13, 2023 at 4:07 AM William Lallemand wrote:
>
> On Mon, Nov 13, 2023 at 09:52:57AM +0100, Baptiste wrote:
> > On Thu, Nov 9, 2023 at 5:00 PM William Lallemand wrote:
> >
> > > Hello,
> > >
> > > haproxy -c seems to be too verbose in the systemd logs by
> > > showing "Configuration file is valid" for every reload.
> > >
> > > Is there anyone against removing this message by default?
> > > This will still output the alerts and warnings if some exist but the
> > > "Configuration file is valid" message will only be displayed in
> > > combination with -V.
> > >
> > > People tend to use the return code of the command and not the output,
> > > but I prefer to ask.
> > >
> > > Change will only be applied starting from 2.9. Patch attached.
> > >
> > > --
> > > William Lallemand
> > >
> >
> > Hi William,
> >
> > I used to use this message for 13 years while manually checking confs :)
> > I think it may impact admins / devs who run these manual checks, but not
> > too hard as we all look for "ERROR" or "WARNING" by default.
> > I think it's "ok" to change this. I will just miss it :D
> >
> > Baptiste
>
> That's what I thought too, and I like it since it's a little bit more
> like a UNIX command, which displays nothing when everything is correct.
>
> I pushed the patch, thanks!
>
> --
> William Lallemand
Re: Can't display the certificate: Not found or the certificate is a bundle!
On Mon, Nov 13, 2023 at 10:46:08AM +0100, Christoph Kukulies wrote:
> > On 13.11.2023 at 10:09, William Lallemand wrote:
> >>
> >> acme@mail:~$ echo "show ssl cert /etc/haproxy/certs/mydomain.org.pem" |
> >> socat /var/run/haproxy/admin.sock -
> >> Can't display the certificate: Not found or the certificate is a bundle!
> >>
>
> acme@mail:~/.acme.sh/www.mydomain.org_ecc$ echo "show ssl cert " | socat /var/run/haproxy/admin.sock -
> # filename
> /etc/haproxy/certs/fullchain.pem
> /etc/haproxy/certs/fullchain_ec.pem
>

Well, you can't display /etc/haproxy/certs/mydomain.org.pem because it's not in haproxy.

Can you share the output of your deploy acme.sh command as well as your haproxy configuration?

--
William Lallemand
Re: Can't display the certificate: Not found or the certificate is a bundle!
On 11/13/23 02:09, William Lallemand wrote:
> "show ssl cert" shows the certificate in the haproxy memory, and not on
> the filesystem. Start by doing "show ssl cert" without any argument to
> see the list of certificates which were loaded by haproxy.

That makes complete sense now! I saw an error on the other file because that file was not loaded by haproxy.

I have never looked at the documentation for this so I do not know if that is complete enough ... but there is an opportunity for an improved error message here. Seems like haproxy would be able to detect that the requested file is not loaded into memory and inform the user.

Thanks,
Shawn
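Added example, not part of any message in this thread and not HAProxy code: a client-side check that separates the two cases discussed above, a certificate file that exists on disk but was never loaded by haproxy versus one that is in haproxy's memory. The function names and state labels are hypothetical; the sample listing is the one quoted in the thread, and the socket path in the comment is the one used there.

```shell
#!/bin/sh
# Added example (not from the thread): classify a certificate path by comparing
# the listing printed by "show ssl cert" (no argument) with the filesystem.

# cert_is_loaded LISTING PATH
# Succeeds when PATH appears as a whole line in LISTING.
# Header lines such as "# filename" are skipped; -F -x forces an exact,
# literal, full-line match so "fullchain.pem" never matches "fullchain_ec.pem".
cert_is_loaded() {
    printf '%s\n' "$1" | grep -v '^#' | grep -Fxq -- "$2"
}

# cert_state LISTING PATH
# Prints one of (labels are this example's own):
#   loaded              - haproxy holds this certificate in memory
#   on-disk-not-loaded  - file exists, but haproxy never loaded it
#   missing             - neither in memory nor on the filesystem
cert_state() {
    if cert_is_loaded "$1" "$2"; then
        echo loaded
    elif [ -e "$2" ]; then
        echo on-disk-not-loaded
    else
        echo missing
    fi
}

# Constructed sample input: the listing as quoted in the thread.
SAMPLE_LISTING='# filename
/etc/haproxy/certs/fullchain.pem
/etc/haproxy/certs/fullchain_ec.pem'

# Live use, with the admin socket path from the thread:
#   listing=$(echo "show ssl cert" | socat /var/run/haproxy/admin.sock -)
#   cert_state "$listing" /etc/haproxy/certs/mydomain.org.pem
```

An `on-disk-not-loaded` result points at the haproxy configuration or the deploy step rather than at the certificate file itself.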
Re: Can't display the certificate: Not found or the certificate is a bundle!
> On 13.11.2023 at 10:09, William Lallemand wrote:
>
> On Sat, Nov 11, 2023 at 10:26:33AM +0100, Christoph Kukulies wrote:
>> I'm using haproxy2.8 and I have configured the acme.sh challenge to fetch
>> the certificate, following this wiki here:
>> https://github.com/haproxy/wiki/wiki/Letsencrypt-integration-with-HAProxy-and-acme.sh
>>
>> Once I get to the point to test the certificate, I'm getting:
>>
>> acme@mail:~$ echo "show ssl cert /etc/haproxy/certs/mydomain.org.pem" |
>> socat /var/run/haproxy/admin.sock -
>> Can't display the certificate: Not found or the certificate is a bundle!
>>
>>
>> The file is definitely there and the command works on a different file, when
>> I apply it to the previously used certificate fullchain.pem.
>> The file which is not working, has the following structure:
>
> "show ssl cert" shows the certificate in the haproxy memory, and not on
> the filesystem. Start by doing "show ssl cert" without any argument to
> see the list of certificates which were loaded by haproxy.
>

Thanks, William,

acme@mail:~/.acme.sh/www.mydomain.org_ecc$ echo "show ssl cert " | socat /var/run/haproxy/admin.sock -
# filename
/etc/haproxy/certs/fullchain.pem
/etc/haproxy/certs/fullchain_ec.pem

And, Shawn, you may be right that it is not the ECC type itself causing the "Can't display" message but some other quirk. The funny thing: at the moment I cannot reproduce the issue at all. And the fullchain_ec.pem has "-BEGIN EC PRIVATE KEY-" and the corresponding END EC line in it.

Will keep an eye on it next time.

--
Christoph
Re: Can't display the certificate: Not found or the certificate is a bundle!
On Sat, Nov 11, 2023 at 10:26:33AM +0100, Christoph Kukulies wrote:
> I'm using haproxy2.8 and I have configured the acme.sh challenge to fetch
> the certificate, following this wiki here:
> https://github.com/haproxy/wiki/wiki/Letsencrypt-integration-with-HAProxy-and-acme.sh
>
> Once I get to the point to test the certificate, I'm getting:
>
> acme@mail:~$ echo "show ssl cert /etc/haproxy/certs/mydomain.org.pem" | socat
> /var/run/haproxy/admin.sock -
> Can't display the certificate: Not found or the certificate is a bundle!
>
>
> The file is definitely there and the command works on a different file, when
> I apply it to the previously used certificate fullchain.pem.
> The file which is not working, has the following structure:

"show ssl cert" shows the certificate in the haproxy memory, and not on the filesystem. Start by doing "show ssl cert" without any argument to see the list of certificates which were loaded by haproxy.

--
William Lallemand
Re: Should we change the -c output?
On Mon, Nov 13, 2023 at 09:52:57AM +0100, Baptiste wrote:
> On Thu, Nov 9, 2023 at 5:00 PM William Lallemand wrote:
>
> > Hello,
> >
> > haproxy -c seems to be too verbose in the systemd logs by
> > showing "Configuration file is valid" for every reload.
> >
> > Is there anyone against removing this message by default?
> > This will still output the alerts and warnings if some exist but the
> > "Configuration file is valid" message will only be displayed in
> > combination with -V.
> >
> > People tend to use the return code of the command and not the output,
> > but I prefer to ask.
> >
> > Change will only be applied starting from 2.9. Patch attached.
> >
> > --
> > William Lallemand
> >
>
> Hi William,
>
> I used to use this message for 13 years while manually checking confs :)
> I think it may impact admins / devs who run these manual checks, but not
> too hard as we all look for "ERROR" or "WARNING" by default.
> I think it's "ok" to change this. I will just miss it :D
>
> Baptiste

That's what I thought too, and I like it since it's a little bit more like a UNIX command, which displays nothing when everything is correct.

I pushed the patch, thanks!

--
William Lallemand
Re: Should we change the -c output?
On Thu, Nov 9, 2023 at 5:00 PM William Lallemand wrote:
> Hello,
>
> haproxy -c seems to be too verbose in the systemd logs by
> showing "Configuration file is valid" for every reload.
>
> Is there anyone against removing this message by default?
> This will still output the alerts and warnings if some exist but the
> "Configuration file is valid" message will only be displayed in
> combination with -V.
>
> People tend to use the return code of the command and not the output,
> but I prefer to ask.
>
> Change will only be applied starting from 2.9. Patch attached.
>
> --
> William Lallemand
>

Hi William,

I used to use this message for 13 years while manually checking confs :)
I think it may impact admins / devs who run these manual checks, but not too hard as we all look for "ERROR" or "WARNING" by default.
I think it's "ok" to change this. I will just miss it :D

Baptiste