Hi,

I ran into an issue with haproxy 2.2.6, where I'm not sure if this is working as intended or not. I have a frontend which has an SSL cert configured in a combined PEM file, containing the private, public and intermediate certificate. The bind line looks like this:

    bind 203.0.113.1 ssl crt /certs/host.example.org/combined.pem.rsa ...

If I renew the certificate, it works as also shown in https://www.haproxy.com/blog/dynamic-ssl-certificate-storage-in-haproxy/ via

    echo "set ssl cert ${DIRNAME}/combined.pem.rsa" | socat ...

Everything has worked fine for quite a while ... until now, when the issuing intermediate certificate changed. I would expect that the above-mentioned "set ssl cert combined.pem.rsa" would also update the intermediate certificate - but the *previous* intermediate is still being used by haproxy.

I noticed this actually only because the "set ssl ocsp-response" returned "Certificate ID does not match any certificate or issuer". It took me quite a while to spot that the intermediate was not updated.

So the final question is: is this a bug, or is the intermediate not supposed to be updated along with the combined.pem but differently? A reload or restart of haproxy will activate the new intermediate certificate, of course.

Thanks
Björn
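
Added example, not part of the original message and not HAProxy code: one way to catch the stale intermediate described above is to compare the certificate blocks in the renewed combined PEM with the chain the frontend actually serves, position by position. It assumes the served chain was captured as text with `openssl s_client -connect <host>:443 -showcerts`; the function names and the sample data are constructed for illustration (the payloads are placeholders, not real certificates).

```python
import base64
import hashlib
import re

# Matches certificate blocks only; private-key blocks and the
# surrounding s_client text are skipped.
CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def cert_fingerprints(text):
    """SHA-256 of each certificate's DER bytes, in the order they appear."""
    return [hashlib.sha256(base64.b64decode("".join(b.split()))).hexdigest()
            for b in CERT_RE.findall(text)]

def stale_chain_positions(on_disk, served):
    """Chain positions (0 = leaf, 1 = first intermediate, ...) where the
    served chain differs from the file, including missing or extra certs."""
    disk, live = cert_fingerprints(on_disk), cert_fingerprints(served)
    return [i for i in range(max(len(disk), len(live)))
            if i >= len(disk) or i >= len(live) or disk[i] != live[i]]

def make_pem(payload, kind="CERTIFICATE"):
    """Build a constructed PEM block around placeholder bytes."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {kind}-----\n{body}\n-----END {kind}-----\n"

# Constructed sample: the renewed combined.pem.rsa on disk ...
NEW_FILE = (make_pem(b"private key", "PRIVATE KEY")
            + make_pem(b"renewed leaf")
            + make_pem(b"new intermediate"))

# ... and constructed s_client-style output after the runtime update:
# the leaf was replaced, the previous intermediate is still served.
SERVED = (" 0 s:CN = host.example.org\n" + make_pem(b"renewed leaf")
          + " 1 s:CN = Previous Intermediate (constructed)\n"
          + make_pem(b"previous intermediate"))

if __name__ == "__main__":
    for pos in stale_chain_positions(NEW_FILE, SERVED):
        print(f"chain position {pos}: served certificate differs from file")
```

A non-empty result after a runtime certificate update, with position 0 absent from it, is the situation from the message: new leaf, old intermediate.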

