On Tue, Dec 08, 2020 at 11:48:41AM +0100, William Lallemand wrote:
> On Sat, Dec 05, 2020 at 02:57:03AM +0100, Björn Jacke wrote:
> > Hi,
> >
> > I ran into an issue with haproxy 2.2.6, where I'm not sure if this is
> > working as intended or not. I have a frontend, which has a ssl cert
> > configured in a combined pem file, containing the private, public and
> > intermediate certificate. The bind line looks like this:
> >
> > bind 203.0.113.1 ssl crt /certs/host.example.org/combined.pem.rsa ...
> >
> > If I renew the certificate, it works as also shown in
> >
> > https://www.haproxy.com/blog/dynamic-ssl-certificate-storage-in-haproxy/
> >
> > via
> >
> > echo "set ssl cert ${DIRNAME}/combined.pem.rsa" | socat ...
> >
> > Everything had worked fine for quite a while ...
> >
> > until now the issuing intermediate certificate changed. I would expect
> > that above mentioned "set ssl cert combined.pem.rsa" would also update
> > the intermediate certificate - but the *previous* intermediate is still
> > being used by haproxy. I noticed this actually only because the "set ssl
> > ocsp-response" returned "Certificate ID does not match any certificate
> > or issuer". It took me quite a while to spot that the intermediate was
> > not updated.
> >
> > So the final question is, is this a bug or is the intermediate not
> > supposed to be updated along with the combined.pem but differently? A
> > reload or restart of haproxy will activate the new intermediate
> > certificate of course.
> >
>
> Looks like a bug to me, the intermediate certificate is indeed supposed
> to be updated, I'll look into this.
>
I made some tests and I can't reproduce the issue. Could you check with
the CLI that the intermediate changed with "show ssl cert"?
This is the test I made:
1 Root CA, 2 Intermediates, 2 server certificates, one made with each intermediate.
cat server1.key server1.crt intermediateCA1.crt > server1.fullchain.pem
cat server2.key server2.crt intermediateCA2.crt > server2.fullchain.pem
$ echo "@1 show ssl cert server1.fullchain.pem" | socat - /tmp/master.socket
Filename: server1.fullchain.pem
Status: Used
Serial: 19018ED789D84428F15631EED7777D946E254D3F
notBefore: Dec 8 13:30:47 2020 GMT
notAfter: Sep 4 13:30:47 2023 GMT
Subject Alternative Name:
Algorithm: RSA2048
SHA1 FingerPrint: 74BB48E0F47B89AEE68A8173774B446775CDA0A3
Subject: /C=AU/ST=Some-State/O=Foobar Server1/CN=server1.foobar.local
Issuer: /C=AU/ST=Some-State/O=Foobar Int/CN=int1.foobar.local
Chain Subject: /C=AU/ST=Some-State/O=Foobar Int/CN=int1.foobar.local
Chain Issuer: /C=AU/ST=Some-State/O=Foobar ROOT/CN=root.foobar.local
I then updated the certificate this way:
$ echo -e -n "@1 set ssl cert server1.fullchain.pem <<\n$(cat server2.fullchain.pem)\n\n" | socat - /tmp/master.socket
Transaction created for certificate server1.fullchain.pem!
$ echo "@1 commit ssl cert server1.fullchain.pem" | socat - /tmp/master.socket
Committing server1.fullchain.pem.
Success!
And checked that the certificate is correctly updated:
$ echo "@1 show ssl cert server1.fullchain.pem" | socat - /tmp/master.socket
Filename: server1.fullchain.pem
Status: Used
Serial: 0808AAE72CD605D64FE5FEACA9FC8B3BA33F69E2
notBefore: Dec 8 13:33:26 2020 GMT
notAfter: Sep 4 13:33:26 2023 GMT
Subject Alternative Name:
Algorithm: RSA2048
SHA1 FingerPrint: E60B288CE48BDAEE9A234DCE16DF0A05E4C4E1BE
Subject: /C=AU/ST=Some-State/O=Foobar Server2/CN=server2.foobar.local
Issuer: /C=AU/ST=Some-State/O=Foobar Int2/CN=int2.foobar.local
Chain Subject: /C=AU/ST=Some-State/O=Foobar Int2/CN=int2.foobar.local
Chain Issuer: /C=AU/ST=Some-State/O=Foobar ROOT/CN=root.foobar.local
You can see at the end of the output that the certificate and the chain were
updated.
You can also check the chain returned by haproxy with `openssl s_client -showcerts -connect localhost:8443 -servername server2.foobar.local`
Regards,
--
William Lallemand
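Added example, not code from the thread or from the haproxy project: a small POSIX shell script that performs the rotation William describes (a `set ssl cert <name> <<` with the PEM as payload, followed by `commit ssl cert`) and then checks the `show ssl cert` output for the symptom Björn hit. The check is that the leaf's `Issuer` line equals the `Chain Subject` line haproxy reports; if a renewed leaf was committed but the previous intermediate is still being served, the two differ. The socket path /var/run/haproxy/admin.sock, the HAPROXY_SOCK override, the script name rotate.sh and the "stale" sample output are assumptions of this example (the "ok" sample is the second listing from the mail above); the `@1` prefix in the mail is only needed when talking to the master socket rather than a worker's stats socket.

```shell
#!/bin/sh
# Added example for the haproxy runtime-API certificate rotation discussed
# above. Not code from the thread or from the haproxy project.
# Assumptions: socat is installed and the stats socket lives at
# /var/run/haproxy/admin.sock unless HAPROXY_SOCK says otherwise (the "@1"
# prefix from the mail is only for the master socket, not a stats socket).

SOCK="${HAPROXY_SOCK:-/var/run/haproxy/admin.sock}"

# Send one runtime-API command and print haproxy's reply.
hap_cli() {
    printf '%s\n' "$1" | socat - "UNIX-CONNECT:$SOCK"
}

# Upload a combined PEM with the "<<" payload syntax (the payload ends with
# an empty line), then commit the transaction.
# $1 = certificate name as haproxy knows it, $2 = path of the new PEM.
hap_set_cert() {
    printf 'set ssl cert %s <<\n%s\n\n' "$1" "$(cat "$2")" \
        | socat - "UNIX-CONNECT:$SOCK"
    hap_cli "commit ssl cert $1"
}

# Print the value of the first "<field>: value" line of "show ssl cert"
# output read from stdin. The ^ anchor keeps "Issuer" from matching
# "Chain Issuer".
show_field() {
    sed -n "s/^$1: *//p" | head -n 1
}

# Consistency check on "show ssl cert <name>" output read from stdin.
# The leaf's Issuer must be the first Chain Subject; when a renewed leaf is
# committed but the old intermediate is still served, the two differ.
# Returns 0 when consistent, 1 on a mismatch, 2 when no chain is reported.
chain_consistent() {
    out=$(cat)
    issuer=$(printf '%s\n' "$out" | show_field Issuer)
    chain_subject=$(printf '%s\n' "$out" | show_field 'Chain Subject')
    [ -n "$chain_subject" ] || return 2
    [ "$issuer" = "$chain_subject" ]
}

# Rotate, then refuse to report success unless the served chain matches
# the new leaf.
rotate_and_verify() {
    hap_set_cert "$1" "$2" >/dev/null
    hap_cli "show ssl cert $1" | chain_consistent
}

# Sample "show ssl cert" outputs. SAMPLE_OK is the second listing from the
# mail; SAMPLE_STALE is constructed: renewed leaf, previous intermediate.
SAMPLE_OK='Filename: server1.fullchain.pem
Status: Used
Serial: 0808AAE72CD605D64FE5FEACA9FC8B3BA33F69E2
Subject: /C=AU/ST=Some-State/O=Foobar Server2/CN=server2.foobar.local
Issuer: /C=AU/ST=Some-State/O=Foobar Int2/CN=int2.foobar.local
Chain Subject: /C=AU/ST=Some-State/O=Foobar Int2/CN=int2.foobar.local
Chain Issuer: /C=AU/ST=Some-State/O=Foobar ROOT/CN=root.foobar.local'

SAMPLE_STALE='Filename: combined.pem.rsa
Status: Used
Serial: 0808AAE72CD605D64FE5FEACA9FC8B3BA33F69E2
Subject: /C=AU/ST=Some-State/O=Foobar Server2/CN=server2.foobar.local
Issuer: /C=AU/ST=Some-State/O=Foobar Int2/CN=int2.foobar.local
Chain Subject: /C=AU/ST=Some-State/O=Foobar Int/CN=int1.foobar.local
Chain Issuer: /C=AU/ST=Some-State/O=Foobar ROOT/CN=root.foobar.local'

# Usage: sh rotate.sh rotate <cert name in haproxy> <path to new combined PEM>
case "${1:-}" in
    rotate) rotate_and_verify "$2" "$3" ;;
esac
```

`chain_consistent` only reads what haproxy reports about itself, so it catches the case where the commit silently kept the old chain. It does not replace a check from the outside: after a successful rotation, still run the `openssl s_client -showcerts` command from the mail and confirm the second certificate printed is the new intermediate, since that is what clients and the OCSP responder actually see.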