On Tue, Dec 08, 2020 at 06:42:13PM +0100, Björn Jacke wrote:
> Hi William,
>
> On 08.12.20 15:13, William Lallemand wrote:
> > I then updated the certificate this way:
> >
> > $ echo -e -n "@1 set ssl cert server1.fullchain.pem <<\n$(cat server2.fullchain.pem)\n\n" | socat - /tmp/master.socket
> > Transaction created for certificate server1.fullchain.pem!
> >
> > $ echo "@1 commit ssl cert server1.fullchain.pem" | socat - /tmp/master.socket
> > Committing server1.fullchain.pem.
> > Success!
> >
> > And checked that the certificate is correctly updated:
>
> true, what fails though is the dynamic ocsp-response update after that,
> sorry for the imprecise problem description before. This happens after a
> dynamic cert update that *includes* an intermediate cert update if you
> then also try to make a dynamic ocsp-response update:
>
> # echo "set ssl ocsp-response $(base64 -w 10000 ${DIRNAME}/ocsp.der)" | socat ...
>
> OCSP single response: Certificate ID does not match any certificate or
> issuer.
>
Hello,
Okay, thanks for confirming.
Could you try this method?
$ echo -e -n "@1 set ssl cert server1.fullchain.pem <<\n$(cat server2.fullchain.pem)\n\n" | socat - /tmp/master.socket
$ echo -e "@1 set ssl cert server1.fullchain.pem.ocsp <<\n$(base64 -w 10000 server2.fullchain.ocsp)\n" | socat - /tmp/master.socket
$ echo "@1 commit ssl cert server1.fullchain.pem" | socat - /tmp/master.socket
It should activate the OCSP with the new SSL context.
--
William Lallemand
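The three-step method from the reply above (stage the new chain, stage its OCSP response under "<name>.ocsp" in the same transaction, then one commit), wrapped into a script as an added example. This is not code from the thread or from HAProxy. It assumes the master CLI socket is at /tmp/master.socket (override with MASTER_SOCKET), that the target worker is "@1", that the inputs are a PEM chain and a DER OCSP response, and that a successful "set ssl cert" answers with a "Transaction created/updated ..." line; if either set step answers anything else, it rolls the half-staged transaction back with HAProxy's "abort ssl cert" command rather than committing. The base64 -w flag is GNU-specific, as in the thread.

```bash
#!/bin/sh
# Added example, not code from the thread or from HAProxy itself.
# Assumptions (not stated on the page): master CLI socket path in
# MASTER_SOCKET, worker "@1", a PEM chain and a DER OCSP response as inputs.
MASTER_SOCKET=${MASTER_SOCKET:-/tmp/master.socket}

# "set ssl cert <name> <<" takes a multi-line payload terminated by an
# empty line, so the PEM is followed by two newlines. $(cat ...) strips the
# file's own trailing newline, which is why printf adds them back explicitly.
build_set_cert_payload() {
    printf '@1 set ssl cert %s <<\n%s\n\n' "$1" "$(cat "$2")"
}

# The OCSP response is staged under "<name>.ocsp" in the same transaction.
# The DER file is base64-encoded onto a single line (GNU base64 -w, as in
# the thread; 10000 is wide enough for a typical single response).
build_set_ocsp_payload() {
    printf '@1 set ssl cert %s.ocsp <<\n%s\n\n' "$1" "$(base64 -w 10000 "$2")"
}

# "commit" swaps the new SSL context in; the staged OCSP goes with it.
build_commit_payload() {
    printf '@1 commit ssl cert %s\n' "$1"
}

# Rolls back a transaction that was staged but must not be committed.
build_abort_payload() {
    printf '@1 abort ssl cert %s\n' "$1"
}

# One CLI connection per command; stdin is the payload, stdout the reply.
cli_send() {
    socat - "$MASTER_SOCKET"
}

# The full procedure: cert, then its OCSP response, then a single commit.
# Prints the CLI replies; returns non-zero (after aborting the transaction)
# if a set step does not answer "Transaction ...", or if the commit does
# not report "Success!".
update_cert_with_ocsp() {
    name=$1
    pem=$2
    der=$3
    for step in cert ocsp; do
        if [ "$step" = cert ]; then
            reply=$(build_set_cert_payload "$name" "$pem" | cli_send)
        else
            reply=$(build_set_ocsp_payload "$name" "$der" | cli_send)
        fi
        printf '%s\n' "$reply"
        case $reply in
            *Transaction*) ;;
            *) build_abort_payload "$name" | cli_send; return 1 ;;
        esac
    done
    reply=$(build_commit_payload "$name" | cli_send)
    printf '%s\n' "$reply"
    case $reply in
        *Success!*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh update-cert.sh server1.fullchain.pem server2.fullchain.pem server2.fullchain.ocsp
if [ $# -eq 3 ]; then
    update_cert_with_ocsp "$1" "$2" "$3"
fi
```

The order matters: the OCSP response must be staged against the new chain (so its issuer is found in the new SSL context) and both must land in one commit; staging the OCSP before the chain, or after the commit against the old context, reproduces the "Certificate ID does not match any certificate or issuer" situation from the thread.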