On Thu, Dec 10, 2020 at 03:24:39PM +0100, Björn Jacke wrote:
> Hi William,
>
> On 09.12.20 09:27, William Lallemand wrote:
> > $ echo -e -n "@1 set ssl cert server1.fullchain.pem <<\n$(cat server2.fullchain.pem)\n\n" | socat - /tmp/master.socket
> > $ echo -e "@1 set ssl cert server1.fullchain.pem.ocsp <<\n$(base64 -w 10000 server2.fullchain.ocsp)\n" | socat - /tmp/master.socket
> > $ echo "@1 commit ssl cert server1.fullchain.pem" | socat - /tmp/master.socket
> >
> > It should activate the OCSP with the new SSL context.
>
> Thanks, yes, using "set ssl cert fullchain.pem.ocsp" instead of "set ssl
> ocsp-response ..." makes it succeed.
>
> As far as I can see, the "set ssl cert fullchain.pem.ocsp" method is
> *generally* suitable to update OCSP responses and can be used as a drop-in
> replacement for the "set ssl ocsp-response" method, which is not
> working correctly in the case where the intermediate cert changed?
>
The "set ssl cert" method generates the new SSL context the same way it is done with a reload. So it's a little bit heavier than just updating the OCSP response. If you commit the certificate without the .ocsp, it's like you reloaded haproxy with the previous .ocsp file.

-- 
William Lallemand
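The three master-CLI steps quoted above, wrapped into shell functions as an added example (this is not code from the thread, from HAProxy, or from either poster). It stages the new chain and its OCSP response in the same "set ssl cert" transaction and only then commits, so the new SSL context does not come up carrying the previous .ocsp file. Assumptions that are mine, not the thread's: worker prefix "@1", master socket at /tmp/master.socket, the certificate loaded under the name server1.fullchain.pem, the OCSP response stored as a DER file, socat available for the real run, and "Success!" being the reply HAProxy's "commit ssl cert" gives on success (check it against your version). The rollback with "abort ssl cert" on a failed staging step goes beyond what the thread shows.

```shell
#!/bin/sh
# Added example: atomic chain + OCSP update over the HAProxy master CLI.
# Not from the thread or from HAProxy itself. Names below are assumptions:
# worker "@1", socket /tmp/master.socket, cert name server1.fullchain.pem.

# "set ssl cert <name> <<" takes a payload that ends with an empty line,
# hence the two trailing newlines.
set_cert_payload() {
    # $1 = worker prefix, $2 = name the cert was loaded under, $3 = new PEM chain
    printf '%s set ssl cert %s <<\n%s\n\n' "$1" "$2" "$(cat "$3")"
}

# The OCSP response is staged under "<name>.ocsp" as base64 on a single line
# (portable equivalent of the "base64 -w 10000" in the thread).
set_ocsp_payload() {
    # $1 = worker prefix, $2 = cert name, $3 = DER-encoded OCSP response
    printf '%s set ssl cert %s.ocsp <<\n%s\n\n' "$1" "$2" "$(base64 < "$3" | tr -d '\n')"
}

commit_payload() { printf '%s commit ssl cert %s\n' "$1" "$2"; }
abort_payload()  { printf '%s abort ssl cert %s\n'  "$1" "$2"; }

# Stage chain and OCSP in one transaction, then commit. Each payload goes over
# its own CLI connection, as in the thread. $sender is the command that talks
# to the socket ("socat - /tmp/master.socket" in production; a stub in tests).
update_cert_and_ocsp() {
    sender=$1 worker=$2 name=$3 chain=$4 ocsp=$5
    # Step 1: stage the new chain; this opens the transaction on <name>.
    # HAProxy's reply goes to stderr so the operator can read it.
    set_cert_payload "$worker" "$name" "$chain" | $sender >&2 || return 1
    # Step 2: stage the OCSP response in the same transaction. Without this,
    # the commit would activate the new context with the old .ocsp file.
    if ! set_ocsp_payload "$worker" "$name" "$ocsp" | $sender >&2; then
        abort_payload "$worker" "$name" | $sender >&2   # roll the transaction back
        return 1
    fi
    # Step 3: commit both. HAProxy answers "Success!" once the new context is live.
    resp=$(commit_payload "$worker" "$name" | $sender)
    printf '%s\n' "$resp"
    case $resp in *Success!*) return 0 ;; *) return 1 ;; esac
}

# Example invocation (not executed here):
# update_cert_and_ocsp "socat - /tmp/master.socket" @1 server1.fullchain.pem \
#     server2.fullchain.pem server2.fullchain.ocsp
```

The commit reply is the only one the function treats as authoritative, because socat exits 0 whether or not HAProxy accepted the payload; the staging replies are passed through on stderr for the operator to read.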

