Hi William,

On 11.12.20 12:29, William Lallemand wrote:
> If we want the "set ssl ocsp-response" command to work in this particular case,
> I think we need to change the key, but the problem is that the OCSP response
> only contains an OCSP_CERTID for helping us find where we should apply the
> certificate, and the serialNumber alone is not enough to index the response.
Thanks to your description I understand the technical background, but I think it's a usability issue for people running HAProxy. If people follow the setup for hitless certificate updates as described at https://www.haproxy.com/blog/dynamic-ssl-certificate-storage-in-haproxy/, it will not be clear how to set this up correctly if you also use OCSP stapling. Finding the underlying problem is not quite easy. Most people who run HAProxy with dynamic updates and OCSP stapling enabled will probably run into the same problem. Now that Let's Encrypt is about to issue certs with a different intermediate cert (and will soon change the intermediate for ECDSA certs again), this problem might pop up for more people.

Björn

