On Fri, Dec 11, 2020 at 02:53:13PM +0100, Björn Jacke wrote:
> Hi William,
>
> On 11.12.20 12:29, William Lallemand wrote:
> > If we want the "set ssl ocsp-response" command to work in this particular
> > case, I think we need to change the key, but the problem is that the OCSP
> > response only contains an OCSP_CERTID for helping us finding where we
> > should apply the certificate, and the serialNumber alone is not enough to
> > index the response.
>
> Thanks to your description I understand the technical background, but I
> think it's a usability issue for people running haproxy. If people
> follow setting up hitless certificate updates as described at
> https://www.haproxy.com/blog/dynamic-ssl-certificate-storage-in-haproxy/
> then it will not be clear how to set this up correctly if you use OCSP
> stapling also. Finding the underlying problem is not quite easy. Most
> people who run haproxy with dynamic updates and OCSP stapling enabled
> will probably run into the same problem. Now that letsencrypt is
> about to issue certs with a different intermediate cert (and soon will
> change again the intermediate for ECDSA certs), this problem might pop
> up for more people.
>

In my opinion the problem is that there is no warning during the "set ssl cert" and that it allowed you to commit silently. In this particular case we should have a warning which states that the OCSP response must be updated before the commit.

-- 
William Lallemand

