Hi,

On 2023-07-14 01:56, Shawn Heisey wrote:
On 7/13/23 09:01, Sander Klein wrote:
I tried upgrading from 2.6.14 to 2.8.1, but after the upgrade I couldn't connect to any of the sites behind it.

While looking at the error it seems like OCSP is not working anymore. Right now I have a setup in which I provision the certificates with the corresponding ocsp file next to it. Is this not supported anymore?

Does your certificate have "must-staple" configured?  That is the only
way I can imagine an OCSP problem would keep websites from working.  I
do ocsp stapling with haproxy, but I don't use "must-staple".  I do
not believe that ocsp stapling is supported widely enough yet to
declare that it MUST happen.

Yes, I do have must-staple enabled, but I also update regularly and restart HAProxy. The thing is, with HAProxy 2.8.1 it doesn't work at all anymore. Not even with fresh ocsp files and a fresh restart.

I uploaded a script to github.  This is the script I used before
haproxy gained the ability to do its own OCSP updates.  The script
updates the .ocsp file(s) and informs haproxy about the new
response(s) so haproxy does not need to be restarted:

https://github.com/elyograg/haproxy-ocsp-elyograg

The script relies on mktemp, openssl, socat, and base64.

I can have a look at this, but I think I have about the same setup right now.


Sander
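
Shawn's outline (refresh the .ocsp file, then tell the running haproxy about the new response) is the whole procedure; the script below is that procedure worked out as an added example. It is not Shawn's script from the GitHub repository and not HAProxy's own code. It uses the tools he lists (mktemp, openssl, socat, base64) plus awk, sed and GNU date, and it assumes: the .pem is the bundle HAProxy loads (leaf, then chain, then key), the stats socket lives at /var/run/haproxy.sock, the system CA bundle is at /etc/ssl/certs/ca-certificates.crt, and the runtime API command is `set ssl ocsp-response`. It also checks for must-staple first, since that is the one thing Shawn points at as capable of taking the sites down.

```shell
#!/bin/sh
# Added example, not Shawn's github script and not HAProxy code: refresh the
# OCSP response for one HAProxy certificate, store it as the <crt>.ocsp file
# HAProxy loads beside the .pem, and hand it to the running process over the
# stats socket so no restart is needed. Assumed: bundle layout (leaf, chain,
# key), the socket and CA bundle paths below, GNU date and GNU base64.
set -eu

CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"   # assumed path
SOCK="${HAPROXY_SOCK:-/var/run/haproxy.sock}"                  # assumed path
MARGIN="${REFRESH_MARGIN:-86400}"   # refresh when under a day of validity is left

# nth_cert FILE N: print the Nth certificate block of a PEM bundle
# (1 = leaf, 2 = its issuer). Pure awk, so it needs no openssl.
nth_cert() {
  awk -v n="$2" '/BEGIN CERTIFICATE/{c++} c==n{print} /END CERTIFICATE/{if (c==n) exit}' "$1"
}

# has_must_staple BUNDLE: exit 0 if the leaf carries the TLS Feature extension
# (status_request, OID 1.3.6.1.5.5.7.1.24). With it set, a missing or expired
# staple makes strict clients abort the handshake instead of asking the
# responder themselves, so a stapling problem looks like "cannot connect".
has_must_staple() {
  nth_cert "$1" 1 | openssl x509 -noout -text \
    | grep -Eq 'TLS Feature|1\.3\.6\.1\.5\.5\.7\.1\.24'
}

# refresh_due NOW NEXT_UPDATE MARGIN (epoch seconds): exit 0 when fewer than
# MARGIN seconds of the installed response's validity remain.
refresh_due() {
  [ $(( $2 - $1 )) -lt "$3" ]
}

# next_update_epoch OCSPFILE: nextUpdate of the installed response as epoch
# seconds; 0 when the file is missing or unreadable, so a first run refreshes.
next_update_epoch() {
  [ -f "$1" ] || { echo 0; return; }
  ts="$(openssl ocsp -respin "$1" -noverify -text 2>/dev/null \
        | sed -n 's/^ *Next Update: //p' | head -n 1)"
  [ -n "$ts" ] || { echo 0; return; }
  date -u -d "$ts" +%s
}

# fetch_ocsp BUNDLE OUT: query the responder named in the leaf, verify the
# response (intermediates from -verify_other, trust anchors from -CAfile),
# require status "good", and only then move it into place. openssl writes
# -respout before it verifies, which is why a temp file is used.
fetch_ocsp() {
  work="$(mktemp -d)"
  trap 'rm -rf "$work"' EXIT
  nth_cert "$1" 1 > "$work/leaf.pem"
  nth_cert "$1" 2 > "$work/issuer.pem"
  uri="$(openssl x509 -in "$work/leaf.pem" -noout -ocsp_uri)"
  # -no_nonce: CAs serve pre-signed responses and do not honour nonces.
  if ! status="$(openssl ocsp -issuer "$work/issuer.pem" -cert "$work/leaf.pem" \
        -url "$uri" -no_nonce -verify_other "$work/issuer.pem" \
        -CAfile "$CA_BUNDLE" -respout "$work/resp.der" 2>/dev/null)"; then
    echo "OCSP fetch or verification failed for $1" >&2; return 1
  fi
  echo "$status" | grep -q ': good$' \
    || { echo "OCSP status is not good for $1: $status" >&2; return 1; }
  mv "$work/resp.der" "$2"
}

# build_set_cmd BASE64: the runtime API line, response as single-line base64
# of the DER. HAProxy matches it to the loaded certificate by certificate ID.
build_set_cmd() {
  printf 'set ssl ocsp-response %s\n' "$1"
}

# push_to_haproxy OCSPFILE SOCKET: install the response without a restart.
push_to_haproxy() {
  build_set_cmd "$(base64 -w0 "$1")" | socat stdio "$2"
}

main() {
  bundle="$1"; ocsp="$bundle.ocsp"
  has_must_staple "$bundle" \
    && echo "$bundle: must-staple set, a stale staple breaks strict clients" >&2
  if refresh_due "$(date +%s)" "$(next_update_epoch "$ocsp")" "$MARGIN"; then
    fetch_ocsp "$bundle" "$ocsp"
    push_to_haproxy "$ocsp" "$SOCK"
    echo "$bundle: new OCSP response written and pushed to HAProxy" >&2
  else
    echo "$bundle: installed response still valid, nothing to do" >&2
  fi
}

# Usage (assumed path): ./ocsp-refresh.sh /etc/haproxy/certs/example.com.pem
if [ $# -gt 0 ]; then main "$1"; fi
```

Run it from cron or a systemd timer per certificate; the exit status of `openssl ocsp` already covers "response status successful" and signature verification, and the "good" check on stdout stops a revoked or unknown response from being written beside the certificate and pushed to the proxy. The .ocsp file on disk is what a restarted HAProxy picks up, the socket push is what keeps the running one current, so both are done on every refresh.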
