Hi Moemen,
Post by Igor Cicimov
Hi,
# haproxy -v
HA-Proxy version 1.8.14-1ppa1~xenial 2018/09/23
# ls -1 /etc/haproxy/ssl.d/*.ocsp
/etc/haproxy/ssl.d/star_domain2_com.crt.ocsp
/etc/haproxy/ssl.d/star_domain_com.crt.ocsp
/etc/haproxy/ssl.d/star_domain3_com.crt.ocsp
/etc/haproxy/ssl.d/star_domain4_com.crt.ocsp
I get OCSP response from haproxy only for one of the domains
$ echo | openssl s_client -connect domain[234].com:443 -tlsextdebug -status -servername domain[234].com
Is this expected?
Any comments/ideas regarding this? I further noticed that the OCSP code probably does not check the certificate's SANs and matches only on the CN in the subject, since calls to whatever.domain.tld get stapled but calls to domain.tld do not.
Hi Igor,
Testing OCSP on multiple certificates with different domains (based on the CN) works correctly for me. (a.domain.com, b.domain.com, c.domain.com)
Are you using multiple certs with the same CN but different SANs?
The certificates belong to completely separate domains, so not
subdomains of the same domain like in your case. They are also
wildcard certs so here is the layout:
# ls -1 /etc/haproxy/ssl.d/
star_domain1_com.crt
star_domain1_com.crt.ocsp
star_domain2_com.crt
star_domain2_com.crt.ocsp
star_domain3_com.crt
star_domain3_com.crt.ocsp
# for i in `ls -1 /etc/haproxy/ssl.d/*.crt`; do openssl x509 -noout -subject -in $i; done
subject= /C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain1.com
subject= /C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain2.com
subject= /C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain3.com
The SAN only contains the certificate's domain and nothing else, for
example for domain3.com:
X509v3 Subject Alternative Name:
DNS:*.domain3.com, DNS:domain3.com
The haproxy bind line in the frontend looks like:
bind *:443 ssl crt /etc/haproxy/ssl.d/ ...
And here is the output of the daily cronjob that updates the OCSP for haproxy:
Date: Mon, 26 Nov 2018 05:00:01 +0000 (GMT)
/etc/haproxy/ssl.d/star_domain1_com.crt: good
This Update: Nov 25 17:39:11 2018 GMT
Next Update: Dec 2 16:54:11 2018 GMT
OCSP Response updated!
/etc/haproxy/ssl.d/star_domain2_com.crt: good
This Update: Nov 24 20:49:57 2018 GMT
Next Update: Dec 1 20:04:57 2018 GMT
OCSP Response updated!
/etc/haproxy/ssl.d/star_domain3_com.crt: good
This Update: Nov 25 14:09:00 2018 GMT
Next Update: Dec 2 13:24:00 2018 GMT
OCSP Response updated!
I can confirm this is working as intended on other servers I have with
1.7.11 and 1.8.14, so it must be something specific to this one that I
struggle to understand (to be even more confusing, it is all being
set up by Ansible in the same way as everywhere else).
Under what circumstances would a setup like this not work in terms of
OCSP? Example:
$ echo | openssl s_client -connect server:443 -tlsextdebug -status -servername domain1.com | grep -E 'OCSP|domain1'
depth=0 C = AU, ST = New South Wales, L = Sydney, O = My Company, CN = *.domain1.com
verify return:1
DONE
OCSP response: no response sent
0 s:/C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain1.com
subject=/C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain1.com
Thanks for your input by the way, very much appreciated.
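Added example, not from this thread: a small POSIX shell script that repeats the s_client probe shown above for every name each certificate should staple for (a wildcard-covered host and the bare apex, the name that was observed not stapling), so a missing staple on one SNI name stands out next to the per-file cron output. The frontend host (HAPROXY_HOST) and the domain list are placeholders, and the two s_client output fragments are constructed so the parser can be tested offline.

```shell
#!/bin/sh
# Added example, not from the thread: per-SNI OCSP stapling check against a
# haproxy frontend. HAPROXY_HOST and the domain list are placeholders.

# Constructed fragments of 'openssl s_client -status' output, so the parser
# can be exercised without a network connection.
SAMPLE_STAPLED='OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good'
SAMPLE_NONE='OCSP response: no response sent'
# ocsp_result: reads s_client output on stdin and prints one word:
# stapled (a response came back), none (nothing was sent), unknown.
ocsp_result() {
    out=$(cat)
    case "$out" in
        *"OCSP Response Status: successful"*) echo stapled ;;
        *"no response sent"*) echo none ;;
        *) echo unknown ;;
    esac
}
# check_sni HOST PORT SNI: one handshake with that SNI name, asking for a
# stapled response, the same probe used in the thread.
check_sni() {
    echo | openssl s_client -connect "$1:$2" -servername "$3" -status 2>/dev/null |
        ocsp_result
}

# sni_names DOMAIN: names a '*.DOMAIN' cert with 'DNS:DOMAIN' in its SAN must
# staple for: a wildcard-covered host and the bare apex.
sni_names() { printf '%s\n' "www.$1" "$1"; }
# check_domains HOST DOMAIN...: prints "domain sni result" per name and
# returns 1 if any name came back without a staple.
check_domains() {
    host=$1; shift; rc=0
    for d in "$@"; do
        for n in $(sni_names "$d"); do
            r=$(check_sni "$host" 443 "$n")
            printf '%s %s %s\n' "$d" "$n" "$r"
            [ "$r" = stapled ] || rc=1
        done
    done
    return $rc
}

# Live run only when a host is given, e.g.
#   HAPROXY_HOST=server sh check_ocsp.sh domain1.com domain2.com domain3.com
if [ -n "${HAPROXY_HOST:-}" ] && [ $# -gt 0 ]; then
    check_domains "$HAPROXY_HOST" "$@"
fi
```

Keep in mind that haproxy reads the .ocsp file next to a certificate when the certificate is loaded, so a cron job that only rewrites the file has no effect until haproxy is reloaded or the new response is pushed over the stats socket with `set ssl ocsp-response`; a probe that still reports "none" after the cron run is worth checking against that.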