HAProxy community

Does the runtime api support adding new ssl certs?

Howdy - We’ve been anxiously awaiting the set ssl cert and commit ssl cert features under newer haproxy releases. During initial testing today we were getting an error:

self.runtime_api.command(f"set ssl cert {domain_name}.pem <<\n{pem}")
[('1', ["Can't replace a certificate which is not referenced by the configuration!", "Can't update example_com.pem!"])]

I feel pretty dumb if I mis-read the intent of the ssl cert features, but can we only update pre-existing certs and not add new ones without a full reload/restart?

I’m afraid you can only update existing certificates/bundles, yes. I don’t know the exact reason for this, but I’d assume the complexity of adding and removing certificates at run-time is just too high.

Thanks for the response @lukastribus. That’s unfortunate, and hopefully changes at some point. Regardless it’s pretty hard to complain given all the things haproxy can do. =)

This functionality has been added to the development version 2.2:



Wow - that’s wonderful news, and I greatly appreciate the followup. Thanks @lukastribus (and the rest of the team)!
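
Added example, not part of the thread or of HAProxy's own code: a sketch of the `set ssl cert` / `commit ssl cert` update discussed above, which checks the certificate name before interpolating it into a runtime API command and recognises the "not referenced by the configuration" refusal quoted in the question. The function names, the name pattern and the socket path argument are assumptions made for illustration.

```python
import re
import socket

# Assumption: certificate names are plain file names such as "example_com.pem".
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+\.pem")
NOT_REFERENCED = "not referenced by the configuration"  # error text quoted in the thread
# Constructed sample input, not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMIIB\n\n-----END CERTIFICATE-----\n"


def build_update_commands(cert_name: str, pem: str) -> list[str]:
    """Return the 'set ssl cert' / 'commit ssl cert' pair for one certificate."""
    # The runtime API splits input on ';' and newlines, so a name built from
    # external data must not be able to carry a second command.
    if not SAFE_NAME.fullmatch(cert_name):
        raise ValueError(f"unsafe certificate name: {cert_name!r}")
    # A '<<' payload ends at the first empty line, so blank lines inside the
    # PEM would cut it short; drop them before sending.
    lines = [ln.strip() for ln in pem.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("payload does not look like PEM")
    payload = "\n".join(lines)
    return [
        f"set ssl cert {cert_name} <<\n{payload}\n\n",
        f"commit ssl cert {cert_name}\n",
    ]


def is_unreferenced_cert_error(response: str) -> bool:
    """True when HAProxy refused because the running config does not use the cert."""
    return NOT_REFERENCED in response


def send(sock_path: str, command: str) -> str:
    """Send one command to the stats socket at sock_path and return the reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(command.encode())
        chunks = []
        while data := s.recv(4096):  # HAProxy closes the connection after replying
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")
```

Each string returned by `build_update_commands` is sent on its own connection with `send`, and the reply to the first is checked with `is_unreferenced_cert_error` before committing.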