Does the runtime api support adding new ssl certs?

Howdy - We’ve been anxiously awaiting the set ssl cert and commit ssl cert features under newer haproxy releases. During initial testing today we were getting an error:

self.runtime_api.command(f"set ssl cert {domain_name}.pem <<\n{pem}")
[('1', ["Can't replace a certificate which is not referenced by the configuration!", "Can't update example_com.pem!"])]

I feel pretty dumb if I mis-read the intent of the ssl cert features, but can we only update pre-existing certs and not add new ones without a full reload/restart?

I’m afraid you can only update existing certificates/bundles, yes. I don’t know the exact reason for this, but I’d assume the complexity of adding and removing certificates at run-time is just too high.

Thanks for the response @lukastribus. That’s unfortunate, and hopefully changes at some point. Regardless, it’s pretty hard to complain given all the things haproxy can do. =)

This functionality has been added to the development version 2.2:

https://www.mail-archive.com/haproxy@formilux.org/msg36927.html

http://git.haproxy.org/?p=haproxy.git;a=commitdiff;h=accac23afff43fb04d2c33b5725ba9ade6f3b319
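As an added illustration of the behaviour discussed in this thread (my own example code, not from the poster or from HAProxy), the helper below drives the runtime API's certificate transaction: it sends `set ssl cert`, recognises the "not referenced by the configuration" error quoted above, and only if told the server is 2.2 or newer creates the store first with `new ssl cert` before committing. The stats socket path, the `known` set in the fake transport, and the use of "Can't" as a generic error marker are assumptions.

```python
import socket

# Substring of the error message seen in the thread when the cert is not in the config.
NOT_REFERENCED = "not referenced by the configuration"


def runtime_send(sock_path: str):
    """Return send(cmd) -> str over a HAProxy stats socket (path is an assumption)."""
    def send(cmd: str) -> str:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.connect(sock_path)
            s.sendall(cmd.encode() + b"\n")
            chunks = []
            while (data := s.recv(4096)):
                chunks.append(data)
        return b"".join(chunks).decode()
    return send


def payload(cmd: str, pem: str) -> str:
    """Runtime API multi-line payload: '<<', the lines, then an empty line as terminator."""
    return f"{cmd} <<\n{pem.rstrip()}\n\n"


def rotate_cert(send, name: str, pem: str, can_add: bool = False) -> list:
    """Replace (or, with can_add on 2.2+, add) a cert transactionally; return commands issued."""
    issued = []

    def do(cmd: str) -> str:
        issued.append(cmd.split(" <<")[0])  # record the command without its payload
        return send(cmd)

    reply = do(payload(f"set ssl cert {name}", pem))
    if NOT_REFERENCED in reply:
        if not can_add:
            raise RuntimeError(f"{name}: not in config; adding at run-time needs HAProxy >= 2.2")
        do(f"new ssl cert {name}")  # 2.2+: create an empty store, then fill and commit it
        reply = do(payload(f"set ssl cert {name}", pem))
    if "Can't" in reply:  # assumption: HAProxy error replies start with "Can't"
        raise RuntimeError(reply.strip())
    reply = do(f"commit ssl cert {name}")
    if "Can't" in reply:
        raise RuntimeError(reply.strip())
    return issued


if __name__ == "__main__":
    # Constructed usage; the socket path and PEM content are placeholders.
    pem_text = "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
    print(rotate_cert(runtime_send("/var/run/haproxy.sock"), "example_com.pem", pem_text, can_add=True))
```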

Wow - that’s wonderful news, and I greatly appreciate the follow-up. Thanks @lukastribus (and the rest of the team)!