HAProxy community

Does the runtime api support adding new ssl certs?

Howdy - We’ve been anxiously awaiting the set ssl cert and commit ssl cert features under newer haproxy releases. During initial testing today we were getting an error:

self.runtime_api.command(f"set ssl cert {domain_name}.pem <<\n{pem}")
[(‘1’, [“Can’t replace a certificate which is not referenced by the configuration!”, “Can’t update example_com.pem!”])]

I feel pretty dumb if I mis-read the intent of the ssl cert features, but can we only update pre-existing certs and not add new ones without a full reload/restart?

I’m afraid you can only update existing certificates/bundles, yes. I don’t know the exact reason for this, but I’d assume the complexity of adding and removing certificates at run-time is just too high.

Thanks for the response @lukastribus. That’s unfortunate, and hopefully changes at some point. Regardless it’s pretty hard to complain given all the things haproxy can do. =)

This functionality has been added to the development version 2.2:

https://www.mail-archive.com/haproxy@formilux.org/msg36927.html

http://git.haproxy.org/?p=haproxy.git;a=commitdiff;h=accac23afff43fb04d2c33b5725ba9ade6f3b319

Wow - that’s wonderful news, and I greatly appreciate the followup. Thanks @lukastribus (and the rest of the team)!