How to hot-update TLS certificates?

Help!
1

Hi, reading latest 2.1.0 release note from https://www.mail-archive.com/haproxy@formilux.org/msg35491.html and I notice this feature which sounds great:

- support of runtime certificate updates. It's now possible to change
existing certs without reloading. Creation is yet another challenge
and I understood that there are also some limitations to certain
situations where updates are still not possible (though an error
message will indicate it).

I did search in the configuration manual but found nothing on how to configure/enable to use this feature.

Can I be advised on how to enable/configure my haproxy to try out this feature?

Thank you!

2

The documentation missed 2.1.0 unfortunately but it will be in 2.1.1. However the feature is there, only the documentation is missing.

In the mean time, refer to the 2.2-dev documentation:

set ssl cert
abort ssl cert
commit ssl cert

3

Thank you @lukastribus.

So the following question is given I have below configuration

frontend myproxy
  bind :8443 ssl ssl-min-ver TLSv1.2 alpn http/1.1 crt /my_cert/cert.pem crt /your_cert/cert.pem
  use_backend mybackend

When I am about to use set ssl cert <filename> <payload> to update /my_cert/cert.pem, should I use full certificate path name like:

echo -e "set ssl cert /my_cert/cert.pem <<\n$(cat my_cert.pem)\n" | \
socat /var/run/haproxy.stat -

or simply just file name like:

echo -e "set ssl cert cert.pem <<\n$(cat my_cert.pem)\n" | \
socat /var/run/haproxy.stat -

Since my configuration in example loads 2 certificates from /my_cert/cert.pem and /your_cert/cert.pem, does above file name only command cause confusion to haproxy?

4

Just the filename. The full path to the certificates is needed in the cat command, so that the content of the certificate is actually installed.

5

I did an experiment and looks like in my example I should explicitly specify the full path of my certificate file in set ssl cert command. So the behavior of set ssl cert is: it is only valid to update the cert file name that configuration refers.

If I only use the file name instead of the full path name of the certificate file I used in my configuration, set ssl cert command complains:

$ echo -e "set ssl cert cert.pem <<\n$(cat bad.pem)\n" | socat /root/spoe/admin-1.sock -
Can't replace a certificate which is not referenced by the configuration!
Can't update cert.pem!

So maybe it is a little confusing what the filename from the doc means :cold_sweat:

1 Like