HAProxy community

How to hot-update TLS certificates?

Hi, reading latest 2.1.0 release note from https://www.mail-archive.com/haproxy@formilux.org/msg35491.html and I notice this feature which sounds great:

- support of runtime certificate updates. It's now possible to change
existing certs without reloading. Creation is yet another challenge
and I understood that there are also some limitations to certain
situations where updates are still not possible (though an error
message will indicate it).

I did search in the configuration manual but found nothing on how to configure/enable to use this feature.

Can I be advised on how to enable/configure my haproxy to try out this feature?

Thank you!

The documentation missed 2.1.0 unfortunately but it will be in 2.1.1. However the feature is there, only the documentation is missing.

In the mean time, refer to the 2.2-dev documentation:

set ssl cert
abort ssl cert
commit ssl cert

Thank you @lukastribus.

So the following question is given I have below configuration

frontend myproxy
  bind :8443 ssl ssl-min-ver TLSv1.2 alpn http/1.1 crt /my_cert/cert.pem crt /your_cert/cert.pem
  use_backend mybackend

When I am about to use set ssl cert <filename> <payload> to update /my_cert/cert.pem, should I use full certificate path name like:

echo -e "set ssl cert /my_cert/cert.pem <<\n$(cat my_cert.pem)\n" | \
socat /var/run/haproxy.stat -

or simply just file name like:

echo -e "set ssl cert cert.pem <<\n$(cat my_cert.pem)\n" | \
socat /var/run/haproxy.stat -

Since my configuration in example loads 2 certificates from /my_cert/cert.pem and /your_cert/cert.pem, does above file name only command cause confusion to haproxy?

Just the filename. The full path to the certificates is needed in the cat command, so that the content of the certificate is actually installed.

I did an experiment and looks like in my example I should explicitly specify the full path of my certificate file in set ssl cert command. So the behavior of set ssl cert is: it is only valid to update the cert file name that configuration refers.

If I only use the file name instead of the full path name of the certificate file I used in my configuration, set ssl cert command complains:

$ echo -e "set ssl cert cert.pem <<\n$(cat bad.pem)\n" | socat /root/spoe/admin-1.sock -
Can't replace a certificate which is not referenced by the configuration!
Can't update cert.pem!

So maybe it is a little confusing what the filename from the doc means :cold_sweat:

1 Like