Listing/obtaining domains from directory of certificates / SNI

I am setting up a reverse proxy that reads a collection of certificates from a directory like:

frontend https-in
bind *:443 ssl crt /etc/haproxy/ssl/

The directory contains single domain certificates as well as SAN certificates. This is all working well, and haproxy is reading all the certificates and serving the proper one through SNI.

I would like to obtain a list of domains available through SNI as HAProxy sees it, for the sake of auditing/sanity/change control. I would also be OK with a list of valid certificates - previously we used crt-list and manually managed that file. However, I am looking for a way to automatically monitor it and detect changes, rather than update the crt-list file every time.

Is this possible? Ideally, HAProxy could do this, either through the command line or the stats page (rather than using a script+OpenSSL, etc.). It seems like it already does it in order to determine all the SNI options; I just can’t find a way to get my hands on that data.

Thanks!

I’m not sure about this.

Haproxy does not care whether the certificate is valid or not, it does not store the date, etc.

You will want to know things like:

  • valid start and end date
  • ca data like intermediate certificates and the validity of the entire chain

Knowing what certificate a certain SNI value would return could be useful, but only when troubleshooting a specific SNI issue. For everything else, I think external tools are the way to go. You can verify the full chain, extract data like start/end dates, etc.

I don’t see how cluttering haproxy itself with features like this is beneficial, considering the maintenance effort.

Thank you for the response! Using external tools for validating the dates, chains, etc of the certificates themselves makes sense.

I think I could have been more clear when I said ‘valid’ - by that I meant more that HAProxy successfully read and loaded the certificate - that I didn’t botch the permissions, etc., or something else unanticipated happened. We had some security using crt-list in that if a certificate was in the list but somehow messed up, validating the HAProxy config would let us know.

I assume that when HAProxy loads, it reads through all the certificates and has an internal map of domains -> certificates. I was hoping there would be a way to see that from HAProxy’s perspective, but if there isn’t I can live without it.

In the internal mapping you’d only see what actually works. No indication of any failures.

Suppose a *.pem file is zero byte long or haproxy couldn’t read it because of a permission problem for example, the domain would simply be missing from the internal mapping. It’s not like there would be any errors.

So you’d have to compare the mapping output with your actual expected state and find missing mappings, to be able to conclude something went wrong.

And does that really help you in the end?

In my case it would - we have various data collectors that compare deltas to keep track of and notify for changes. Also it seems nice as a sanity check to look at periodically, now that we are programmatically adding lots of letsencrypt certs into the mix.

I suggest you file a feature request on github.