I’m trying to get OCSP stapling working with HAProxy and certificates from letsencrypt.org but running into a problem.
I’ve got HAProxy set up with SSL termination for a number of domains (on a single IP) and it all works fine, except for the OCSP stapling part.
The bind line in my haproxy.cfg frontend is:
bind 208.101.xx.xx:443 ssl crt /etc/haproxy/certs/
I have a script to get the OCSP response which is something like this:
openssl ocsp -no_nonce -respout /etc/haproxy/certs/mydomain.com.pem.ocsp -issuer /etc/letsencrypt/live/mydomain.com/chain.pem -verify_other /etc/letsencrypt/live/mydomain.com/chain.pem -cert /etc/letsencrypt/live/mydomain.com/cert.pem -url http://ocsp.int-x3.letsencrypt.org/ -header "HOST" "ocsp.int-x3.letsencrypt.org"
This seems to be fine, it responds as,
Response verify OK
This Update: Oct 18 01:00:00 2016 GMT
Next Update: Oct 25 01:00:00 2016 GMT
So the .ocsp file is in my HAProxy cert directory. I also copy over the issuer file from the Let’s Encrypt certificates:
cp /etc/letsencrypt/live/mydomain.com/chain.pem /etc/haproxy/certs/mydomain.com.pem.issuer
Now I have both the .issuer and .ocsp files in my HAProxy cert directory. (The .ocsp file is in a binary format)
-rw------- 1 user user 5221 Oct 17 20:41 mydomain.com.pem
-rw------- 1 user user 1647 Oct 17 19:45 mydomain.com.pem.issuer
-rw------- 1 user user 527 Oct 19 09:44 mydomain.com.pem.ocsp
I notify HAProxy about it:
echo "set ssl ocsp-response $(/usr/bin/base64 -w 10000 /etc/haproxy/certs/mydomain.com.pem.ocsp)" | /usr/bin/socat stdio /var/run/haproxy.admin
It seems to work, I get the reply:
OCSP Response updated!
Now it should be stapling the OCSP response?
I try testing it using:
OCSP response: no response sent
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
depth=0 CN = mydomain.com
Oops… not sure what is going on here, or if it’s something peculiar to the way Let’s Encrypt certs are set up.
I was using HAProxy 1.6.3 but moved to 1.7 dev4 to try again, without any more success. (CentOS 7, OpenSSL 1:1.0.1e-51.el7_2.7)
Thanks for any pointers…
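
A check for what the server actually staples, as an added example that is not part of the original post: it classifies the output of `openssl s_client -status`, passing `-servername` because the post serves several domains from one IP, so the staple reported belongs to the named certificate. The function names and the two sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): classify the stapled OCSP
# response reported by `openssl s_client -status`.

# Constructed sample outputs, used to exercise the parser offline.
SAMPLE_NONE='OCSP response: no response sent
depth=0 CN = mydomain.com'
SAMPLE_GOOD='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Oct 18 01:00:00 2016 GMT
    Next Update: Oct 25 01:00:00 2016 GMT'

# staple_state: read s_client output on stdin and print one of
#   none | error | good | revoked | unknown
staple_state() {
  awk '
    /OCSP response: no response sent/        { none = 1 }
    /OCSP Response Status:/ && !/successful/ { err = 1 }
    /Cert Status:/                           { status = $NF }
    END {
      if (none || (!err && status == "")) print "none"
      else if (err)                       print "error"
      else                                print status
    }'
}

# staple_next_update: print the Next Update timestamp of the staple, if any.
staple_next_update() {
  sed -n 's/^[[:space:]]*Next Update:[[:space:]]*//p' | head -n 1
}

# check_staple HOST [PORT]: connect with SNI set to HOST and report the staple.
# Usage: check_staple mydomain.com
check_staple() (
  host=$1
  port=${2:-443}
  out=$(openssl s_client -connect "$host:$port" -servername "$host" \
          -status </dev/null 2>/dev/null)
  printf '%s: %s (next update: %s)\n' "$host" \
    "$(printf '%s\n' "$out" | staple_state)" \
    "$(printf '%s\n' "$out" | staple_next_update)"
)
```

A result of `none` for a name whose `.ocsp` file has been loaded means the response is not attached to the certificate served for that SNI name; an empty next-update field goes with it.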