Currently debugging OCSP stapling problems.
Version: 3.0.14-1
Certificate: SwissSign Preprod:
/etc/haproxy/certs/domain.pem, containing:
- leaf
- issuer 1
- issuer 2 (signing issuer 1)
- key
The root was added to the system truststore:
root@:/etc/haproxy/certs# ls -lart /etc/ssl/certs
...
lrwxrwxrwx 1 root root 61 Jan 9 14:18 gold_g2_stag.pem -> /usr/local/share/ca-certificates/fca-preprod/gold_g2_stag.crt
lrwxrwxrwx 1 root root 16 Jan 9 14:18 4f316efb.1 -> gold_g2_stag.pem
-rw-r--r-- 1 root root 202359 Jan 9 15:11 ca-certificates.crt
drwxr-xr-x 3 root root 16384 Jan 9 15:11 .
Server seems to be absolutely happy with that:
openssl s_client -connect <domain>:443
Connecting to 139.162.141.196
CONNECTED(00000003)
depth=3 C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2
verify return:1
depth=2 C=CH, O=SwissSign AG, CN=SwissSign RSA TLS Root CA 2022 - 1 - DEMO
verify return:1
depth=1 C=CH, O=SwissSign AG, CN=SwissSign RSA TLS DV ICA 2022 - 1 - DEMO
verify return:1
depth=0 CN=<domain>
verify return:1
Certificate chain
0 s:CN=<domain>
i:C=CH, O=SwissSign AG, CN=SwissSign RSA TLS DV ICA 2022 - 1 - DEMO
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Jan 9 13:53:43 2026 GMT; NotAfter: Jan 9 13:53:43 2027 GMT
1 s:C=CH, O=SwissSign AG, CN=SwissSign RSA TLS DV ICA 2022 - 1 - DEMO
i:C=CH, O=SwissSign AG, CN=SwissSign RSA TLS Root CA 2022 - 1 - DEMO
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Aug 30 09:46:44 2022 GMT; NotAfter: Aug 30 09:46:44 2036 GMT
2 s:C=CH, O=SwissSign AG, CN=SwissSign RSA TLS Root CA 2022 - 1 - DEMO
i:C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Feb 20 13:56:51 2024 GMT; NotAfter: Aug 17 13:56:51 2036 GMT
The only issue is that, for the life of me, I can't get OCSP stapling to work.
OCSP is just fine:
openssl ocsp -issuer domain.issuer.pem -cert domain.pem -url http://ocsp.pre.swisssign.ch/sign/ocs-192cba97-3391-4237-8fad-b3973d0170ce
Response verify OK
domain.pem: good
This Update: Jan 9 15:14:48 2026 GMT
Next Update: Jan 12 15:14:48 2026 GMT
If I manually stick that into haproxy, ocsp stapling works just fine.
But the new auto updater keeps getting confused:
echo "show ssl ocsp-updates" | sudo socat stdio tcp4-connect:127.0.0.1:9999
OCSP Certid | Path | Next Update | Last Update | Successes | Failures | Last Update Status | Last Update Status (str)
304d300906052b0e03021a05000414bfab4ae4faeeedf022930de87f77d7d726ebc2b504145af36a21f67bd7247c151ec51db01fbbadd0c33702144058807f44549579cee72723de52d16e797931c7 | @web/domain.pem | 09/Jan/2026:15:30:09 +0000 | - | 0 | 4 | 4 | OCSP response check failure
No amount of reordering items in the certificate PEM, adding additional ca-file/issuer lines in the haproxy config, etc. has fixed this so far. Any pointers?
Relevant bits of the haproxy config:
global
…
ocsp-update.mode on
ocsp-update.mindelay 300
ocsp-update.maxdelay 3600
…
crt-store web
crt-base /etc/haproxy/certs/
load crt domain.pem ocsp-update on
…
frontend fe_https
bind :443 ssl crt "@web/domain.pem" alpn h2,http/1.1
mode http
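An added diagnostic for the `show ssl ocsp-updates` row quoted above (example code, not part of the post or of HAProxy): it splits the row into its columns and decodes the OCSP Certid column, which is a DER-encoded RFC 6960 CertID, into hash algorithm, issuer name hash, issuer key hash and serial number. Those values can then be compared with the Cert ID that `openssl ocsp -issuer ... -cert ... -text` computes from the issuer/leaf pair; a mismatch means HAProxy built the request against a different issuer certificate than the one the manual check used.

```python
# Added diagnostic, not from the original post: decode the OCSP Certid column of
# "show ssl ocsp-updates" for comparison with "openssl ocsp -issuer ... -cert ... -text".

# Constructed sample input: the status row quoted in the post.
SAMPLE_ROW = (
    "304d300906052b0e03021a05000414bfab4ae4faeeedf022930de87f77d7d726ebc2b5"
    "04145af36a21f67bd7247c151ec51db01fbbadd0c337"
    "02144058807f44549579cee72723de52d16e797931c7"
    " | @web/domain.pem | 09/Jan/2026:15:30:09 +0000 | - | 0 | 4 | 4"
    " | OCSP response check failure"
)
COLUMNS = ["certid", "path", "next_update", "last_update", "successes",
           "failures", "status", "status_str"]
# DER-encoded hash OIDs that may appear in CertID.hashAlgorithm.
HASH_OIDS = {bytes.fromhex("2b0e03021a"): "sha1",             # 1.3.14.3.2.26
             bytes.fromhex("608648016503040201"): "sha256"}   # 2.16.840.1.101.3.4.2.1


def parse_update_row(row: str) -> dict:
    """Split one 'show ssl ocsp-updates' row into named columns."""
    fields = [f.strip() for f in row.split(" | ")]
    if len(fields) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} columns, got {len(fields)}")
    return dict(zip(COLUMNS, fields))


def _tlv(buf: bytes, pos: int, want: int):
    """Read one short-form DER TLV at pos and check its tag (a CertID is tiny)."""
    tag, length = buf[pos], buf[pos + 1]
    if tag != want or length >= 0x80:
        raise ValueError(f"bad DER at offset {pos}: tag {tag:#x} len {length}")
    return buf[pos + 2:pos + 2 + length], pos + 2 + length


def decode_certid(hexstr: str) -> dict:
    """Decode RFC 6960 CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash,
    issuerKeyHash, serialNumber } from the hex string HAProxy prints."""
    body, _ = _tlv(bytes.fromhex(hexstr), 0, 0x30)
    alg, pos = _tlv(body, 0, 0x30)          # AlgorithmIdentifier
    oid, _ = _tlv(alg, 0, 0x06)             # its OBJECT IDENTIFIER
    name_hash, pos = _tlv(body, pos, 0x04)  # OCTET STRING
    key_hash, pos = _tlv(body, pos, 0x04)   # OCTET STRING
    serial, pos = _tlv(body, pos, 0x02)     # INTEGER
    if pos != len(body):
        raise ValueError("trailing bytes after CertID")
    return {"hash_algorithm": HASH_OIDS.get(oid, "oid-hex:" + oid.hex()),
            "issuer_name_hash": name_hash.hex().upper(),
            "issuer_key_hash": key_hash.hex().upper(),
            "serial_number": serial.hex().upper()}
```

Feed it the Certid of any row from the updater's output; the issuer hashes it prints must equal the ones `openssl ocsp -text` shows in its request's Cert ID section for the same leaf.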