Ocsp-update haproxy 2.8

Hi everybody,
I noticed a new interesting functionality ocsp-update in haproxy 2.8 and wanted to test it.
According to doc1 and doc2 I moved my crt into the crt-list, but I am getting an error with those settings in place.

‘bind *:443’ in section ‘frontend’ : ‘crt-list’ : Incompatibilities found in OCSP update mode for certificate my.pem

Can someone explain what those found incompatibilities mean exactly? :slight_smile:

/* Check if the ckch_store and the entry does have the same configuration */
int ocsp_update_check_cfg_consistency(struct ckch_store *store, struct crtlist_entry *entry, char *crt_path, char **err)
{
	int err_code = ERR_NONE;

	if (store->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf) {
		if ((!entry->ssl_conf && store->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
		    || (entry->ssl_conf && store->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
			memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
			err_code |= ERR_ALERT | ERR_FATAL;
		}
	}
	return err_code;
}

Can you paste your frontend configuration?

frontend my_front from my-defaults
bind *:443 ssl alpn h2,http/1.1 crt-list crt_test.list
mode http
default_backend my_servers

cat crt_test.list
my.pem [ocsp-update on]
	if (store->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf) {
		if ((!entry->ssl_conf && store->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
		    || (entry->ssl_conf && store->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
			memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
			err_code |= ERR_ALERT | ERR_FATAL;
		}
	}
	return err_code;
}

store->data->ocsp_update_mode is saying there’s a structure of store->data within the ocsp_update_mode, and first it checks to see if that value does not equal SSL_SOCK_OCSP_UPDATE_DFLT OR if there is no entry in ssl_conf.

ssl_conf is an openssl library

Next it checks if (no entry in ssl_config AND the ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)

OR

ssl_conf does have config && ocsp_update_mode does not equal the ocsp_update entry from within ssl_conf, then error.

Just to give you an idea of what’s going on, take a look at this file where it’s setting two different objects with different structures within the same variable. See that both check for the existence of ssl_conf first and then set ckchs->data and store->data (ckchs, store).

ssl_crtlist.c -- This is setting the ocsp_update_mode based on the 
if (entry->ssl_conf)
	ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;

if (entry->ssl_conf)
	store->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;

ssl_sock-t.h sets the variables - This is actually setting the mode - so it’s either default, off or on.

/* bind ocsp update mode */
enum {
	SSL_SOCK_OCSP_UPDATE_DFLT     = 0,
	SSL_SOCK_OCSP_UPDATE_OFF      = 1,
	SSL_SOCK_OCSP_UPDATE_ON       = 2,
};

So basically it’s saying the update mode isn’t default or there’s no entry in ssl_conf, so now if no entry in ssl_conf and ocsp_update_mode equals OCSP_UPDATE_ON (2) OR if there is an entry in ssl_conf and the ocsp_update_mode does not equal ocsp_update from ssl_conf, then throw the error. In short I suspect that it’s failing to load that cert, but that’s just a guess. Is your pem file password protected and does it contain a trusted URI?

If you haven’t already, it might be worth running through this and checking for a valid response first and making sure the files all load just fine.
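To make the consistency check discussed above concrete, here is a small stand-alone C model of it (added example; this is not code from the thread or from the haproxy project). It reuses the enum and the decision logic quoted from the haproxy source, and feeds it the sequence of lines that reference one and the same .pem. The struct definitions are minimal stand-ins, the numeric values of ERR_ALERT/ERR_FATAL are assumed, and the loading order (the first reference creates the store and copies its [ocsp-update] mode, every later reference is checked against it) is an assumption of the model based on the ssl_crtlist.c snippets above.

```c
#include <stdio.h>
#include <stdlib.h>

/* Mirror of the enum quoted from haproxy's ssl_sock-t.h. */
enum {
	SSL_SOCK_OCSP_UPDATE_DFLT = 0,
	SSL_SOCK_OCSP_UPDATE_OFF  = 1,
	SSL_SOCK_OCSP_UPDATE_ON   = 2,
};

/* Error flags: the names match haproxy's, the numeric values are assumed
 * for this stand-alone model and are not taken from the haproxy source. */
#define ERR_NONE  0x00
#define ERR_ALERT 0x10
#define ERR_FATAL 0x20

/* Minimal stand-ins for the haproxy structs the check touches (assumed). */
struct ckch_data     { int ocsp_update_mode; };
struct ckch_store    { struct ckch_data *data; };
struct ssl_bind_conf { int ocsp_update; };
struct crtlist_entry { struct ssl_bind_conf *ssl_conf; };

/* Same decision logic as the ocsp_update_check_cfg_consistency() quoted in
 * the thread, without the memprintf() message. Returns ERR_NONE when the
 * entry agrees with what the store already holds for that certificate. */
int ocsp_update_check(const struct ckch_store *store, const struct crtlist_entry *entry)
{
	int err_code = ERR_NONE;

	if (store->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf) {
		if ((!entry->ssl_conf && store->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
		    || (entry->ssl_conf && store->data->ocsp_update_mode != entry->ssl_conf->ocsp_update))
			err_code |= ERR_ALERT | ERR_FATAL;
	}
	return err_code;
}

/* Marker for a line that references the certificate with no crt-list
 * options at all, i.e. entry->ssl_conf == NULL (a plain "crt my.pem"). */
#define NO_SSL_CONF (-1)

/* Walk every reference to one certificate in configuration order.
 * The first reference creates the store and copies the line's mode into it
 * (as the two ssl_crtlist.c snippets do); each later reference is checked
 * against the store. Returns the accumulated err_code, 0 when all agree. */
int check_cert_references(const int *modes, int nlines)
{
	struct ckch_data data = { SSL_SOCK_OCSP_UPDATE_DFLT };
	struct ckch_store store = { &data };
	int err = ERR_NONE;
	int i;

	for (i = 0; i < nlines; i++) {
		struct ssl_bind_conf conf;
		struct crtlist_entry entry = { NULL };

		if (modes[i] != NO_SSL_CONF) {
			conf.ocsp_update = modes[i];
			entry.ssl_conf = &conf;
		}
		if (i == 0) {
			/* first sighting: the store inherits this line's mode */
			if (entry.ssl_conf)
				store.data->ocsp_update_mode = entry.ssl_conf->ocsp_update;
			continue;
		}
		err |= ocsp_update_check(&store, &entry);
	}
	return err;
}

static const char *verdict(int err)
{
	return err == ERR_NONE ? "ok" : "Incompatibilities found in OCSP update mode";
}

int main(void)
{
	/* Constructed scenarios: each array is the ordered list of places the
	 * same .pem is referenced, using the marker above for option-less lines. */
	const int only_on[]      = { SSL_SOCK_OCSP_UPDATE_ON };
	const int crt_then_on[]  = { NO_SSL_CONF, SSL_SOCK_OCSP_UPDATE_ON };
	const int on_then_off[]  = { SSL_SOCK_OCSP_UPDATE_ON, SSL_SOCK_OCSP_UPDATE_OFF };
	const int on_then_bare[] = { SSL_SOCK_OCSP_UPDATE_ON, NO_SSL_CONF };
	const int on_twice[]     = { SSL_SOCK_OCSP_UPDATE_ON, SSL_SOCK_OCSP_UPDATE_ON };

	printf("crt-list [ocsp-update on] only            : %s\n", verdict(check_cert_references(only_on, 1)));
	printf("plain crt first, then [ocsp-update on]    : %s\n", verdict(check_cert_references(crt_then_on, 2)));
	printf("[ocsp-update on], then [ocsp-update off]  : %s\n", verdict(check_cert_references(on_then_off, 2)));
	printf("[ocsp-update on], then a plain reference  : %s\n", verdict(check_cert_references(on_then_bare, 2)));
	printf("[ocsp-update on] twice                    : %s\n", verdict(check_cert_references(on_twice, 2)));
	return 0;
}
```

The model shows where the message in the first post comes from: a single crt-list line with [ocsp-update on] passes, but the moment the same certificate is also loaded without that option (a plain crt on another bind line, or a second crt-list line with a different or missing setting) the store and the entry disagree and the check returns ERR_ALERT | ERR_FATAL, which is what turns into the startup error.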

This cert is normally used with OCSP update done via script, so it is loading just fine. :slight_smile: I just wanted to check if this can be done now without the script and by hap itself. There is no password on the pem; what do you mean by trusted URI?

You MIGHT be able to do the update without a script. By trusted URI I was referring to this section and the fact that if an OCSP URI is found then the cert issuer needs to be trusted. I rushed my comment and left out some details there, sorry.

ocsp-update [ off | on ] (crt-list only)

Enable automatic OCSP response update when set to ‘on’, disable it otherwise. Its value defaults to ‘off’. Please note that for now, this option can only be used in a crt-list line, it cannot be used directly on a bind line. It lies in this “Bind options” section because it is still a frontend option. This limitation was set so that the option applies to only one certificate at a time. If a given certificate is used in multiple crt-lists with different values of the ‘ocsp-update’ set, an error will be raised. Here is an example configuration enabling it:

haproxy.cfg:
frontend fe
bind :443 ssl crt-list haproxy.list

haproxy.list:
server_cert.pem [ocsp-update on] foo.bar

When the option is set to ‘on’, we will try to get an ocsp response whenever an ocsp uri is found in the frontend’s certificate. The only limitation of this mode is that the certificate’s issuer will have to be known in order for the OCSP certid to be built.

For example, let’s use a Let’s Encrypt certificate. What do I need to add, and where, to make the certificate’s issuer known to the process, so the OCSP certid will be built?

It should pick it up based on the configuration you have shown me so far. Are you by chance using that same certificate in more than one location or referencing it elsewhere in the configuration? That could explain the error you are getting.

“If a given certificate is used in multiple crt-lists with different values of the ‘ocsp-update’ set, an error will be raised.”

You can also try running these commands to get a status and see if there are any errors.
There are also new Runtime API commands: update ssl ocsp-response for requesting an updated OCSP response immediately and show ssl ocsp-updates for viewing the expected time of the next update and the status of the last update.

Hey, it took a while and I’ve updated to haproxy 2.8.4 and current openssl, and the problem resolved itself. I don’t have the startup error anymore and I am able to run both commands, update ssl ocsp-response and show ssl ocsp-updates, via the API. I can see that now I have ‘HTTP error’ on ocsp update attempts.

This particular server instance does not have direct internet HTTP connection capabilities and all traffic goes via the proxy.local server. Is there a way to tell haproxy to make this update ssl ocsp-response request go via the proxy server?