I want to use haproxy as SSL termination for a content management system, but it’d need to be dynamic since users can add new domains and upload their site’s certs by themselves through their site management. I could do a script in python or bash that would do that, copy the certs to the haproxy host and trigger a seamless reload, but I was wondering if something already exists. Thanks.
I can’t directly answer your question, but the following article (from the HAProxy enterprise site) might help. (The patch seems to be available in HAProxy open source v1.8.)
Seamless reloads are supported in haproxy starting with the 1.8 release, no need to patch anything.
Installing new certificates currently does require reloading haproxy and there is no workaround for that at this time.
I know there is some interest in adding/removing certificates from the admin socket, not requiring an actual reload (iirc this was discussed once on the mailing list). I’m not sure if someone is working on this or not though. I will have to go through the archives.
As long as I can do a seamless reload, it’s fine. I was also wondering, for the copy of the certificate itself into the cert directory, if there was a way to do that remotely with some admin command, to avoid having to implement my own solution. I’m gonna search through the mailing list, thanks!
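
For the "script in python or bash" approach discussed in this thread, here is an added example (not part of any post above and not HAProxy's own code) of the install step on the haproxy host: it treats the domain and the upload as untrusted, verifies the bundle, and only then moves it into the cert directory and reloads. The function names, the `<domain>.pem` file naming, a staging directory on the same filesystem as the cert directory, the config path and the systemd unit name `haproxy` are all assumptions.

```python
import os, re, ssl, subprocess, tempfile

# Lowercase DNS hostname only: no slashes, no "..", no whitespace (assumed policy).
_HOST = re.compile(r"([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

def cert_path(domain, cert_dir):
    """Map a user-supplied domain to a file inside cert_dir, or raise ValueError."""
    if len(domain) > 253 or not _HOST.fullmatch(domain):
        raise ValueError("not a valid hostname: %r" % domain)
    return os.path.join(cert_dir, domain + ".pem")

def install_cert(domain, pem, cert_dir, staging_dir):
    """Verify an uploaded combined PEM bundle (bytes: certificate, chain and
    private key in one file), then move it atomically into cert_dir."""
    dest = cert_path(domain, cert_dir)
    fd, tmp = tempfile.mkstemp(dir=staging_dir)      # created with mode 0600
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(pem)
        # Raises ssl.SSLError if the certificate or key is missing or malformed,
        # or if they do not match. password="" makes an encrypted key fail
        # instead of prompting on the terminal.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(tmp, password="")
        os.replace(tmp, dest)                        # atomic on one filesystem
    finally:
        if os.path.exists(tmp):                      # only left behind on failure
            os.unlink(tmp)
    return dest

def reload_haproxy(cfg="/etc/haproxy/haproxy.cfg"):
    """Check the configuration first, and reload only if the check passes."""
    subprocess.run(["haproxy", "-c", "-f", cfg], check=True)
    subprocess.run(["systemctl", "reload", "haproxy"], check=True)
```

A rejected upload leaves both directories unchanged, so a bad file never lands where the next reload would pick it up.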