HAProxy community

TLS cert hot-update for client cert?


Regarding "How to hot-update TLS certificates?": the TLS hot-update works well for server TLS certificates, and it is a great feature for our scenario.

But I found that set ssl cert does not work with a client certificate, as the configuration below shows:

global
    log stdout local0
    stats socket /tmp/admin-1.sock level admin process 1 mode 0660 expose-fd listeners
    tune.ssl.default-dh-param 2048

defaults
    log global
    maxconn 3000
    mode http
    timeout connect 10s
    timeout client 30s
    timeout server 30s
    option httplog
    option http-use-htx
    option redispatch
    option logasap

frontend myproxy
    bind :58080
    default_backend mybackend

backend mybackend
    server localserver ssl verify required ca-file /tmp/pem/ca.crt crt /tmp/pem/tls.pem force-tlsv13

With the command

    # echo -e "set ssl cert /tmp/pem/tls.pem <<\n$(cat /tmp/pem/tls.pem)\n" \
           | socat /tmp/admin-1.sock -
    Can't replace a certificate which is not referenced by the configuration!
    Can't update /tmp/pem/tls.pem

The questions are:

  1. Is hot-updating a client certificate supported, or did I miss some configuration?
  2. Is there a way to hot-update the ca-file for both the server (in the bind directive) and the client (in the server directive)?

Thank you very much!
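The following script is an added example and is not part of this thread or of HAProxy itself. It shows the full hot-update sequence on the admin socket as it exists in HAProxy 2.1 and later, where set ssl cert only stages the new PEM in a transaction and commit ssl cert makes it live, and it checks show ssl cert first so that a path HAProxy never registered (the situation reported above) is caught before the update is attempted. It assumes socat is installed, that the stats socket was opened with level admin, and that the reply-classification rule (treating replies containing "Can't" or "Error" as failures) is a heuristic of this example, not a documented contract.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from the HAProxy project.
# Hot-update a PEM file that a running HAProxy (>= 2.1) already references,
# using the two-step set/commit transaction on the admin stats socket.

# Build the exact text HAProxy expects: "set ssl cert <path> <<", then the
# PEM payload, then an empty line that terminates the multi-line payload.
build_set_cert_cmd() {
    path="$1"
    printf 'set ssl cert %s <<\n' "$path"
    cat "$path"
    printf '\n'
}

# Send whatever arrives on stdin to the socket and echo HAProxy's reply.
# Kept separate so the payload builder can be exercised without a socket.
cli_send() {
    sock="$1"
    socat "unix-connect:$sock" -
}

# HAProxy answers a failed CLI command with lines such as
# "Can't replace a certificate which is not referenced by the configuration!"
# Classify a reply containing "Can't" or "Error" as a failure (heuristic,
# an assumption of this example).
reply_ok() {
    case "$1" in
        *"Can't"*|*Error*|*error*) return 1 ;;
        *) return 0 ;;
    esac
}

# Return 0 when <path> is listed by "show ssl cert", i.e. HAProxy loaded it
# from the configuration and can therefore replace it.
cert_is_referenced() {
    sock="$1"; path="$2"
    printf 'show ssl cert\n' | cli_send "$sock" | grep -qx -- "$path"
}

hot_update_cert() {
    sock="$1"; path="$2"
    if ! cert_is_referenced "$sock" "$path"; then
        echo "$path is not referenced by the running configuration; nothing to update" >&2
        return 1
    fi
    reply=$(build_set_cert_cmd "$path" | cli_send "$sock")
    echo "$reply"
    reply_ok "$reply" || return 1
    # The new certificate is only staged at this point; it goes live on commit.
    reply=$(printf 'commit ssl cert %s\n' "$path" | cli_send "$sock")
    echo "$reply"
    reply_ok "$reply"
}

# usage: ./hot-update.sh /tmp/admin-1.sock /tmp/pem/tls.pem
if [ "$#" -eq 2 ]; then
    hot_update_cert "$1" "$2"
fi
```

Running the script against the socket and PEM path from the configuration above reproduces the thread's error as a non-zero exit before any payload is sent, because the server-line crt never appears in show ssl cert in the version the question was asked against; on a version that registers it, the same invocation stages and commits the new file.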

I doubt you can hot-update anything other than the actual server certificate.

Thanks for the answer. @lukastribus

I will try to file a feature request to haproxy maybe. :slightly_frowning_face:


I filed feature request at https://github.com/haproxy/haproxy/issues/427 :sweat_smile: