Versions Compared

Old Version 12

changes.mady.by.user jtel Support

Saved on

compared with

New Version Current

changes.mady.by.user jtel Support

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Content imported from a Scroll Translations translation file.
Sv translation
languageen

Recently, more use has been made of so-called OCSP stapling instead of CRL (Certificate Revocation Lists).

See also: https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

If OCSP stapling should be activated in haproxy, the following procedure is used.

See also this website: https://icicimov.github.io/blog/server/HAProxy-OCSP-stapling/ for a very good manual and explanation on which our manual here is based.

check haproxy.cfg

Check that the stats socket is activated. If a different socket is specified, the script must be adjusted below (two lines before exit 0 - in the socat command).

Translations Ignore


Code Block
titlehaproxy.cfg
global
        stats socket  /var/lib/haproxy/stats
        stats timeout 30s



install socat 

Translations Ignore


Code Block
titleInstall socat
yum -y install socat



Create script for OCSP stapling and make it executable

Translations Ignore


Code Block
titleScript for OCSP stapling
cat <<'EOFF' > /usr/local/bin/haproxy_ocsp_update.sh
#!/bin/bash

# Certificates path and names
DIR="/etc/haproxy"
CERT="haproxy.pem"

# Get the issuer URI, download it's certificate and convert into PEM format
ISSUER_URI=$(openssl x509 -in ${DIR}/${CERT} -text -noout | grep 'CA Issuers' | cut -d: -f2,3)
ISSUER_NAME=$(echo ${ISSUER_URI##*/} | while read -r fname; do echo ${fname%.*}; done)
wget -q -O- $ISSUER_URI | openssl x509 -inform DER -outform PEM -out ${DIR}/${ISSUER_NAME}.pem

# Get the OCSP URL from the certificate
ocsp_url=$(openssl x509 -noout -ocsp_uri -in ${DIR}/${CERT})

# Extract the hostname from the OCSP URL
ocsp_host=$(echo $ocsp_url | cut -d/ -f3)

# Create/update the ocsp response file and update HAProxy
openssl ocsp -noverify -no_nonce -issuer ${DIR}/${ISSUER_NAME}.pem -cert ${DIR}/${CERT} -url $ocsp_url -header "Host=$ocsp_host" -respout ${DIR}/${CERT}.ocsp
[[ $? -eq 0 ]] && [[ $(pidof haproxy) ]] && [[ -s ${DIR}/${CERT}.ocsp ]] && echo "set ssl ocsp-response $(/usr/bin/base64 -w 10000 ${DIR}/${CERT}.ocsp)" | socat stdio unix-connect:/var/lib/haproxy/stats

exit 0
EOFF

chmod +x /usr/local/bin/haproxy_ocsp_update.sh



Test the script

Run the script with: /usr/local/bin/haproxy_ocsp_update.sh

Example return:


Translations Ignore


Code Block
/etc/haproxy/haproxy.pem: good
This Update: Mar 25 15:33:54 2019 GMT
Next Update: Mar 28 15:33:54 2019 GMT



Warning

Note: if you get a warning like this:

Translations Ignore
OCSP single response: Certificate ID does not match any certificate or issuer.

Then you should be able to fix this by reloading haproxy and running the script again:

Translations Ignore
systemctl reload haproxy
/usr/local/bin/haproxy_ocsp_update.sh


Activate CRON job for script

This will execute the script every day.

Translations Ignore


Code Block
titlehaproxy.cfg
cat <<EOFF >> /etc/crontab
0  0  *  *  * root /usr/local/bin/haproxy_ocsp_update.sh
EOFF





Sv translation
languagede

Status
colourRed
titleTHIS PAGE IS ONLY AVAILABLE IN ENGLISH

Sv translation
languagefr

Récemment, on a davantage utilisé ce que l'on appelle l'agrafage OCSP au lieu des CRL (Certificate Revocation Lists).

Voir aussi: https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

Si l'agrafage OCSP doit être activé en haproxy, la procédure suivante est utilisée.

Voir aussi ce site web : https://icicimov.github.io/blog/server/HAProxy-OCSP-stapling/ for a very good manual and explanation on which our manual here is based.

consultez haproxy.cfg

Vérifiez que la prise de statistiques est activée. Si une socket différente est spécifiée, le script doit être ajusté ci-dessous (deux lignes avant la sortie 0 - dans la commande socat).

Translations Ignore


Code Block
titlehaproxy.cfg
global stats socket /var/lib/haproxy/stats stats timeout 30s



installer socat 

Translations Ignore


Code Block
titleInstaller socat
yum -y install socat



Créer un script pour l'agrafage OCSP et le rendre exécutable

Translations Ignore


Code Block
titleScript pour l'agrafage OCSP
cat <<'EOFF' > /usr/local/bin/haproxy_ocsp_update.sh #!/bin/bash # Certificates path and names DIR="/etc/haproxy" CERT="haproxy.pem" # Get the issuer URI, download it's certificate and convert into PEM format ISSUER_URI=$(openssl x509 -in ${DIR}/${CERT} -text -noout | grep 'CA Issuers' | cut -d: -f2,3) ISSUER_NAME=$(echo ${ISSUER_URI##*/} | while read -r fname; do echo ${fname%.*}; done) wget -q -O- $ISSUER_URI | openssl x509 -inform DER -outform PEM -out ${DIR}/${ISSUER_NAME}.pem # Get the OCSP URL from the certificate ocsp_url=$(openssl x509 -noout -ocsp_uri -in ${DIR}/${CERT}) # Extract the hostname from the OCSP URL ocsp_host=$(echo $ocsp_url | cut -d/ -f3) # Create/update the ocsp response file and update HAProxy openssl ocsp -noverify -no_nonce -issuer ${DIR}/${ISSUER_NAME}.pem -cert ${DIR}/${CERT} -url $ocsp_url -header "Host=$ocsp_host" -respout ${DIR}/${CERT}.ocsp [[ $? -eq 0 ]] && [[ $(pidof haproxy) ]] && [[ -s ${DIR}/${CERT}.ocsp ]] && echo "set ssl ocsp-response $(/usr/bin/base64 -w 10000 ${DIR}/${CERT}.ocsp)" | socat stdio unix-connect:/var/lib/haproxy/stats exit 0 EOFF chmod +x /usr/local/bin/haproxy_ocsp_update.sh



Tester le script

Exécutez le script avec: /usr/local/bin/haproxy_ocsp_update.sh

Exemple de retour :


Translations Ignore


Code Block
/etc/haproxy/haproxy.pem: good This Update: 25 Mar 15:33:54 2019 GMT Prochaine mise à jour : 28 Mar 15:33:54 2019 GMT



Warning

Note : si vous recevez un avertissement comme celui-ci :

Translations Ignore
OCSP single response: Certificate ID does not match any certificate or issuer.

Then you should be able to fix this by reloading haproxy and running the script again:

Translations Ignore
systemctl reload haproxy
/usr/local/bin/haproxy_ocsp_update.sh


Activer le job CRON pour le script

Cela permettra d'exécuter le scénario tous les jours.

Translations Ignore


Code Block
titlehaproxy.cfg
cat <<EOFF >> /etc/crontab 0 0 * * * root /usr/local/bin/haproxy_ocsp_update.sh EOFF