Don't forget to put this script in a cron and reload HAProxy afterward.

=== reply from ulfr, 20150415 ===

My issue with this script is that not all certificates will have the CA Issuers URL present, which will make the script fail.

<pre>
Authority Information Access:
    OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca
    CA Issuers - URI:http://aia.startssl.com/certs/sub.class1.server.ca.crt
</pre>

For the sake of not confusing copy/paste users, I think we should stick to the OCSP retrieval command, and explain what information the operator should be providing to the command. Something like this:

<pre>
#!/usr/bin/env bash
# Issuer (intermediate) certificate, the server certificate HAProxy serves,
# and the OCSP responder URL from the certificate's AIA extension.
CA_CERT="/etc/haproxy/myca.pem"
SRV_CERT="/etc/haproxy/mycert.pem"
OCSP_URL="http://ocsp.startssl.com/sub/class1/server/ca"
# -noverify skips checking the responder's signature on the response.
# "-header Host value" is the OpenSSL 1.0.x syntax; 1.1.0 and later use "-header Host=value".
openssl ocsp -noverify -issuer "$CA_CERT" -cert "$SRV_CERT" -url "$OCSP_URL" \
    -header Host "$(echo "$OCSP_URL" | cut -d '/' -f 3)" -out /dev/null -respout "$SRV_CERT.ocsp"
# Reload output is discarded; errors still reach stderr.
service haproxy reload 2>&1 1>/dev/null
</pre>
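The refresh script below is an added example written for this discussion, not ulfr's script or anything from the wiki page: it reads the OCSP URI from the certificate's AIA extension (falling back to an `OCSP_URL` override), stops cleanly when neither is available, lets OpenSSL check the response signature against the issuer via `-VAfile` instead of `-noverify`, and only installs the staple when the responder says "good". File paths, the `service haproxy reload` command and the assumption that the responder signs with the issuer key or a responder certificate issued by it are all assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the wiki's script): refresh an HAProxy OCSP staple safely.
# Paths and the reload command are assumptions; adjust them to your deployment.
set -eu

CA_CERT="${CA_CERT:-/etc/haproxy/myca.pem}"      # issuer (intermediate) certificate
SRV_CERT="${SRV_CERT:-/etc/haproxy/mycert.pem}"  # server certificate HAProxy serves
OCSP_URL="${OCSP_URL:-}"                         # optional override of the AIA OCSP URI

# Host part of a URL, the way the discussed script extracts it (port kept if present).
host_from_url() { printf '%s' "$1" | cut -d '/' -f 3; }

# `openssl ocsp` reports "<cert path>: good|revoked|unknown" on stdout.
# Succeeds only when that status line says good.
response_is_good() { printf '%s\n' "$1" | grep -E '^[^:]+: good$' >/dev/null; }

# First OCSP URI from the certificate's AIA extension; empty if the extension is absent.
ocsp_uri_from_cert() { openssl x509 -in "$1" -noout -ocsp_uri 2>/dev/null | head -n 1; }

refresh_staple() {
  local url="${OCSP_URL:-$(ocsp_uri_from_cert "$SRV_CERT")}"
  if [ -z "$url" ]; then
    echo "no OCSP URI in $SRV_CERT and OCSP_URL not set; staple left untouched" >&2
    return 1
  fi
  local host hdr tmp status
  host="$(host_from_url "$url")"
  # OpenSSL 1.0.x expects "-header name value"; 1.1.0 and later expect "name=value".
  case "$(openssl version)" in
    "OpenSSL 0."*|"OpenSSL 1.0"*) hdr="-header Host $host" ;;
    *) hdr="-header Host=$host" ;;
  esac
  tmp="$(mktemp "$SRV_CERT.ocsp.XXXXXX")"
  # -VAfile treats the issuer (and responder certs it signed) as trusted signers,
  # so the response signature is verified rather than skipped with -noverify.
  status="$(openssl ocsp -issuer "$CA_CERT" -cert "$SRV_CERT" -url "$url" $hdr \
            -VAfile "$CA_CERT" -respout "$tmp")" || { rm -f "$tmp"; return 1; }
  if ! response_is_good "$status"; then
    rm -f "$tmp"
    echo "responder did not report 'good' for $SRV_CERT; staple not updated:" >&2
    echo "$status" >&2
    return 1
  fi
  mv -f "$tmp" "$SRV_CERT.ocsp"   # atomic replace: HAProxy never sees a partial file
  service haproxy reload >/dev/null
}

# Only act when invoked as "script run", so the functions can be sourced or tested.
if [ "${1:-}" = "run" ]; then refresh_staple; fi
```

Schedule it from cron as `refresh-ocsp.sh run`; a non-zero exit leaves the previous staple in place rather than serving a revoked or unverifiable response.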