mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-22 06:11:32 +02:00
Code Issues Projects Releases Wiki Activity

DOC: ssl: Add documentation about CRL file hot update commands

Browse Source 
Add description for new "abort/commit/del/new/set/show ssl crl-file" CLI
commands.
This commit is contained in:
Remi Tricot-Le Breton 2021-04-27 16:28:25 +02:00 committed by William Lallemand
parent a3b2e099c2
commit 3c222bd99c
1 changed files with 98 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

98
doc/management.txt
View File

@ -1402,6 +1402,11 @@ abort ssl cert <filename>
See also "set ssl cert" and "commit ssl cert". See also "set ssl cert" and "commit ssl cert".
abort ssl crl-file <crlfile>
Abort and destroy a temporary CRL file update transaction.
See also "set ssl crl-file" and "commit ssl crl-file".
add acl [@<ver>] <acl> <pattern> add acl [@<ver>] <acl> <pattern>
Add an entry into the acl <acl>. <acl> is the #<id> or the <file> returned by Add an entry into the acl <acl>. <acl> is the #<id> or the <file> returned by
"show acl". This command does not verify if the entry already exists. Entries "show acl". This command does not verify if the entry already exists. Entries
@ -1645,6 +1650,28 @@ commit ssl cert <filename>
See also "new ssl cert", "set ssl cert", "abort ssl cert" and See also "new ssl cert", "set ssl cert", "abort ssl cert" and
"add ssl crt-list". "add ssl crt-list".
commit ssl crl-file <crlfile>
Commit a temporary SSL CRL file update transaction.
In the case of an existing CRL file (in a "Used" state in "show ssl
crl-file"), the new CRL file entry is inserted in the CA file tree (which
holds both the CA files and the CRL files) and every instance that used the
CRL file entry is rebuilt, along with the SSL contexts it needs.
All the contexts previously used by the rebuilt instances are removed.
Upon success, the previous CRL file entry is removed from the tree.
Upon failure, nothing is removed or deleted, and all the original SSL
contexts are kept and used.
Once the temporary transaction is committed, it is destroyed.
In the case of a new CRL file (after a "new ssl crl-file" and in a "Unused"
state in "show ssl crl-file"), the CRL file will be inserted in the CRL file
tree but it won't be used anywhere in HAProxy. To use it and generate SSL
contexts that use it, you will need to add it to a crt-list with "add ssl
crt-list".
See also "new ssl crl-file", "set ssl crl-file", "abort ssl crl-file" and
"add ssl crt-list".
debug dev <command> [args]* debug dev <command> [args]*
Call a developer-specific command. Only supported on a CLI connection running Call a developer-specific command. Only supported on a CLI connection running
in expert mode (see "expert-mode on"). Such commands are extremely dangerous in expert mode (see "expert-mode on"). Such commands are extremely dangerous
@ -1681,6 +1708,12 @@ del ssl cert <certfile>
of the certificate. The deletion doesn't work with a certificate referenced of the certificate. The deletion doesn't work with a certificate referenced
directly with the "crt" directive in the configuration. directly with the "crt" directive in the configuration.
del ssl crl-file <crlfile>
Delete a CRL file tree entry from HAProxy. The CRL file must be unused and
removed from any crt-list. "show ssl crl-file" displays the status of the CRL
files. The deletion doesn't work with a certificate referenced directly with
the "crl-file" directive in the configuration.
del ssl crt-list <filename> <certfile[:line]> del ssl crt-list <filename> <certfile[:line]>
Delete an entry in a crt-list. This will delete every SNIs used for this Delete an entry in a crt-list. This will delete every SNIs used for this
entry in the frontends. If a certificate is used several time in a crt-list, entry in the frontends. If a certificate is used several time in a crt-list,
@ -1887,6 +1920,11 @@ new ssl cert <filename>
added to a directory or a crt-list. This command should be used in added to a directory or a crt-list. This command should be used in
combination with "set ssl cert" and "add ssl crt-list". combination with "set ssl cert" and "add ssl crt-list".
new ssl crl-file <crlfile>
Create a new empty CRL file tree entry to be filled with a set of CRLs
and added to a crt-list. This command should be used in combination with "set
ssl crl-file" and "add ssl crt-list".
prepare acl <acl> prepare acl <acl>
Allocate a new version number in ACL <acl> for atomic replacement. <acl> is Allocate a new version number in ACL <acl> for atomic replacement. <acl> is
the #<id> or the <file> returned by "show acl". The new version number is the #<id> or the <file> returned by "show acl". The new version number is
@ -2091,6 +2129,22 @@ set ssl cert <filename> <payload>
socat /var/run/haproxy.stat - socat /var/run/haproxy.stat -
echo "commit ssl cert localhost.pem" | socat /var/run/haproxy.stat - echo "commit ssl cert localhost.pem" | socat /var/run/haproxy.stat -
set ssl crl-file <crlfile> <payload>
This command is part of a transaction system, the "commit ssl crl-file" and
"abort ssl crl-file" commands could be required.
If there is no on-going transaction, it will create a CRL file tree entry into
which the Revocation Lists contained in the payload will be stored. The CRL
file entry will not be stored in the CRL file tree and will only be kept in a
temporary transaction. If a transaction with the same filename already exists,
the previous CRL file entry will be deleted and replaced by the new one.
Once the modifications are done, you have to commit the transaction through
a "commit ssl crl-file" call.
Example:
echo -e "set ssl crl-file crlfile.pem <<\n$(cat rootCRL.pem)\n" | \
socat /var/run/haproxy.stat -
echo "commit ssl crl-file crlfile.pem" | socat /var/run/haproxy.stat -
set ssl ocsp-response <response | payload> set ssl ocsp-response <response | payload>
This command is used to update an OCSP Response for a certificate (see "crt" This command is used to update an OCSP Response for a certificate (see "crt"
on "bind" lines). Same controls are performed as during the initial loading of on "bind" lines). Same controls are performed as during the initial loading of
@ -2954,6 +3008,50 @@ show ssl cert [<filename>]
Filename: *test.local.pem Filename: *test.local.pem
[...] [...]
show ssl crl-file [<crlfile>[:<index>]]
Display the list of CRL files used by HAProxy.
If a filename is prefixed by an asterisk, it is a transaction which is not
committed yet. If a <crlfile> is specified without <index>, it will show the
status of the CRL file ("Used"/"Unused") followed by details about all the
Revocation Lists contained in the CRL file. The details displayed for every
list are based on the output of "openssl crl -text -noout -in <file>".
If a <crlfile> is specified followed by an <index>, it will only display the
details of the list having the specified index. Indexes start from 1.
If the index is invalid (too big for instance), nothing will be displayed.
This command can be useful to check if a CRL file was properly updated.
You can also display the details of an ongoing transaction by prefixing the
filename by an asterisk.
Example :
$ echo "show ssl crl-file" | socat /var/run/haproxy.master -
# transaction
*crlfile.pem
# filename
crlfile.pem
$ echo "show ssl crl-file crlfile.pem" | socat /var/run/haproxy.master -
Filename: /home/tricot/work/haproxy/reg-tests/ssl/crlfile.pem
Status: Used
Certificate Revocation List #1:
Version 1
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=FR/O=HAProxy Technologies/CN=Intermediate CA2
Last Update: Apr 23 14:45:39 2021 GMT
Next Update: Sep 8 14:45:39 2048 GMT
Revoked Certificates:
Serial Number: 1008
Revocation Date: Apr 23 14:45:36 2021 GMT
Certificate Revocation List #2:
Version 1
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=FR/O=HAProxy Technologies/CN=Root CA
Last Update: Apr 23 14:30:44 2021 GMT
Next Update: Sep 8 14:30:44 2048 GMT
No Revoked Certificates.
show ssl crt-list [-n] [<filename>] show ssl crt-list [-n] [<filename>]
Display the list of crt-list and directories used in the HAProxy Display the list of crt-list and directories used in the HAProxy
configuration. If a filename is specified, dump the content of a crt-list or configuration. If a filename is specified, dump the content of a crt-list or