HAProxy Enterprise Documentation 2.2r1

set ssl cert

Add an SSL certificate to a transaction.

Description

HAProxy Enterprise can update an SSL certificate that it loaded into memory at startup. The workflow to update a certificate is:

  1. Start a transaction that uploads the local certificate file into memory using set ssl cert.

  2. Commit the transaction to update the certificate using commit ssl cert.

Changes to certificates and crt-lists made using the Runtime API are held in memory only and are not written to disk. They are therefore lost when the proxy stops; to keep them across a restart, also update the certificate files and the crt-list file on disk.

Examples

This example begins a transaction to load a certificate into HAProxy Enterprise's runtime memory and then commits it to finalize the upload.

$ echo -e "set ssl cert /etc/hapee-2.2/certs/site.pem <<\n$(cat ./new_certificate.pem)\n" | \
   sudo socat stdio unix-connect:/var/run/hapee-2.2/hapee-lb.sock

$ echo "commit ssl cert /etc/hapee-2.2/certs/site.pem" | \
   sudo socat stdio unix-connect:/var/run/hapee-2.2/hapee-lb.sock

Contextual Example

This operation is usually one step in a sequence of Runtime API commands. The example below shows how to upload a new certificate, attach it to HAProxy Enterprise's running configuration, and add it to a CRT list with TLS options and an SNI filter. An optional delete command is included at the end.

  1. Add a CRT list to your HAProxy Enterprise configuration file on a bind line:

    frontend fe_main
       mode http
       bind :80
       bind :443 ssl crt-list /etc/hapee-2.2/certificate-list.txt ## This file must exist and contain at least one certificate (self-signed, if need be).
       http-request redirect scheme https unless { ssl_fc }
       default_backend servers
  2. Use the new ssl cert command to create an empty slot for a certificate in HAProxy's memory.

    $ echo -e "new ssl cert /etc/hapee-2.2/certs/new_certificate.pem" | \
       sudo socat stdio unix-connect:/var/run/hapee-2.2/hapee-lb.sock
    New empty certificate store '/etc/hapee-2.2/certs/new_certificate.pem'!
  3. Begin a transaction to upload the certificate into that slot by using the set ssl cert command.

    The new certificate should be in your local working directory.

    $ echo -e "set ssl cert /etc/hapee-2.2/certs/new_certificate.pem <<\n$(cat ./new_certificate.pem)\n" | \
       sudo socat stdio unix-connect:/var/run/hapee-2.2/hapee-lb.sock
    Transaction created for certificate /etc/hapee-2.2/certs/new_certificate.pem!
  4. Commit the transaction:

    $ echo -e "commit ssl cert /etc/hapee-2.2/certs/new_certificate.pem" | \
       sudo socat stdio unix-connect:/var/run/hapee-2.2/hapee-lb.sock
    Committing /etc/hapee-2.2/certs/new_certificate.pem
    Success!
  5. Add a line to the CRT list that references the certificate together with its TLS options (here `alpn h2`) and SNI name:

    $ echo -e "add ssl crt-list /etc/hapee-2.2/certificate-list.txt <<\n/etc/hapee-2.2/certs/new_certificate.pem [alpn h2] mysite.local\n" | \
       sudo socat stdio unix-connect:/var/run/hapee-2.2/hapee-lb.sock
    Inserting certificate '/etc/hapee-2.2/certs/new_certificate.pem' in crt-list '/etc/hapee-2.2/certificate-list.txt'.
    Success!
  6. Use show ssl crt-list to verify that the CRT list was updated correctly:

    $ echo "show ssl crt-list /etc/hapee-2.2/certificate-list.txt" | \
       sudo socat stdio unix-connect:/var/run/hapee-2.2/hapee-lb.sock
    # /etc/hapee-2.2/certificate-list.txt
    /etc/hapee-2.2/certs/site.pem
    /etc/hapee-2.2/certs/test.local.pem [alpn h2 ssl-min-ver TLSv1.2] test.local
    /etc/hapee-2.2/certs/new_certificate.pem [alpn h2] mysite.local
  7. When needed, use del ssl crt-list to delete an entry from the CRT list in memory:

    $ echo -e "del ssl crt-list /etc/hapee-2.2/certificate-list.txt /etc/hapee-2.2/certs/new_certificate.pem" | \
       sudo socat stdio unix-connect:/var/run/hapee-2.2/hapee-lb.sock
    Entry '/etc/hapee-2.2/certs/new_certificate.pem' deleted in crtlist '/etc/hapee-2.2/certificate-list.txt'!
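As an added example (not from the HAProxy Enterprise documentation or product), the following POSIX sh script wraps the two-step workflow from the Description and steps 2 to 6 of the contextual example into functions: it formats single-line and multi-line (`<<`) Runtime API commands, checks that the local PEM carries both a certificate and a private key block before anything is uploaded, refuses an already expired certificate when openssl is available, and stops at the first reply that does not carry one of the success messages shown on this page. The `HAPEE_SOCK` variable, the function names and the `[alpn h2]` option are assumptions; the script expects socat to be installed and to be run by a user allowed to open the socket.

```shell
#!/bin/sh
# Added example, not HAProxy Enterprise's own tooling. Assumes the socket path
# used on this page (override with HAPEE_SOCK) and a combined cert+key PEM file.
set -eu

SOCK="${HAPEE_SOCK:-/var/run/hapee-2.2/hapee-lb.sock}"

# Format one Runtime API command. With a body, use the multi-line "<<" form:
# the command, then the body, then an empty line that terminates the body.
format_cmd() {            # $1 = command, $2 = optional body
    if [ -n "${2:-}" ]; then
        printf '%s <<\n%s\n\n' "$1" "$2"
    else
        printf '%s\n' "$1"
    fi
}

# Send a formatted command to the socket and print HAProxy's reply.
send_cmd() {              # $1 = command, $2 = optional body
    format_cmd "$1" "${2:-}" | socat stdio "unix-connect:$SOCK"
}

# Return 0 only if the reply contains one of the success messages shown on
# this page; anything else (error text, empty reply) counts as a failure.
reply_ok() {              # $1 = reply text
    case "$1" in
        *"Success!"*) return 0 ;;
        *"Transaction created for certificate"*) return 0 ;;
        *"New empty certificate store"*) return 0 ;;
        *"deleted in crtlist"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the PEM file holds both a certificate and a private key block,
# which is what a combined certificate file loaded by HAProxy should contain.
pem_is_combined() {       # $1 = path to PEM file
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -Eq -e '-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$1"
}

# Return 1 if the certificate is already expired; skipped without openssl.
cert_not_expired() {      # $1 = path to PEM file
    command -v openssl >/dev/null 2>&1 || return 0
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Run one step and abort, printing the reply, when HAProxy does not report success.
step() {                  # $1 = description, $2 = command, $3 = optional body
    reply=$(send_cmd "$2" "${3:-}")
    if reply_ok "$reply"; then
        printf '%s: ok\n' "$1"
    else
        printf '%s: failed\n%s\n' "$1" "$reply" >&2
        return 1
    fi
}

# Upload a local PEM into a new certificate store and add it to a crt-list,
# in the same order as the steps on this page, then show the resulting list.
deploy_cert() {           # $1 = local PEM, $2 = store path, $3 = crt-list, $4 = SNI name
    pem_is_combined "$1" || { printf '%s: missing certificate or key block\n' "$1" >&2; return 1; }
    cert_not_expired "$1" || { printf '%s: certificate already expired\n' "$1" >&2; return 1; }
    step "new ssl cert"     "new ssl cert $2"
    step "set ssl cert"     "set ssl cert $2" "$(cat "$1")"
    step "commit ssl cert"  "commit ssl cert $2"
    step "add ssl crt-list" "add ssl crt-list $3" "$2 [alpn h2] $4"   # [alpn h2] is an assumed option
    send_cmd "show ssl crt-list $3"
}

# Usage: sh deploy_cert.sh ./new_certificate.pem /etc/hapee-2.2/certs/new_certificate.pem \
#            /etc/hapee-2.2/certificate-list.txt mysite.local
if [ "$#" -eq 4 ]; then
    deploy_cert "$1" "$2" "$3" "$4"
fi
```

Because the replies are matched against the success strings rather than the socket's exit status (socat exits 0 even when HAProxy answers with an error), a failed `new ssl cert` stops the script before `set ssl cert` uploads key material into a store that does not exist, and a failed `commit` stops it before the crt-list is touched.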
