commit ssl cert
Commit an SSL certificate transaction.
Description
HAProxy Enterprise can update an SSL certificate that it loaded into memory at startup. The workflow to update a certificate is:
- Start a transaction that uploads the local certificate file into memory using set ssl cert.
- Commit the transaction to update the certificate using commit ssl cert.
Examples
This example begins a transaction to load a certificate into HAProxy Enterprise's runtime memory and then commits it to finalize the upload.
$ echo -e "set ssl cert /etc/hapee-2.3/certs/site.pem <<\n$(cat ./new_certificate.pem)\n" | socat stdio tcp4-connect:127.0.0.1:9999
$ echo "commit ssl cert /etc/hapee-2.3/certs/site.pem" | socat stdio tcp4-connect:127.0.0.1:9999
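The set/commit workflow above, wrapped in a script that only commits when the upload step succeeded and otherwise aborts the transaction. This is an added example, not part of the HAProxy Enterprise documentation; it assumes socat and openssl are installed and that HAPEE_SOCK holds the socat address of the Runtime API.

```shell
#!/bin/sh
# Added example, not part of the HAProxy Enterprise docs: script the
# set/commit workflow so that a failed upload is aborted instead of
# committed. Assumes socat and openssl are installed and that HAPEE_SOCK
# holds the socat address of the Runtime API (the default is an assumption).
HAPEE_SOCK="${HAPEE_SOCK:-tcp-connect:127.0.0.1:9999}"

# Send one single-line Runtime API command and print the reply.
hapee_cmd() {
    printf '%s\n' "$1" | socat stdio "$HAPEE_SOCK"
}

# Build the "set ssl cert" payload: the command, the PEM contents and a
# blank line, which terminates the "<<" upload.
build_set_payload() {
    printf 'set ssl cert %s <<\n%s\n\n' "$1" "$(cat "$2")"
}

# Stream the payload directly so its terminating blank line survives
# (command substitution would strip trailing newlines).
hapee_send_set() {
    build_set_payload "$1" "$2" | socat stdio "$HAPEE_SOCK"
}

# Return 0 when a set/commit reply reports success, 1 otherwise.
reply_ok() {
    case "$1" in
        *"Transaction created"*|*"Success!"*) return 0 ;;
        *) return 1 ;;
    esac
}

# update_cert <path HAProxy knows the cert by> <local PEM file> [min days valid]
update_cert() {
    store="$1"; pem="$2"; days="${3:-1}"
    # Refuse to load a certificate that expires within the next N days.
    openssl x509 -in "$pem" -noout -checkend "$((days * 86400))" >/dev/null || {
        echo "refusing $pem: expires within $days day(s)" >&2; return 1; }
    reply=$(hapee_send_set "$store" "$pem")
    if ! reply_ok "$reply"; then
        echo "set ssl cert failed: $reply" >&2
        hapee_cmd "abort ssl cert $store" >/dev/null   # drop the open transaction
        return 1
    fi
    reply=$(hapee_cmd "commit ssl cert $store")
    reply_ok "$reply" || { echo "commit failed: $reply" >&2; return 1; }
    hapee_cmd "show ssl cert $store"   # audit what is now served from memory
}
```

Run it as `update_cert /etc/hapee-2.3/certs/site.pem ./new_certificate.pem 7` to refuse certificates with less than a week of validity left.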
Contextual Example
This operation will generally be performed as part of a series of transactions. An example is outlined below. This example demonstrates how to upload a new certificate, attach it to HAProxy Enterprise's running configuration, and store it in a CRT list with cipher and SNI parameters. An optional delete command is included at the end.
- Add a CRT list to your HAProxy Enterprise configuration file on a bind line:

    frontend fe_main
        mode http
        bind :80
        bind :443 ssl crt-list /etc/hapee-2.3/certificate-list.txt   # This file must exist and contain at least one certificate, self-signed, if need be.
        http-request redirect scheme https unless { ssl_fc }
        default_backend servers

- Use the new ssl cert command to create an empty slot for a certificate in HAProxy's memory:

    $ echo -e "new ssl cert /etc/hapee-2.3/certs/new_certificate.pem" | socat tcp-connect:192.168.1.10:9999 -
    New empty certificate store '/etc/hapee-2.3/certs/new_certificate.pem'!

- Begin a transaction to upload the certificate into that slot by using the set ssl cert command. The new certificate should be in your local working directory.

    $ echo -e "set ssl cert /etc/hapee-2.3/certs/new_certificate.pem <<\n$(cat ./new_certificate.pem)\n" | socat tcp-connect:192.168.1.10:9999 -
    Transaction created for certificate /etc/hapee-2.3/certs/new_certificate.pem!

- Commit the transaction:

    $ echo -e "commit ssl cert /etc/hapee-2.3/certs/new_certificate.pem" | socat tcp-connect:192.168.1.10:9999 -
    Committing /etc/hapee-2.3/certs/new_certificate.pem
    Success!

- Add a line to the CRT list, to add the certificate, cipher suite and SNI options. The certificate path must match the store that was committed above:

    $ echo -e "add ssl crt-list /etc/hapee-2.3/certificate-list.txt <<\n/etc/hapee-2.3/certs/new_certificate.pem [alpn h2] mysite.local\n" | socat tcp-connect:192.168.1.10:9999 -
    Inserting certificate '/etc/hapee-2.3/certs/new_certificate.pem' in crt-list '/etc/hapee-2.3/certificate-list.txt'.
    Success!

- Use show ssl crt-list to verify that the CRT list was updated correctly:

    $ echo "show ssl crt-list /etc/hapee-2.3/certificate-list.txt" | socat tcp-connect:192.168.1.10:9999 -
    # /etc/hapee-2.3/certificate-list.txt
    /etc/hapee-2.3/certs/site.pem
    /etc/hapee-2.3/certs/test.local.pem [alpn h2 ssl-min-ver TLSv1.2] test.local
    /etc/hapee-2.3/certs/new_certificate.pem [alpn h2] mysite.local

- Use del ssl crt-list to delete an entry from the CRT list. The command takes the CRT list file first, then the certificate entry to remove:

    $ echo -e "del ssl crt-list /etc/hapee-2.3/certificate-list.txt /etc/hapee-2.3/certs/new_certificate.pem" | socat tcp-connect:127.0.0.1:9999 -
    Entry '/etc/hapee-2.3/certs/new_certificate.pem' deleted in crtlist '/etc/hapee-2.3/certificate-list.txt'!