del ssl crt-list
Delete an entry from an SSL CRT list residing in memory.
Description
CRT lists are text files that describe the SSL certificates used by HAProxy Enterprise. When dynamically creating and manipulating certificates, this command deletes a line from an SSL CRT list in memory.
Examples
In this example, a line reading /etc/hapee-2.4/api.pem is deleted from the in-memory CRT list at /etc/hapee-2.4/crt-list.txt.
$ echo -e "del ssl crt-list /etc/hapee-2.4/crt-list.txt /etc/hapee-2.4/api.pem" | \
sudo socat stdio unix-connect:/var/run/hapee-2.4/hapee-lb.sock
Entry '/etc/hapee-2.4/api.pem' deleted in crtlist '/etc/hapee-2.4/crt-list.txt'!
Contextual Example
This operation is generally performed as part of a series of transactions. An example is outlined below. This example demonstrates how to upload a new certificate, attach it to HAProxy Enterprise's running configuration, and store it in a CRT list with cipher and SNI parameters. An optional delete command is included at the end.
- Add a CRT list to your HAProxy Enterprise configuration file on a bind line:

frontend fe_main
    mode http
    bind :80
    bind :443 ssl crt-list /etc/hapee-2.4/certificate-list.txt
    # This file must exist and contain at least one certificate, self-signed if need be.
    http-request redirect scheme https unless { ssl_fc }
    default_backend servers

- Use the new ssl cert command to create an empty slot for a certificate in HAProxy's memory:

$ echo -e "new ssl cert /etc/hapee-2.4/certs/new_certificate.pem" | \
sudo socat stdio unix-connect:/var/run/hapee-2.4/hapee-lb.sock
New empty certificate store '/etc/hapee-2.4/certs/new_certificate.pem'!

- Begin a transaction to upload the certificate into that slot by using the set ssl cert command. The new certificate should be in your local working directory:

$ echo -e "set ssl cert /etc/hapee-2.4/certs/new_certificate.pem <<\n$(cat ./new_certificate.pem)\n" | \
sudo socat stdio unix-connect:/var/run/hapee-2.4/hapee-lb.sock
Transaction created for certificate /etc/hapee-2.4/certs/new_certificate.pem!

- Commit the transaction:

$ echo -e "commit ssl cert /etc/hapee-2.4/certs/new_certificate.pem" | \
sudo socat stdio unix-connect:/var/run/hapee-2.4/hapee-lb.sock
Committing /etc/hapee-2.4/certs/new_certificate.pem
Success!

- Add a line to the CRT list that references the committed certificate together with its cipher suite and SNI options (the certificate path must match the slot committed above):

$ echo -e "add ssl crt-list /etc/hapee-2.4/certificate-list.txt <<\n/etc/hapee-2.4/certs/new_certificate.pem [alpn h2] mysite.local\n" | \
sudo socat stdio unix-connect:/var/run/hapee-2.4/hapee-lb.sock
Inserting certificate '/etc/hapee-2.4/certs/new_certificate.pem' in crt-list '/etc/hapee-2.4/certificate-list.txt'.
Success!

- Use show ssl crt-list to verify that the CRT list was updated correctly:

$ echo "show ssl crt-list /etc/hapee-2.4/certificate-list.txt" | \
sudo socat stdio unix-connect:/var/run/hapee-2.4/hapee-lb.sock
# /etc/hapee-2.4/certificate-list.txt
/etc/hapee-2.4/certs/site.pem
/etc/hapee-2.4/certs/test.local.pem [alpn h2 ssl-min-ver TLSv1.2] test.local
/etc/hapee-2.4/certs/new_certificate.pem [alpn h2] mysite.local

- When needed, use del ssl crt-list to delete an entry from the CRT list in memory (the entry is identified by the same certificate path that was added):

$ echo -e "del ssl crt-list /etc/hapee-2.4/certificate-list.txt /etc/hapee-2.4/certs/new_certificate.pem" | \
sudo socat stdio unix-connect:/var/run/hapee-2.4/hapee-lb.sock
Entry '/etc/hapee-2.4/certs/new_certificate.pem' deleted in crtlist '/etc/hapee-2.4/certificate-list.txt'!
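The sequence above, scripted end to end as an added example (not code from the HAProxy Enterprise documentation): each Runtime API step is checked for one of the success replies shown on this page before the next one runs, and the in-memory list is re-read after the add. It assumes the socket and file paths used on this page, socat on the PATH and access to the socket (run under sudo where the page does); the function names runtime_api, heredoc_payload, reply_ok, step, rotate_cert and remove_entry are the example's own.

```shell
# Added example, not from the HAProxy Enterprise docs: drives the upload,
# commit and crt-list steps above, stopping at the first non-success reply.
SOCK="${HAPEE_SOCK:-/var/run/hapee-2.4/hapee-lb.sock}"  # socket path from the page
CRT_LIST="/etc/hapee-2.4/certificate-list.txt"          # list path from the page
CERT_SLOT="/etc/hapee-2.4/certs/new_certificate.pem"    # slot path from the page

# Send one Runtime API command over the stats socket and print the reply.
# A command carrying a "<<" body gets the extra blank line that ends the body.
runtime_api() {
    case "$1" in
        *"<<"*) printf '%s\n\n' "$1" ;;
        *)      printf '%s\n' "$1" ;;
    esac | socat stdio "unix-connect:$SOCK"
}

# Build "<command> <<\n<body>" for set ssl cert and add ssl crt-list.
heredoc_payload() { printf '%s <<\n%s' "$1" "$2"; }

# The success replies shown on this page; anything else counts as failure.
reply_ok() {
    case "$1" in
        *Success!*|*"deleted in crtlist"*|*"Transaction created"*|*"New empty certificate store"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run one step; abort the procedure if its reply is not a success.
step() {
    reply=$(runtime_api "$1")
    printf '%s\n' "$reply"
    reply_ok "$reply" || { echo "step failed: ${1%%<<*}" >&2; exit 1; }
}

# Usage: rotate_cert ./new_certificate.pem mysite.local
rotate_cert() {
    pem_file="$1"; sni="$2"
    step "new ssl cert $CERT_SLOT"
    step "$(heredoc_payload "set ssl cert $CERT_SLOT" "$(cat "$pem_file")")"
    step "commit ssl cert $CERT_SLOT"
    step "$(heredoc_payload "add ssl crt-list $CRT_LIST" "$CERT_SLOT [alpn h2] $sni")"
    # Re-read the in-memory list and confirm the new line is really there.
    runtime_api "show ssl crt-list $CRT_LIST" | grep -qF "$CERT_SLOT [alpn h2] $sni" \
        || { echo "entry missing from $CRT_LIST after add" >&2; exit 1; }
}

# Usage: remove_entry /etc/hapee-2.4/certs/new_certificate.pem  (in-memory only)
remove_entry() { step "del ssl crt-list $CRT_LIST $1"; }
```

Set HAPEE_SOCK to point the script at a different socket; the del step, like the page's command, only changes the copy of the list held in memory.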