abort ssl ca-file
Abort and destroy a temporary CA file update transaction.
Description
Abort and destroy a temporary CA file update transaction. The CLI command set ssl ca-file makes CA file changes in a temporary transaction. When changes are complete, you can apply the transaction to runtime memory using commit ssl ca-file or abort them using this command.
Examples
Begin a transaction to load a certificate into HAProxy Enterprise's runtime memory, then abort the transaction. The CA file named in the command must already be known to HAProxy Enterprise, for example because the configuration references it; the payload after << is terminated by an empty line, which the trailing \n in echo -e supplies.
$ echo -e "set ssl ca-file cafile.pem <<\n$(cat rootCA.crt)\n" | \
sudo socat stdio unix-connect:/var/run/hapee-2.5/hapee-lb.sock
$ echo "abort ssl ca-file cafile.pem" | \
sudo socat stdio unix-connect:/var/run/hapee-2.5/hapee-lb.sock
Contextual Example
This operation is generally performed as part of a series of transactions used to manage CA files. You can manage CA files for different domains by passing them to the add ssl crt-list command.
The example in this section demonstrates how to upload a new CA file and attach it to HAProxy Enterprise's running configuration.
Verify client certificates
The simplest way to configure an application to use a CA file for verifying client certificates is to specify the CA file or directory in the frontend configuration.
- Declare the CA file or directory in the frontend bind directive using the ca-file or ca-verify-file parameter. The argument passed to the ca-file parameter can be a specific CA file or a directory containing CA files. The file or directory must already exist. Certificates listed with ca-verify-file are trusted when verifying the client chain but are not advertised to the client in the list of acceptable CA names, which is why the root CA goes there and the intermediate CA goes in ca-file.
frontend fe_main
  mode http
  bind :80
  bind :443 ssl crt /etc/hapee-2.5/ssl.pem alpn h2 verify required ca-file /etc/hapee-2.5/intermediate-ca.crt ca-verify-file /etc/hapee-2.5/root-ca.crt
  http-request redirect scheme https unless { ssl_fc }
  default_backend servers
Use the Runtime API to update a CA file
There are Runtime API commands for modifying CA file contents during runtime. You can:
- replace the contents of a CA file entirely using the set ssl ca-file command
- add certificates to the existing content using the add ssl ca-file command
- remove a CA file from memory using the del ssl ca-file command
To modify the runtime CA file, follow these steps.
- To replace the CA file contents with new certificates, use the set ssl ca-file command.
$ echo -e "set ssl ca-file /etc/hapee-2.5/intermediate-ca.crt <<\n$(cat ./new_certificate.pem)\n" | \
sudo socat stdio unix-connect:/var/run/hapee-2.5/hapee-lb.sock
transaction created for CA /etc/hapee-2.5/intermediate-ca.crt!
- To add an entry to the CA file within the same transaction, use the add ssl ca-file command. Note the $(...) command substitution: without the leading $, the literal text (cat ./new_certificate2.pem) would be sent as the payload.
$ echo -e "add ssl ca-file /etc/hapee-2.5/intermediate-ca.crt <<\n$(cat ./new_certificate2.pem)\n" | \
sudo socat stdio unix-connect:/var/run/hapee-2.5/hapee-lb.sock
transaction updated for CA /etc/hapee-2.5/intermediate-ca.crt!
- Updates to the CA file in memory do not take effect until the transaction is committed. Commit the transaction:
$ echo -e "commit ssl ca-file /etc/hapee-2.5/intermediate-ca.crt" | \
sudo socat stdio unix-connect:/var/run/hapee-2.5/hapee-lb.sock
Committing /etc/hapee-2.5/intermediate-ca.crt
Success!
- Use show ssl ca-file to verify that the CA file was updated correctly:
$ echo "show ssl ca-file /etc/hapee-2.5/intermediate-ca.crt" | \
sudo socat stdio unix-connect:/var/run/hapee-2.5/hapee-lb.sock
Filename: /etc/hapee-2.5/intermediate-ca.crt
Status: Unused
Certificate #1:
Serial: 03BB662E4A45FE7E576F3C22195ADDC0
notBefore: Nov 9 00:00:00 1994 GMT
notAfter: Jan 7 23:59:59 2010 GMT
Subject Alternative Name:
Algorithm: RSA1000
SHA1 FingerPrint: 4463A531B4BCA1004794612BC646D3BF8233846F
Subject: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
Issuer: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
Certificate #2:
Serial: 04BB662E4A45FE7E576F3C22195AEDC0
notBefore: Nov 9 00:00:00 1994 GMT
notAfter: Jan 7 23:59:59 2010 GMT
Subject Alternative Name:
Algorithm: RSA1000
SHA1 FingerPrint: 2463A531B4BCA1004794212BC646D3BF8233846D
Subject: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
Issuer: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
- To delete a CA file from memory, use del ssl ca-file. This only succeeds for a CA file that is not in use (Status: Unused in the show ssl ca-file output); a file still referenced by a bind, server or crt-list entry cannot be deleted at runtime.
$ echo -e "del ssl ca-file /etc/hapee-2.5/intermediate-ca.crt" | \
sudo socat stdio unix-connect:/var/run/hapee-2.5/hapee-lb.sock
CA file '/etc/hapee-2.5/intermediate-ca.crt' deleted!
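The steps above, and the set-then-abort sequence in the Examples section, are shown here as one script. This is an added example, not code from the HAProxy Enterprise documentation or product: it builds the multi-line payload with printf instead of echo -e (so a PEM file without a trailing newline still gets the empty terminator line), checks each Runtime API reply before moving on, aborts the transaction when set or commit does not answer as expected, and counts the certificates reported by show ssl ca-file afterwards. The socket path, the CA file name and the PEM path are assumptions passed in by the caller.

```shell
#!/bin/sh
# Added example, not part of the HAProxy Enterprise docs. Assumed defaults:
# socket path below, CA file name and PEM path given on the command line.
SOCK="${HAPEE_SOCK:-/var/run/hapee-2.5/hapee-lb.sock}"

# Send one Runtime API command (read from stdin) and print the reply.
api() {
    socat stdio "unix-connect:$SOCK"
}

# Build the payload for "set ssl ca-file" / "add ssl ca-file":
#   <cmd> ssl ca-file <name> <<
#   ...PEM lines...
#   <empty line terminates the payload>
# awk '1' re-emits every PEM line with a newline, so a PEM file that lacks a
# trailing newline still ends up followed by a proper empty terminator line.
build_payload() {  # $1 = set|add, $2 = CA file name, $3 = PEM path
    printf '%s ssl ca-file %s <<\n' "$1" "$2"
    awk '1' "$3"
    printf '\n'
}

# True when the reply starts with the expected text.
reply_ok() {  # $1 = reply, $2 = expected prefix
    case "$1" in
        "$2"*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Count "Certificate #N:" headers in "show ssl ca-file <name>" output (stdin).
# grep -c exits 1 when nothing matches but still prints 0, hence "|| true".
count_certs() {
    grep -c '^Certificate #' || true
}

# Replace the in-memory CA file $1 with the PEM at $2. Commit only when every
# step answered as expected; otherwise abort so no half-built transaction is
# left behind for the next operator to commit by accident.
update_ca_file() {  # $1 = CA file name as HAProxy knows it, $2 = PEM path
    reply=$(build_payload set "$1" "$2" | api)
    if ! reply_ok "$reply" "transaction created for CA $1"; then
        printf 'set failed: %s\n' "$reply" >&2
        printf 'abort ssl ca-file %s\n' "$1" | api >/dev/null
        return 1
    fi
    reply=$(printf 'commit ssl ca-file %s\n' "$1" | api)
    case "$reply" in
        *Success*) ;;
        *) printf 'commit failed: %s\n' "$reply" >&2
           printf 'abort ssl ca-file %s\n' "$1" | api >/dev/null
           return 1 ;;
    esac
    n=$(printf 'show ssl ca-file %s\n' "$1" | api | count_certs)
    printf 'committed %s: %s certificate(s) now loaded\n' "$1" "$n"
}

# Usage: sudo ./update-ca.sh run /etc/hapee-2.5/intermediate-ca.crt ./new_bundle.pem
case "${1:-}" in
    run) update_ca_file "$2" "$3" ;;
esac
```

Run it with sudo (or as a user allowed to open the stats socket), since the socket is normally root-owned. The script only reports the certificate count after the commit; comparing the SHA1 FingerPrint lines in the show ssl ca-file output against the fingerprints of the PEM you intended to load is the stronger check when the bundle matters.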
Verify server certificates
To use CA files to verify server certificates, specify the CA file using the ca-file parameter in the backend server or default-server directive.
backend web_servers
mode http
server s1 192.168.1.25:80 ssl verify required ca-file /etc/hapee-2.5/server-trusted-ca.crt
server s2 192.168.1.26:80 ssl verify required ca-file /etc/hapee-2.5/server-trusted-ca.crt
server s3 192.168.1.27:80 ssl verify required ca-file /etc/hapee-2.5/server-trusted-ca.crt