add ssl crt-list
Add an entry to an SSL CRT list.
Description
CRT lists are text files that describe the SSL certificates used in your HAProxy Enterprise configuration. In addition to listing the path to the actual certificate, these files can optionally include metadata related to cipher suite support, as well as SNI matching and exclusion patterns.
An example CRT list, stored at /etc/hapee-2.5/certificate-list.txt follows:
/etc/hapee-2.5/certs/default.pem
/etc/hapee-2.5/certs/test.local.pem [alpn h2 ssl-min-ver TLSv1.2] test.localThe first line lists a certificate, whereas the second line lists a certificate, cipher suite parameters, and the SNI, which lists a single domain explicitly. Note that the SNI filter supports wildcard filters and negation filters such as *.domain.tld and !secure.domain.tld.
For the cert list to take effect, it must be declared in a frontend bind directive using the crt-list parameter.
Changes to the certificates and crt-list made using the Runtime API are in memory only and not written to disk. They will therefore be lost when the proxy stops.
Examples
In this example, we add the line /etc/hapee-2.5/certs/new_certificate.pem [alpn h2] mysite.local to the CRT list at /etc/hapee-2.5/certificate-list.txt.
Note the syntax for setting the extra ALPN attributes and SNI value.
$ echo -e "add ssl crt-list /etc/hapee-2.5/certificate-list.txt <<\n/etc/haprohaproxy/certs/new_certificate.pem [alpn h2] mysite.local\n" | \ sudo socat stdio unix-connect:/var/run/hapee-2.5/hapee-lb.sockInserting certificate '/etc/hapee-2.5/certs/new_certificate.pem' in crt-list '/etc/hapee-2.5/certificate-list.txt'. Success!
Contextual Example
This operation is generally performed as part of a series of transactions. An example is outlined below. This example demonstrates how to upload a new certificate, attach it to HAProxy Enterprise's running configuration, and store it in a CRT list with cipher and SNI parameters. An optional delete command is included at the end.
-
Add a CRT list to your HAProxy Enterprise configuration file on a
bindline:frontend fe_main mode http bind :80 bind :443 ssl crt-list/etc/hapee-2.5/certificate-list.txt## This file must exist and contain at least one certificate, self-signed, if need be. http-request redirect scheme https unless { ssl_fc } default_backend servers -
Use the
new ssl certcommand to create an empty slot for a certificate in HAProxy's memory.$ echo -e "new ssl cert /etc/hapee-2.5/certs/new_certificate.pem" | \ sudo socat stdio unix-connect:/var/run/hapee-2.5/hapee-lb.sockNew empty certificate store '/etc/hapee-2.5/certs/new_certificate.pem'! -
Begin a transaction to upload the certificate into that slot by using the
set ssl certcommand.The new certificate should be in your local working directory.
$ echo -e "set ssl cert /etc/hapee-2.5/certs/new_certificate.pem <<\n$(cat ./new_certificate.pem)\n" | \ sudo socat stdio unix-connect:/var/run/hapee-2.5/hapee-lb.sockTransaction created for certificate /etc/hapee-2.5/certs/new_certificate.pem! -
Commit the transaction:
$ echo -e "commit ssl cert /etc/hapee-2.5/certs/new_certificate.pem" | \ sudo socat stdio unix-connect:/var/run/hapee-2.5/hapee-lb.sockCommitting /etc/hapee-2.5/certs/new_certificate.pem Success! -
Add a line to the CRT list, to add the certificate, cipher suite, and SNI options:
$ echo -e "add ssl crt-list /etc/hapee-2.5/certificate-list.txt <<\n/etc//haproxy/certs/new_certificate.pem [alpn h2] mysite.local\n" | \ sudo socat stdio unix-connect:/var/run/hapee-2.5/hapee-lb.sockInserting certificate '/etc/hapee-2.5/certs/new_certificate.pem' in crt-list '/etc//haproxy/certificate-list.txt'. Success! -
Use
show ssl crt-listto verify that the CRT list was updated correctly:$ echo "show ssl crt-list /etc/hapee-2.5/certificate-list.txt" | \ sudo socat stdio unix-connect:/var/run/hapee-2.5/hapee-lb.sock# /etc//haproxy/certificate-list.txt /etc/hapee-2.5/certs/site.pem /etc/hapee-2.5/certs/test.local.pem [alpn h2 ssl-min-ver TLSv1.2] test.local /etc/hapee-2.5/certs/new_certificate.pem [alpn h2] mysite.local -
When needed, use
del ssl crt-listto delete an entry from the CRT list in memory:$ echo -e "del ssl crt-list /etc/hapee-2.5/certificate-list.txt /etc/hapee-2.5/new_certificate.pem" | \ sudo socat stdio unix-connect:/var/run/hapee-2.5/hapee-lb.sockEntry '/etc/hapee-2.5/new_certificate.pem' deleted in crtlist '/etc/hapee-2.5/certificate-list.txt'!
See also
Next up
clear acl