Reference

show ssl ocsp-updates

Show the expected time of the next OCSP updates and the status of the last OCSP updates.

Description Jump to heading

Available since

  • HAProxy 2.8
  • HAProxy Enterprise 2.8r1

When OCSP is enabled, the load balancer will automatically, and on a specified interval, fetch the OCSP response for each of its configured certificates. You can view the status of past updates, as well as the expected time for the next updates, using show ssl ocsp-updates.

Examples Jump to heading

Follow these steps to view the OCSP response statuses.

  1. Use the show ssl ocsp-updates command:

    output
    bash
    echo "show ssl ocsp-updates" | socat /tmp/haproxy.sock -
    OCSP Certid | Path | Next Update | Last Update | Successes | Failures | Last Update Status | Last Update Status (str)
    303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 | /etc/hapee-2.8/certs/cert.pem | 31/Oct/2023:00:08:09 +0000 | - | 0 | 1 | 2 | HTTP error
    304b300906052b0e03021a0500041448dac9a0fb2bd32d4ff0de68d2f567b735f9b3c40414142eb317b75856cbae500940e61faf9d8b14c2c6021203e16a7aa01542f291237b454a627fdea9c1 | /etc/hapee-2.8/certs/other_cert.pem | 31/Oct/2023:01:07:09 +0000 | 30/Jan/2023:00:07:09 +0000 | 1 | 0 | 1 | Update successful
    303b300906052b0e03021a05000414d59b53c6deb73f54127efecfdf004e497757fe2f0414198cc3439a028c6349aaad77c96806b66632860202021008 | /etc/hapee-2.8/certs/newcert.pem | 31/Oct/2023:18:39:12 +0000 | - | 0 | 3 | 4 | OCSP response check failure
    output
    bash
    echo "show ssl ocsp-updates" | socat /tmp/haproxy.sock -
    OCSP Certid | Path | Next Update | Last Update | Successes | Failures | Last Update Status | Last Update Status (str)
    303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 | /etc/hapee-2.8/certs/cert.pem | 31/Oct/2023:00:08:09 +0000 | - | 0 | 1 | 2 | HTTP error
    304b300906052b0e03021a0500041448dac9a0fb2bd32d4ff0de68d2f567b735f9b3c40414142eb317b75856cbae500940e61faf9d8b14c2c6021203e16a7aa01542f291237b454a627fdea9c1 | /etc/hapee-2.8/certs/other_cert.pem | 31/Oct/2023:01:07:09 +0000 | 30/Jan/2023:00:07:09 +0000 | 1 | 0 | 1 | Update successful
    303b300906052b0e03021a05000414d59b53c6deb73f54127efecfdf004e497757fe2f0414198cc3439a028c6349aaad77c96806b66632860202021008 | /etc/hapee-2.8/certs/newcert.pem | 31/Oct/2023:18:39:12 +0000 | - | 0 | 3 | 4 | OCSP response check failure

    In this example there are three OCSP responses: one that was successful, and two with errors.

    The update errors and their codes are listed below:

    ID Message
    0 Unknown
    1 Update successful
    2 HTTP error
    3 Missing “ocsp-response” header
    4 OCSP response check failure
    5 Error during insertion

    If a response has the error “OCSP response check failure”, it may be that the issuer certificate is not valid. For more information about ocsp-update see: ocsp-update reference.

See also Jump to heading

If this page was useful, please, Leave the feedback.