@haproxytechblog
Last active August 23, 2020 04:31
Dynamic SSL Certificate Storage in HAProxy
global
    # Enable the HAProxy Runtime API
    # Note: "level admin" on a TCP socket grants full runtime control with no
    # authentication; bind it to a trusted address or restrict it at the firewall
    stats socket :9999 level admin expose-fd listeners

frontend fe_sitea
    mode http
    # listen for HTTP traffic
    bind :80
    # listen for HTTPS traffic, load certificates from a directory
    bind :443 ssl crt /etc/haproxy/certs/
    # redirect HTTP to HTTPS
    http-request redirect scheme https unless { ssl_fc }
    # the pool of servers
    default_backend servers

backend servers
    server s1 172.25.0.11:8080 check
    server s2 172.25.0.12:8080 check

# Start a transaction to update the certificate
$ echo -e "set ssl cert /etc/haproxy/certs/site.pem <<\n$(cat ./new_certificate.pem)\n" | socat tcp-connect:172.25.0.10:9999 -
# Check the pending transaction (asterisk means pending)
$ echo "show ssl cert" | socat tcp-connect:172.25.0.10:9999 -
# transaction
*/etc/haproxy/certs/site.pem
# filename
/etc/haproxy/certs/site.pem
$ echo "show ssl cert */etc/haproxy/certs/site.pem" | socat tcp-connect:172.25.0.10:9999 -
Filename: */etc/haproxy/certs/site.pem
Status: Unused
Serial: 1F5202E02083861B302FFA09045721F07C865EFD
notBefore: Aug 12 17:05:34 2020 GMT
notAfter: Aug 12 17:05:34 2021 GMT
Subject Alternative Name:
Algorithm: RSA2048
SHA1 FingerPrint: C2958E4ABDF89447BF0BEDEF43A1A202213B7B4C
Subject: /C=US/ST=Ohio/L=Columbus/O=Company/CN=example.local
# Commit the transaction so HAProxy detects the change
$ echo "commit ssl cert /etc/haproxy/certs/site.pem" | socat tcp-connect:172.25.0.10:9999 -
# Abort the transaction and cancel the change
$ echo "abort ssl cert /etc/haproxy/certs/site.pem" | socat tcp-connect:172.25.0.10:9999 -

# Show the certificate store itself (no asterisk), i.e. what HAProxy is currently serving
$ echo "show ssl cert /etc/haproxy/certs/site.pem" | socat tcp-connect:172.25.0.10:9999 -
Filename: /etc/haproxy/certs/site.pem
Status: Used
Serial: 1F5202E02083861B302FFA09045721F07C865EFD
notBefore: Aug 12 17:05:34 2020 GMT
notAfter: Aug 12 17:05:34 2021 GMT
Subject Alternative Name:
Algorithm: RSA2048
SHA1 FingerPrint: C2958E4ABDF89447BF0BEDEF43A1A202213B7B4C
Subject: /C=US/ST=Ohio/L=Columbus/O=Company/CN=example.local
Issuer: /C=US/ST=Ohio/L=Columbus/O=Company/CN=example.local

# The Runtime API only updates the certificate in memory; copy the file to disk
# as well so the change survives a reload or restart
$ scp new_certificate.pem username@172.25.0.10:/etc/haproxy/certs/site.pem

# crt-list file: one certificate per line, with optional [ssl options] and SNI filter
/etc/haproxy/certs/default.pem
/etc/haproxy/certs/test.local.pem [alpn h2 ssl-min-ver TLSv1.2] test.local

frontend fe_main
    mode http
    bind :80
    bind :443 ssl crt-list /etc/haproxy/crt-list.txt
    http-request redirect scheme https unless { ssl_fc }
    default_backend servers

$ echo -e "new ssl cert /etc/haproxy/certs/new_certificate.pem" | socat tcp-connect:127.0.0.1:9999 -
New empty certificate store '/etc/haproxy/certs/new_certificate.pem'!
$ echo -e "set ssl cert /etc/haproxy/certs/new_certificate.pem <<\n$(cat ./new_certificate.pem)\n" | socat tcp-connect:127.0.0.1:9999 -
Transaction created for certificate /etc/haproxy/certs/new_certificate.pem!
$ echo -e "commit ssl cert /etc/haproxy/certs/new_certificate.pem" | socat tcp-connect:127.0.0.1:9999 -
Committing /etc/haproxy/certs/new_certificate.pem
Success!
$ echo -e "add ssl crt-list /etc/haproxy/cert-list.txt <<\n/etc/haproxy/certs/new_certificate.pem [alpn h2] mysite.local\n" | socat tcp-connect:127.0.0.1:9999 -
Inserting certificate '/etc/haproxy/certs/new_certificate.pem' in crt-list '/etc/haproxy/cert-list.txt'.
Success!
$ echo "show ssl crt-list /etc/haproxy/cert-list.txt" | socat tcp-connect:127.0.0.1:9999 -
# /etc/haproxy/cert-list.txt
/etc/haproxy/certs/site.pem
/etc/haproxy/certs/test.local.pem [alpn h2 ssl-min-ver TLSv1.2] test.local
/etc/haproxy/certs/new_certificate.pem [alpn h2] mysite.local
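The socat one-liners above leave the operator to eyeball the pending transaction before committing. The following is an added example, not code from this gist or from HAProxy: a small Python client for the Runtime API that automates the set / show / commit-or-abort sequence and builds the `add ssl crt-list` payload. It inspects the `*`-prefixed transaction the way `show ssl cert */etc/haproxy/certs/site.pem` does above and only commits when the pending certificate is really the PEM that was pushed (SHA-1 fingerprint), is pending (`Status: Unused`) and is inside its validity window; otherwise it aborts. Every function name is hypothetical, a Python socket stands in for socat (same one-command-per-connection behaviour, default `127.0.0.1:9999` as in the page's second session), and the self-test runs against constructed data (a fake PEM body and the page's `show ssl cert` fields) rather than a live HAProxy.

```python
"""Added example for this gist (not the gist's own code): a Python client for the
HAProxy Runtime API that performs the transactional update shown above (set -> inspect
the pending '*' transaction -> commit, or abort) and builds the `add ssl crt-list`
payload.  Names are hypothetical; a socket replaces socat; the self-test uses constructed data."""
import base64
import hashlib
import re
import socket
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple
Sender = Callable[[str], str]  # one Runtime API command in, its reply out

def runtime_api_sender(host: str = "127.0.0.1", port: int = 9999) -> Sender:
    """Like `socat tcp-connect:HOST:PORT -`: one connection per command, read until close."""
    def send(command: str) -> str:
        with socket.create_connection((host, port), timeout=5) as sock:
            # keep a payload's own trailing blank line; only bare commands need a newline added
            sock.sendall((command if command.endswith("\n") else command + "\n").encode())
            sock.shutdown(socket.SHUT_WR)
            reply = b""
            while chunk := sock.recv(4096):
                reply += chunk
        return reply.decode(errors="replace")
    return send

def set_cert_payload(store: str, pem: str) -> str:
    """`set ssl cert FILE <<`, the PEM, then the blank line that terminates the payload."""
    return f"set ssl cert {store} <<\n{pem.strip()}\n\n"

def add_crt_list_payload(crt_list: str, store: str, sni: str, options: str = "") -> str:
    """`add ssl crt-list LIST <<` with one entry line: FILE [options] SNI."""
    return f"add ssl crt-list {crt_list} <<\n{store}{f' [{options}]' if options else ''} {sni}\n\n"

def parse_cert_status(output: str) -> Dict[str, str]:
    """Turn the `show ssl cert FILE` key: value listing into a dict."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = " ".join(value.split())
    return fields

def sha1_fingerprint(pem: str) -> str:
    """SHA-1 of the DER of the first certificate in the bundle, like HAProxy's `SHA1 FingerPrint`."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not match:
        raise ValueError("no CERTIFICATE block in PEM data")
    return hashlib.sha1(base64.b64decode("".join(match.group(1).split()))).hexdigest().upper()

def pending_problem(fields: Dict[str, str], expected_sha1: str, now: datetime) -> Optional[str]:
    """Reason not to commit the pending transaction, or None: it must exist (Status: Unused),
    be the PEM we pushed (fingerprint) and be inside its validity window right now."""
    if fields.get("Status") != "Unused":
        return "no pending transaction (Status is not 'Unused')"
    if fields.get("SHA1 FingerPrint", "").upper() != expected_sha1.upper():
        return "pending certificate fingerprint does not match the PEM we pushed"
    try:  # notBefore/notAfter are printed like 'Aug 12 17:05:34 2020 GMT'
        not_before, not_after = (datetime.strptime(fields[k], "%b %d %H:%M:%S %Y GMT")
                                 .replace(tzinfo=timezone.utc) for k in ("notBefore", "notAfter"))
    except (KeyError, ValueError):
        return "validity dates missing or unparsable"
    if not not_before <= now <= not_after:
        return f"not valid at {now:%Y-%m-%d} (valid {not_before:%Y-%m-%d} to {not_after:%Y-%m-%d})"
    return None

def update_certificate(send: Sender, store: str, pem: str, now: Optional[datetime] = None) -> str:
    """set -> show the '*' transaction -> commit if it checks out, abort otherwise."""
    now = now or datetime.now(timezone.utc)
    send(set_cert_payload(store, pem))
    problem = pending_problem(parse_cert_status(send(f"show ssl cert *{store}")), sha1_fingerprint(pem), now)
    if problem:
        send(f"abort ssl cert {store}")
        return f"aborted: {problem}"
    send(f"commit ssl cert {store}")
    return "committed"

def scripted_sender(replies: Dict[str, str], log: List[str]) -> Sender:
    """Offline stand-in for HAProxy (constructed): logs each command's first line, answers from a table."""
    def send(command: str) -> str:
        log.append(command.splitlines()[0])
        return replies.get(log[-1], "")
    return send

# Constructed sample data: a fake PEM body (not a real certificate) and the relevant lines
# of this page's `show ssl cert */etc/haproxy/certs/site.pem` reply, fingerprint made to match.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed-not-a-real-certificate").decode()
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_SHOW = ("Filename: */etc/haproxy/certs/site.pem\nStatus: Unused\n"
               "notBefore: Aug 12 17:05:34 2020 GMT\nnotAfter: Aug 12 17:05:34 2021 GMT\n"
               f"SHA1 FingerPrint: {sha1_fingerprint(SAMPLE_PEM)}\n")

def demo(date: str) -> Tuple[str, List[str]]:
    """Rotate site.pem against the scripted HAProxy as of DATE (YYYY-MM-DD); return (outcome, commands)."""
    now = datetime.strptime(date, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    log: List[str] = []
    send = scripted_sender({"show ssl cert */etc/haproxy/certs/site.pem": SAMPLE_SHOW}, log)
    return update_certificate(send, "/etc/haproxy/certs/site.pem", SAMPLE_PEM, now), log

if __name__ == "__main__":
    print(demo("2020-12-01"), demo("2022-01-01"))  # committed; aborted (expired)
```

Against a real instance, `update_certificate(runtime_api_sender("172.25.0.10"), "/etc/haproxy/certs/site.pem", open("new_certificate.pem").read())` performs the same exchange as the socat session above, and `add_crt_list_payload(...)` produces exactly the `add ssl crt-list` payload shown for `mysite.local`. The fingerprint check matters because `set ssl cert` replaces whatever the store currently holds: comparing what HAProxy reports against the file you meant to push catches a wrong path or a stale file before it is served, and the same reply feeds an expiry alert if you log `notAfter`.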