DOC: ssl/cli: set/commit/abort ssl cert

Document the "set/commit/abort ssl cert" CLI commands in management.txt.

Must be backported in 2.1.
William Lallemand 2019-11-29 16:48:43 +01:00 committed by William Lallemand
parent f3ad62996f
commit 6ab08b3fd4


@ -1363,6 +1363,11 @@ enough privilege, you will get an error "Permission denied". Please check
the "level" option of the "bind" keyword lines in the configuration manual
for more information.
abort ssl cert <filename>
Abort and destroy a temporary SSL certificate update transaction.
See also "set ssl cert" and "commit ssl cert".
add acl <acl> <pattern>
Add an entry into the acl <acl>. <acl> is the #<id> or the <file> returned by
"show acl". This command does not verify if the entry already exists. This
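Review bot: The "abort ssl cert" entry does not say what happens when no transaction exists for <filename>; since the "set ssl cert" entry in this same patch describes the no-ongoing-transaction case, this one should state whether the command reports an error or is a no-op in that situation, so operators scripting a cleanup step know what to expect.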
@ -1464,6 +1469,16 @@ clear table <table> [ data.<type> <operator> <value> ] | [ key <key> ]
$ echo "show table http_proxy" | socat stdio /tmp/sock1
>>> # table: http_proxy, type: ip, size:204800, used:1
commit ssl cert <filename>
Commit and apply a temporary SSL certificate update transaction.
Generate every SSL contextes and SNIs it needs, insert them, and remove
the previous ones. Replace in memory the previous SSL certificates
everywhere the <filename> was used in the configuration.
Upon failure it doesn't remove or insert anything. Once the temporary
transaction is commited, it is destroyed.
See also "ssl set cert" and "abort ssl cert".
debug dev <command> [args]*
Call a developer-specific command. Only supported on a CLI connection running
in expert mode (see "expert-mode on"). Such commands are extremely dangerous
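Review bot: The cross-reference at the end of the "commit ssl cert" entry cites "ssl set cert", but the command is documented under "set ssl cert"; suggest `See also "set ssl cert" and "abort ssl cert".` Two typos in the same entry: "Generate every SSL contextes" should read "Generates every SSL context", and "commited" should be "committed". The sentence "Upon failure it doesn't remove or insert anything" would also benefit from stating whether the temporary transaction is kept or destroyed after a failed commit, since the next sentence only covers the success case.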
@ -1779,6 +1794,28 @@ set severity-output [ none | number | string ]
Change the severity output format of the stats socket connected to for the
duration of the current session.
set ssl cert <filename> <payload>
This command is part of a transaction system, the "commit ssl cert" and
"abort ssl cert" commands could be required.
If there is no on-going transaction, it will duplicate the certificate
<filename> in memory to a temporary transaction, then update this
transaction with the PEM file in the payload. If a transaction exists with
the same filename, it will update this transaction. It's also possible to
update the files linked to a certificate (.issuer, .sctl, .oscp etc.)
Once the modification are done, you have to "commit ssl cert" the
transaction.
Example:
echo -e "set ssl cert localhost.pem <<\n$(cat 127.0.0.1.pem)\n" | \
socat /var/run/haproxy.stat -
echo -e \
"set ssl cert localhost.pem.issuer <<\n $(cat 127.0.0.1.pem.issuer)\n" | \
socat /var/run/haproxy.stat -
echo -e \
"set ssl cert localhost.pem.ocsp <<\n$(base64 -w 1000 127.0.0.1.pem.ocsp)\n" | \
socat /var/run/haproxy.stat -
echo "commit ssl cert localhost.pem" | socat /var/run/haproxy.stat -
set ssl ocsp-response <response | payload>
This command is used to update an OCSP Response for a certificate (see "crt"
on "bind" lines). Same controls are performed as during the initial loading of
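Review bot: In the "set ssl cert" entry, ".oscp" in the list of linked files should be ".ocsp" (the example below uses "localhost.pem.ocsp"), and "Once the modification are done" should be "Once the modifications are done". The opening sentence is awkward; suggest "This command is part of a transaction system: the "commit ssl cert" or "abort ssl cert" command must be used afterwards." In the examples, the .issuer case has a stray space after `<<\n` (`<<\n $(cat 127.0.0.1.pem.issuer)`) that the .pem and .ocsp cases do not; keep the three consistent so a copy-paste of the documented form produces the same payload layout each time.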