
crt <cert> not supported by data plane API

Open bren-doyle opened this issue 4 years ago • 4 comments

In the data plane API, if I try to specify a single cert using "crt":

    {"name": "'"$name"'", "address":"'"$vip"'", "port": 443, "ssl": true, "ssl_cafile": "cert-ourca.crt", "crt": "www.example.com.pem", "verify": "required", "prefer_client_ciphers": true}

I get:

    {"address":"192.16.1.103","name":"vcn1_lb1_vip","port":443,"prefer_client_ciphers":true,"ssl":true,"ssl_cafile":"cert-ourca.crt","verify":"required"}
    {"code":400,"message":"14: err transactionId=89f79029-f308-4c60-bb9c-1140b6e39263 \nmsg="Proxy 'https_443': no SSL certificate specified for bind '192.16.1.103:443' at [/tmp/haproxy/192.16.1.101_haproxy.cfg.89f79029-f308-4c60-bb9c-1140b6e39263:50] (use 'crt')."\nmsg="Fatal errors found in configuration.""}

Looking at embedded_spec.go it seems this is not supported??

bren-doyle, Mar 26 '21 15:03

Try 'ssl_certificate'. If you have a running dataplane api, you can use /v2/docs for endpoint documentation.

schegi, Mar 29 '21 06:03

No, that does not help:

    "ssl_certificate": "/run/ssl/www.example.com.pem",

    {"address":"192.16.1.103","ciphers":"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256","crt_list":"/run/ssl/crt_list.txt","name":"vcn1_lb1_vip","port":443,"prefer_client_ciphers":true,"ssl":true,"ssl_certificate":"/run/ssl/www.example.com.pem","ssl_max_ver":"TLSv1.2","ssl_min_ver":"TLSv1.0","verify":"required"}
    {"code":400,"message":"14: err transactionId=7f94757c-a2ed-45f8-8c38-87c0c4470b35 \nmsg="Proxy 'https_443': verify is enabled but no CA file specified for bind '192.16.1.103:443' at [/tmp/haproxy/192.16.1.100_haproxy.cfg.7f94757c-a2ed-45f8-8c38-87c0c4470b35:50]."\nmsg="Fatal errors found in configuration.""}

bren-doyle, Mar 29 '21 14:03

The given cert file has to contain ca, cert and key.

schegi, Mar 31 '21 09:03

It does. I use the same cert in an ssl file and it works fine; it's just that crt or ssl_certificate are ignored, so

         "crt_list": "/run/ssl/crt_list.txt",

where crt_list.txt contains www.example.com.pem

works, but

"ssl_certificate": "/run/ssl/www.example.com.pem", OR "crt": "/run/ssl/www.example.com.pem",

does not.

bren-doyle, Mar 31 '21 11:03
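
An added example, not part of the original thread or the dataplaneapi project: a small Python check run over the request and response bodies quoted above. It lists request keys missing from the bind the API echoed back and flags the two conditions behind the quoted HAProxy errors; the helper names are hypothetical and the sample data is constructed from the thread's output.

```python
import json

# Constructed from the bodies quoted in the thread. The shell variables
# $name and $vip are replaced by the values the API echoed back.
REQUEST_1 = {"name": "vcn1_lb1_vip", "address": "192.16.1.103", "port": 443,
             "ssl": True, "ssl_cafile": "cert-ourca.crt",
             "crt": "www.example.com.pem", "verify": "required",
             "prefer_client_ciphers": True}
ECHO_1 = json.loads('{"address":"192.16.1.103","name":"vcn1_lb1_vip","port":443,'
                    '"prefer_client_ciphers":true,"ssl":true,'
                    '"ssl_cafile":"cert-ourca.crt","verify":"required"}')
# Second echoed bind, with the ciphers and ssl_*_ver fields left out for brevity.
ECHO_2 = json.loads('{"address":"192.16.1.103","crt_list":"/run/ssl/crt_list.txt",'
                    '"name":"vcn1_lb1_vip","port":443,"prefer_client_ciphers":true,'
                    '"ssl":true,"ssl_certificate":"/run/ssl/www.example.com.pem",'
                    '"verify":"required"}')


def dropped_fields(request, echoed):
    """Keys the client sent that are absent from the bind the API echoed."""
    return sorted(k for k in request if k not in echoed)


def bind_problems(bind):
    """Pre-flight checks matching the two HAProxy errors quoted in the thread."""
    problems = []
    has_cert = bool(bind.get("ssl_certificate") or bind.get("crt_list"))
    if bind.get("ssl") and not has_cert:
        problems.append("no SSL certificate specified")
    if bind.get("verify", "none") != "none" and not bind.get("ssl_cafile"):
        problems.append("verify is enabled but no CA file specified")
    return problems


if __name__ == "__main__":
    print("dropped by API:", dropped_fields(REQUEST_1, ECHO_1))
    for label, bind in (("first", ECHO_1), ("second", ECHO_2)):
        print(label, "bind:", bind_problems(bind))
```

Comparing the request with the echoed object before reading the HAProxy message shows which fields actually reached the generated configuration.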