Has anyone got OCSP stapling with Let’s Encrypt certificates working correctly in HAProxy?
(CentOS 7, HAProxy 1.7 dev4, OpenSSL 1:1.0.1e-51.el7_2.7)
I’m trying it now, and everything seems to work ok until testing, where I’m getting:
OCSP response: no response sent
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
depth=0 CN = mydomain.com
when trying to test it using
I have the .ocsp response and .issuer (Let’s Encrypt chain.pem) files present in my HAProxy certs directory, and have tried reloading HAProxy after copying those files.
I initially get the OCSP response using:
openssl ocsp -no_nonce -respout /etc/haproxy/certs/mydomain.com.pem.ocsp -issuer /etc/letsencrypt/live/mydomain.com/chain.pem -verify_other /etc/letsencrypt/live/mydomain.com/chain.pem -cert /etc/letsencrypt/live/mydomain.com/cert.pem -url http://ocsp.int-x3.letsencrypt.org/ -header "HOST" "ocsp.int-x3.letsencrypt.org"
(I’ve also asked this in the HAProxy forums but perhaps someone here could have this setup already)