OCSP stapling with HAProxy


Has anyone got OCSP stapling with Let’s Encrypt certificates working correctly in HAProxy?
(CentOS 7, HAProxy 1.7 dev4, OpenSSL 1:1.0.1e-51.el7_2.7)

I’m trying it now, and everything seems to work ok until testing, where I’m getting:

OCSP response: no response sent
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
verify return:1
depth=0 CN = mydomain.com
verify return:1

when trying to test it using

openssl s_client -connect mydomain.com:443 -tlsextdebug -status -servername mydomain.com

I have the .ocsp response and .issuer (Let’s Encrypt chain.pem) files present in my HAProxy certs directory, and have tried reloading HAProxy after copying those files.

I initially get the OCSP response using:

openssl ocsp -no_nonce -respout /etc/haproxy/certs/mydomain.com.pem.ocsp -issuer /etc/letsencrypt/live/mydomain.com/chain.pem -verify_other /etc/letsencrypt/live/mydomain.com/chain.pem -cert /etc/letsencrypt/live/mydomain.com/cert.pem -url http://ocsp.int-x3.letsencrypt.org/ -header "HOST" "ocsp.int-x3.letsencrypt.org"


(I’ve also asked this in the HAProxy forums but perhaps someone here could have this setup already)


I can only provide a data point that it works OK on OpenBSD 6.0 with:

# haproxy -vv
HA-Proxy version 1.6.6 2016/06/26
Copyright 2000-2016 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = openbsd
  CPU     = generic
  CC      = cc
  CFLAGS  = -O2 -pipe -fno-strict-aliasing

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built without compression support (neither USE_ZLIB nor USE_SLZ are set)
Compression algorithms supported : identity("identity")
Built with OpenSSL version : LibreSSL 2.4.2
Running on OpenSSL version : LibreSSL 2.4.2
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.38 2015-11-23
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built without Lua support
Built with transparent proxy support using: SO_BINDANY

Available polling systems :
     kqueue : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use kqueue.

Do you have

OpenSSL library supports TLS extensions : yes

? Is your .ocsp file OK?

# openssl asn1parse -in [...].ocsp -inform der
    0:d=0  hl=4 l= 523 cons: SEQUENCE
    4:d=1  hl=2 l=   1 prim: ENUMERATED        :00
    7:d=1  hl=4 l= 516 cons: cont [ 0 ]
   11:d=2  hl=4 l= 512 cons: SEQUENCE
   15:d=3  hl=2 l=   9 prim: OBJECT            :Basic OCSP Response
   26:d=3  hl=4 l= 497 prim: OCTET STRING      [HEX DUMP]:...
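As an added check (example code, not from this thread or from HAProxy), a small Python script that walks the DER structure of a .ocsp file the same way the asn1parse output above does and decodes the responseStatus, so a stale error response (which HAProxy will not staple) is caught before the s_client test. The sample bytes are constructed; the real BasicOCSPResponse payload is replaced by a dummy OCTET STRING.

```python
# Added example, not code from the thread: a minimal DER walker that inspects an
# OCSP response file (the .ocsp that HAProxy staples) the way the asn1parse output
# above does, offline, and returns the decoded responseStatus. Layout per RFC 6960:
# OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED (0 = successful),
#   responseBytes [0] EXPLICIT SEQUENCE { responseType OID, response OCTET STRING } }
BASIC_OCSP_OID = "1.3.6.1.5.5.7.48.1.1"  # id-pkix-ocsp-basic

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def expect(buf, pos, want, what):
    """read_tlv plus a tag check, so a structural mismatch names the missing element."""
    tag, value, nxt = read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"{what} missing (found tag 0x{tag:02x})")
    return value, nxt

def decode_oid(raw):
    """Decode OID content octets (base-128 arcs) to dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def check_ocsp_response(der):
    """Return (responseStatus, responseType OID or None) for a DER OCSPResponse."""
    body, _ = expect(der, 0, 0x30, "outer SEQUENCE")
    status, pos = expect(body, 0, 0x0A, "responseStatus ENUMERATED")
    if pos >= len(body):  # error statuses carry no responseBytes at all
        return status[0], None
    resp_bytes, _ = expect(body, pos, 0xA0, "responseBytes [0]")
    seq, _ = expect(resp_bytes, 0, 0x30, "ResponseBytes SEQUENCE")
    oid, _ = expect(seq, 0, 0x06, "responseType OID")
    return status[0], decode_oid(oid)

def stapling_ready(der):
    """True only for a successful BasicOCSPResponse, the only kind worth stapling."""
    status, oid = check_ocsp_response(der)
    return status == 0 and oid == BASIC_OCSP_OID

# Constructed samples: success with a dummy 01 02 03 payload in place of BasicOCSPResponse, and a bare "unauthorized" (6).
SAMPLE_OK = bytes.fromhex("3017" "0a0100" "a012" "3010" "06092b0601050507300101" "0403010203")
SAMPLE_UNAUTHORIZED = bytes.fromhex("3003" "0a0106")
```

Run `stapling_ready(open("/etc/haproxy/certs/mydomain.com.pem.ocsp", "rb").read())` against the real file; anything but True means the responder returned an error status or a non-basic response type.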


Thanks for that. Yes I have the TLS extensions support and .ocsp file appears to be ok.

I see that you’re using LibreSSL - I’m beginning to think that the culprit here is the stock OpenSSL 1.0.1 branch in CentOS 7. I’ll try compiling HAProxy against 1.0.2 and try the OCSP check again.


Ah it works now!

It just needed HAProxy compiled with OpenSSL 1.0.2 (instructions are in the HAProxy README)


