I have the .ocsp response and .issuer (Let's Encrypt chain.pem) files present in my HAProxy certs directory, and have tried reloading HAProxy after copying those files.
I can only provide a data point that it works OK on OpenBSD 6.0 with:
# haproxy -vv
HA-Proxy version 1.6.6 2016/06/26
Copyright 2000-2016 Willy Tarreau <willy@haproxy.org>
Build options :
TARGET = openbsd
CPU = generic
CC = cc
CFLAGS = -O2 -pipe -fno-strict-aliasing
OPTIONS = USE_LIBCRYPT=1 USE_OPENSSL=1 USE_PCRE=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Encrypted password support via crypt(3): yes
Built without compression support (neither USE_ZLIB nor USE_SLZ are set)
Compression algorithms supported : identity("identity")
Built with OpenSSL version : LibreSSL 2.4.2
Running on OpenSSL version : LibreSSL 2.4.2
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.38 2015-11-23
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built without Lua support
Built with transparent proxy support using: SO_BINDANY
Available polling systems :
kqueue : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use kqueue.
Thanks for that. Yes, I have TLS extensions support, and the .ocsp file appears to be OK.
I see that you’re using LibreSSL - I’m beginning to think that the culprit here is the stock OpenSSL 1.0.1 branch in CentOS 7. I’ll try compiling HAProxy against 1.0.2 and try the OCSP check again.
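The thread turns on two files, `<cert>.ocsp` (a DER-encoded OCSP response) and `<cert>.issuer` (the issuer certificate), and on whether the TLS library HAProxy was linked against is the problem. The script below is an added example and is not from this thread or from HAProxy; it checks the files independently of HAProxy by building a throwaway CA and leaf certificate, producing an OCSP response for the leaf with openssl's offline responder mode (`-index` with no `-url`), and then verifying that response against the issuer exactly as a stapling-aware client would. The CA name, the `test.example` CN, the serial and the `index.txt` path are all made up for the example.

```shell
#!/bin/sh
# Added example (not HAProxy's code or the thread's): produce and verify the
# <cert>.ocsp / <cert>.issuer pair with openssl alone. All names, subjects and
# the serial are assumptions made up for this example.
set -u

# make_staple DIR: creates DIR/server.pem, DIR/server.pem.issuer, DIR/server.pem.ocsp
make_staple() {
    dir=$1
    mkdir -p "$dir"
    # 1. Throwaway CA; it acts as issuer and as the OCSP responder signer.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=Example Test CA" >/dev/null 2>&1 || return 1
    # 2. Leaf key + CSR, signed by the CA with a fixed (made-up) serial.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=test.example" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -set_serial 4097 -days 30 -sha256 -out "$dir/server.pem" >/dev/null 2>&1 || return 1
    # 3. The .issuer file HAProxy looks for is just the issuer certificate in PEM.
    cp "$dir/ca.pem" "$dir/server.pem.issuer"
    # 4. Minimal openssl-ca style index (tab separated): status, expiry,
    #    revocation date (empty), serial in hex, file name, subject.
    serial=$(openssl x509 -in "$dir/server.pem" -noout -serial | sed 's/^serial=//')
    printf 'V\t491231235959Z\t\t%s\tunknown\t/CN=test.example\n' "$serial" > "$dir/index.txt"
    # 5. Offline responder: with -index and no -url, openssl answers its own
    #    request. -respout writes DER, the encoding HAProxy expects in <cert>.ocsp;
    #    -ndays sets a nextUpdate so the response carries a validity window.
    openssl ocsp -index "$dir/index.txt" -CA "$dir/ca.pem" \
        -rsigner "$dir/ca.pem" -rkey "$dir/ca.key" -ndays 7 -no_nonce \
        -issuer "$dir/server.pem.issuer" -cert "$dir/server.pem" \
        -respout "$dir/server.pem.ocsp" >/dev/null 2>&1 || return 1
    [ -s "$dir/server.pem.ocsp" ]
}

# staple_status DIR: verifies DIR/server.pem.ocsp against the issuer and prints
# good | revoked | unknown, or "invalid" (with exit 1) if the signature or
# chain does not verify. This is the check to run on a real <cert>.ocsp too.
staple_status() {
    dir=$1
    out=$(openssl ocsp -respin "$dir/server.pem.ocsp" -CAfile "$dir/ca.pem" \
        -issuer "$dir/server.pem.issuer" -cert "$dir/server.pem" -no_nonce 2>&1) \
        || { echo invalid; return 1; }
    case "$out" in
        *"Response verify OK"*) ;;
        *) echo invalid; return 1 ;;
    esac
    # Summary line looks like "<path>/server.pem: good"; keep only the status word.
    echo "$out" | sed -n 's/^.*server\.pem: //p' | head -n 1
}
```

For a real deployment the same two openssl invocations apply with the real files: verify `cert.pem.ocsp` with `-respin`, `-issuer cert.pem.issuer` and `-cert cert.pem` before reloading HAProxy, and after the reload confirm from the client side with `openssl s_client -connect host:443 -status`, which prints `OCSP Response Status: successful` only when the server actually stapled a response. If the file verifies here but nothing is stapled, the problem is on the HAProxy/TLS-library side rather than in the response itself.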