acme-client: haproxy still serves old cert after renewal #4203
Comments
I found the following entry in
Below is from
I also get the same OCSP-UPDATE lines on a manual haproxy restart. At this point, I do not know the difference between "Restart HAProxy (OPNsense plugin)" cron job versus a manual restart. If there is no difference, I wonder if
Well, I'd suggest inspecting Settings - Service options, reading the help there and experimenting with those options.
I went through the HAProxy settings. I think these are the relevant settings to this issue, and below are their values. I do not see anything that would cache the certificate. I can also try manually running the automation next time this happens again, but I don't know where to find that. I found Service
Global settings > SSL settings - I believe these are the defaults.
Cache
Describe the bug
HAProxy continues to serve old Let's Encrypt certificates after it was renewed and updated. ACME Client > Automations has the "Restart HAProxy (OPNsense plugin)" configured and enabled. Restarting HAProxy manually thru the GUI loads the updated certificates.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
ACME Client automation that restarts HAProxy loads the updated certificate.
Additional context
/var/etc/acme-client/cert-home/6029e36f2fa175.26395931/host.domain.tld_ecc/host.domain.tld.cer file.
/tmp/haproxy/ssl/60294d9f6fa932.93592251.certlist. (same serial number)
openssl s_client confirms that HAProxy still serves the older certificate.
Environment
OPNsense 24.7.2-amd64
FreeBSD 14.1-RELEASE-p3
OpenSSL 3.0.14
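
The comparison described in the report (serial number of the renewed certificate file versus the certificate `openssl s_client` shows HAProxy serving), as an added example that is not part of the original issue or of the OPNsense plugins. The function names and the command-line arguments are assumptions.

```sh
#!/bin/sh
# Added example: flag a listener that still presents an older certificate
# than the renewed file on disk. Function names and arguments are assumptions.

# Print the serial number of the first certificate in a PEM file.
cert_serial() {
    openssl x509 -in "$1" -noout -serial 2>/dev/null | cut -d= -f2
}

# Save the leaf certificate presented by HOST:PORT to OUT, sending HOST as SNI
# so HAProxy selects the same certificate a browser would get.
fetch_served() {  # usage: fetch_served HOST PORT OUT
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -out "$3" 2>/dev/null
}

# Compare the renewed file with the served certificate.
# Returns 0 when serials match, 1 when the listener is stale, 2 on read errors.
check_stale() {  # usage: check_stale ON_DISK_PEM SERVED_PEM
    disk=$(cert_serial "$1")
    live=$(cert_serial "$2")
    if [ -z "$disk" ] || [ -z "$live" ]; then
        echo "ERROR: could not read a certificate from $1 or $2" >&2
        return 2
    fi
    if [ "$disk" = "$live" ]; then
        echo "OK: served serial $live matches $1"
        return 0
    fi
    expiry=$(openssl x509 -in "$2" -noout -enddate | cut -d= -f2)
    echo "STALE: disk=$disk served=$live (served cert expires $expiry)"
    return 1
}

# Command-line use: sh check_served_cert.sh CERT_FILE HOST PORT
if [ "$#" -eq 3 ]; then
    tmp=$(mktemp) || exit 2
    trap 'rm -f "$tmp"' EXIT
    fetch_served "$2" "$3" "$tmp" || { echo "ERROR: no certificate from $2:$3" >&2; exit 2; }
    check_stale "$1" "$tmp"
fi
```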