DOC: ssl/cli: set/commit/abort ssl cert
Document the "set/commit/abort ssl cert" CLI commands in management.txt.
Must be backported in 2.1.
diff --git a/doc/management.txt b/doc/management.txt
index 1d66f52..d1a1103 100644
--- a/doc/management.txt
+++ b/doc/management.txt
@@ -1363,6 +1363,11 @@
the "level" option of the "bind" keyword lines in the configuration manual
for more information.
+abort ssl cert <filename>
+ Abort and destroy a temporary SSL certificate update transaction.
+
+ See also "set ssl cert" and "commit ssl cert".
+
add acl <acl> <pattern>
Add an entry into the acl <acl>. <acl> is the #<id> or the <file> returned by
"show acl". This command does not verify if the entry already exists. This
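Review bot: the "abort ssl cert" entry never says what happens when no transaction exists for <filename> (e.g. whether the command fails with an error), nor whether the abort is scoped to the certificate named or tears down any pending transaction; add one sentence stating that "<filename>" must match the name of an on-going "set ssl cert" transaction and what the command reports otherwise, so an operator reading only this entry can tell a successful abort from a no-op.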
@@ -1464,6 +1469,16 @@
$ echo "show table http_proxy" | socat stdio /tmp/sock1
>>> # table: http_proxy, type: ip, size:204800, used:1
+commit ssl cert <filename>
+ Commit and apply a temporary SSL certificate update transaction.
+ Generate every SSL contextes and SNIs it needs, insert them, and remove
+ the previous ones. Replace in memory the previous SSL certificates
+ everywhere the <filename> was used in the configuration.
+ Upon failure it doesn't remove or insert anything. Once the temporary
+ transaction is commited, it is destroyed.
+
+ See also "ssl set cert" and "abort ssl cert".
+
debug dev <command> [args]*
Call a developer-specific command. Only supported on a CLI connection running
in expert mode (see "expert-mode on"). Such commands are extremely dangerous
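Review bot: the cross-reference in the "commit ssl cert" entry is wrong, "See also "ssl set cert"" should read "See also "set ssl cert"", since that is the command name documented below and the order matters when the reader searches the file. Also fix the spelling in the same entry: "Generate every SSL contextes and SNIs" should be "Generate every SSL context and SNI", and "Once the temporary transaction is commited" should be "committed". Lastly, "Upon failure it doesn't remove or insert anything" is the operationally important sentence; consider stating explicitly that the transaction is kept (not destroyed) on failure so the operator knows "abort ssl cert" is still required to discard it.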
@@ -1779,6 +1794,28 @@
Change the severity output format of the stats socket connected to for the
duration of the current session.
+set ssl cert <filename> <payload>
+ This command is part of a transaction system, the "commit ssl cert" and
+ "abort ssl cert" commands could be required.
+ If there is no on-going transaction, it will duplicate the certificate
+ <filename> in memory to a temporary transaction, then update this
+ transaction with the PEM file in the payload. If a transaction exists with
+ the same filename, it will update this transaction. It's also possible to
+ update the files linked to a certificate (.issuer, .sctl, .oscp etc.)
+ Once the modification are done, you have to "commit ssl cert" the
+ transaction.
+
+ Example:
+ echo -e "set ssl cert localhost.pem <<\n$(cat 127.0.0.1.pem)\n" | \
+ socat /var/run/haproxy.stat -
+ echo -e \
+ "set ssl cert localhost.pem.issuer <<\n $(cat 127.0.0.1.pem.issuer)\n" | \
+ socat /var/run/haproxy.stat -
+ echo -e \
+ "set ssl cert localhost.pem.ocsp <<\n$(base64 -w 1000 127.0.0.1.pem.ocsp)\n" | \
+ socat /var/run/haproxy.stat -
+ echo "commit ssl cert localhost.pem" | socat /var/run/haproxy.stat -
+
set ssl ocsp-response <response | payload>
This command is used to update an OCSP Response for a certificate (see "crt"
on "bind" lines). Same controls are performed as during the initial loading of
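Review bot: the list of companion files in the "set ssl cert" entry contains a typo, ".oscp" should be ".ocsp" (the example below correctly uses "localhost.pem.ocsp"), and "Once the modification are done" should be "Once the modifications are done". The opening sentence "the "commit ssl cert" and "abort ssl cert" commands could be required" is vague; say plainly that nothing takes effect until "commit ssl cert" is issued and that "abort ssl cert" discards the pending transaction. In the example, the second command has a stray space after "<<\n" (" $(cat 127.0.0.1.pem.issuer)"), which is inconsistent with the other two commands and may end up in the payload; drop it. Since this command replaces a live certificate and its private key from an unauthenticated socket payload, it would also help to cross-reference the "level" option mentioned earlier in this section so readers know to restrict which connections may issue it.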