DOC: management: add the new crt-list CLI commands
Add the new crt-list commands in the management manual:
"new ssl cert", "add ssl crt-list", "dump ssl crt-list", "show ssl
crt-list".
diff --git a/doc/management.txt b/doc/management.txt
index 6425c19..23b63af 100644
--- a/doc/management.txt
+++ b/doc/management.txt
@@ -1399,6 +1399,26 @@
>
+add ssl crt-list <crtlist> <certificate>
+add ssl crt-list <crtlist> <payload>
+ Add an certificate in a crt-list. It can also be used for directories since
+ directories are now loaded the same way as the crt-lists. This command allow
+ you to use a certificate name in parameter, to use SSL options or filters a
+ crt-list line must sent as a payload instead. Only one crt-list line is
+ supported in the payload. This command will load the certificate for every
+ bind lines using the crt-list. To push a new certificate to HAProxy the
+ commands "new ssl cert" and "set ssl cert" must be used.
+
+ Example:
+ $ echo "new ssl cert foobar.pem" | socat /tmp/sock1 -
+ $ echo -e "set ssl cert foobar.pem <<\n$(cat foobar.pem)\n" | socat
+ /tmp/sock1 -
+ $ echo "commit ssl cert foobar.pem" | socat /tmp/sock1 -
+ $ echo "add ssl crt-list certlist1 foobar.pem" | socat /tmp/sock1 -
+
+ $ echo -e 'add ssl crt-list certlist1 <<\nfoobar.pem [allow-0rtt] foo.bar.com
+ !test1.com\n' | socat /tmp/sock1 -
+
clear counters
Clear the max values of the statistics counters in each proxy (frontend &
backend) and in each server. The accumulated counters are not affected. The
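Review bot: the description of "add ssl crt-list" has several grammar problems that make the two forms of the command hard to tell apart: "Add an certificate in a crt-list" should read "Add a certificate to a crt-list", and "This command allow you to use a certificate name in parameter, to use SSL options or filters a crt-list line must sent as a payload instead" should be split, e.g. "The first form takes a certificate name as parameter. To set SSL options or SNI filters, the second form must be used and a complete crt-list line must be sent as a payload." The sentence "This command will load the certificate for every bind lines using the crt-list" also needs "bind line". Since this command changes the certificate set served by live bind lines, the text should state the required socket level the way the neighbouring commands do ("This command is restricted and can only be issued on sockets configured for level 'admin'", if that is the case). Finally, the example is the only place that shows the full sequence "new ssl cert" / "set ssl cert" / "commit ssl cert" / "add ssl crt-list"; the prose above it mentions only "new ssl cert" and "set ssl cert", so "commit ssl cert" should be named there too.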
@@ -1569,6 +1589,18 @@
This command is restricted and can only be issued on sockets configured for
level "admin".
+dump ssl crt-list <filename>
+ Dump the content of a crt-list or a directory. Once dumped the output can be
+ used as a crt-list file.
+
+ Example:
+ echo "dump ssl crt-list localhost.crt-list" | socat /tmp/sock1 -
+ # localhost.crt-list
+ common.pem !not.test1.com *.test1.com !localhost
+ common.pem
+ ecdsa.pem [verify none allow-0rtt ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.3] localhost !www.test1.com
+ ecdsa.pem [verify none allow-0rtt ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.3]
+
enable agent <backend>/<server>
Resume auxiliary agent check that was temporarily stopped.
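Review bot: the example in this hunk mixes the command and its output without any prompt marker, whereas the "add ssl crt-list" example in the previous hunk prefixes commands with "$ "; use the same convention in both so a reader can tell the typed command from the dumped lines. It would also help to state explicitly that the first line of the dump ("# localhost.crt-list") is a comment naming the source file, and that the per-line filename is the path as loaded by HAProxy, since the text promises the output "can be used as a crt-list file".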
@@ -1671,6 +1703,11 @@
Print the list of known keywords and their basic usage. The same help screen
is also displayed for unknown commands.
+new ssl cert <filename>
+ Create a new empty SSL certificate store to be filled with a certificate and
+ added to a directory or a crt-list. This command should be used in
+ combination with "set ssl cert" and "add ssl crt-list".
+
prompt
Toggle the prompt at the beginning of the line and enter or leave interactive
mode. In interactive mode, the connection is not closed after a command
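Review bot: the "new ssl cert" description omits the "commit ssl cert" step that the "add ssl crt-list" example in the first hunk shows between "set ssl cert" and "add ssl crt-list"; as written a reader would create the store, set the payload and try to add it to a crt-list without committing. Suggest "This command should be used in combination with "set ssl cert", "commit ssl cert" and "add ssl crt-list"." It should also say what happens to an empty store that is never filled, or at least that an empty store cannot be added to a crt-list, so that the failure mode is documented rather than discovered.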
@@ -2539,6 +2576,21 @@
Filename: *test.local.pem
[...]
+show ssl crt-list [<filename>]
+ Display the list of crt-list and directories used in the HAProxy
+ configuration. If a directory or a crt-list is specified, displays its
+ content. Does not use this command to dump your crt-list configuration as it
+ provides extra informations not compatible with the crt-list. To dump a
+ crt-list, use the "dump ssl crt-list" command instead.
+
+ Example:
+ echo "show ssl crt-list localhost.crt-list" | socat /tmp/sock1 -
+ # localhost.crt-list
+ 0x55db301c29a0 common.pem !not.test1.com *.test1.com !localhost
+ 0x55db301f99e0 common.pem
+ 0x7fb6f40220b0 ecdsa.pem [verify none allow-0rtt ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.3] localhost !www.test1.com
+ 0x55db30277070 ecdsa.pem [verify none allow-0rtt ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.3]
+
show resolvers [<resolvers section id>]
Dump statistics for the given resolvers section, or all resolvers sections
if no section is supplied.
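Review bot: the "show ssl crt-list" text has two wording errors: "Display the list of crt-list and directories" should be "crt-lists and directories", and "Does not use this command ... as it provides extra informations" should be "Do not use this command ... as it provides extra information". More importantly, the leading hexadecimal column in the example output (e.g. "0x55db301c29a0") is never explained; say what it represents so readers do not treat it as a stable identifier to script against, which is also the concrete reason the text gives for preferring "dump ssl crt-list".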