This option can be changed during runtime via the "add ssl jwt" and "del ssl
jwt" CLI commands. See also "show ssl jwt" CLI command.
+generate-dummy [ off | on ]
+ Allow the generation of a private key and its self-signed certificate at
+ parsing time when set to 'on'. This may be useful if one does not have a
+ certificate at disposal during testing phase for instance. In this case,
+ "keytype", "bits" and "curves" may be used to customize the private key. When
+ not used, the default value is 'off'. (also see "keytype", "bits" and
+ "curves").
+
+keytype [ RSA | ECDSA ]
+ Allow the selection of the private key type used to generate at parsing time
+ a self-signed certificate. This is the case if "generate-dummy" is set to 'on'
+ for this certificate. When not used, the default is 'RSA'.
+ (also see "generate-dummy").
+
+bits <number>
+ Configure the number of bits to generate an RSA self-signed certificate when
+ "generate-dummy" is set to 'on' for this self-signed certificate and "keytype"
+ is set to 'RSA'. When not used, the default is 2048. (also see
+ "generate-dummy").
+
+curves <string>
+ Configure the curves when "generate-dummy" is set to 'on' and "keytype" is
+ set to 'ECDSA" for this self-signed certificate. The default is 'P-384'.
+
12.8. ACME
----------
#include <haproxy/proxy.h>
#include <haproxy/sc_strm.h>
#include <haproxy/ssl_ckch.h>
+#include <haproxy/ssl_gencert.h>
#include <haproxy/ssl_sock.h>
#include <haproxy/ssl_ocsp.h>
#include <haproxy/ssl_utils.h>
#ifdef HAVE_ACME
errno = 0;
- /* if ACME is enabled and the file does not exists, generate the PEM */
- if (s->conf.acme.id && (stat(path, &sb) == -1 && errno == ENOENT)) {
- /* generate they key and the certificate */
+ if (s->conf.gencrt.on != 1) {
+ if (s->conf.gencrt.key.type ||
+ s->conf.gencrt.key.bits ||
+ s->conf.gencrt.key.curves) {
+ memprintf(err, "keyword 'keytype', 'bits' and 'curves' require"
+ " 'generate-dummy' set to 'on'\n");
+ err_code |= ERR_FATAL;
+ goto out;
+ }
+ }
+
+ if (s->conf.gencrt.on == 1) {
+ int type, bits, nid = -1;
+ char *curves;
+
+ if (!s->conf.gencrt.key.type)
+ type = EVP_PKEY_RSA;
+ else {
+ if (!strcmp(s->conf.gencrt.key.type, "RSA"))
+ type = EVP_PKEY_RSA;
+ else if (!strcmp(s->conf.gencrt.key.type, "ECDSA"))
+ type = EVP_PKEY_EC;
+ else {
+ memprintf(err, "keyword 'keytype' requires either 'RSA' or 'ECDSA'.");
+ err_code |= ERR_FATAL;
+ goto out;
+ }
+ }
+
+ /* default values: 2048 bits for RSA key, "P-384" curves for ECDSA key */
+ bits = s->conf.gencrt.key.bits ? s->conf.gencrt.key.bits : 2048;
+ curves = s->conf.gencrt.key.curves ? s->conf.gencrt.key.curves : "P-384";
+
+ if (type == EVP_PKEY_EC && (nid = curves2nid(curves)) == -1) {
+ memprintf(err, "unsupported curves '%s'.", s->conf.gencrt.key.curves);
+ err_code |= ERR_FATAL;
+ goto out;
+ }
+
+ s->data->key = ssl_gen_EVP_PKEY(type, nid, bits, err);
+ if (!s->data->key) {
+ err_code |= ERR_FATAL;
+ goto out;
+ }
+
+ s->data->cert = ssl_gen_x509(s->data->key);
+ if (!s->data->cert) {
+ memprintf(err, "Couldn't generate a keypair.");
+ err_code |= ERR_FATAL;
+ goto out;
+ }
+ }
+ else if (s->conf.acme.id && (stat(path, &sb) == -1 && errno == ENOENT)) {
+ /* if ACME is enabled and the file does not exists, generate the PEM */
ha_notice("No certificate available for '%s', generating a temporary key pair before getting the ACME certificate\n", path);
s->data->key = acme_gen_tmp_pkey();
s->data->cert = acme_gen_tmp_x509();
+
if (!s->data->key || !s->data->cert) {
memprintf(err, "Couldn't generate a temporary keypair for '%s'\n", path);
err_code |= ERR_FATAL;
goto out;
}
-
} else
#endif
{
{ "acme", offsetof(struct ckch_conf, acme.id), PARSE_TYPE_STR, ckch_conf_acme_init, },
#endif
{ "domains", offsetof(struct ckch_conf, acme.domains), PARSE_TYPE_ARRAY_SUBSTR, NULL, },
+ { "generate-dummy", offsetof(struct ckch_conf, gencrt.on), PARSE_TYPE_ONOFF, NULL, },
+ { "keytype", offsetof(struct ckch_conf, gencrt.key.type), PARSE_TYPE_STR, NULL, },
+ { "bits", offsetof(struct ckch_conf, gencrt.key.bits), PARSE_TYPE_INT, NULL, },
+ { "curves", offsetof(struct ckch_conf, gencrt.key.curves), PARSE_TYPE_STR, NULL, },
{ NULL, -1, PARSE_TYPE_STR, NULL, }
};