show ssl ocsp-updates
Show the expected time of the next OCSP updates and the status of the last OCSP updates.
Description
Available since
- HAProxy 2.8
- HAProxy Enterprise 2.8r1
When OCSP is enabled, the load balancer automatically fetches the OCSP response for each of its configured certificates on a specified interval. You can view the status of past updates, as well as the expected time of the next updates, using `show ssl ocsp-updates`.
Examples
Follow these steps to view the OCSP response statuses.
- Use the `show ssl ocsp-updates` command:

```text
echo "show ssl ocsp-updates" | socat /tmp/haproxy.sock -
```

output:

```text
OCSP Certid | Path | Next Update | Last Update | Successes | Failures | Last Update Status | Last Update Status (str)
303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 | /etc/hapee-3.0/certs/cert.pem | 31/Oct/2023:00:08:09 +0000 | - | 0 | 1 | 2 | HTTP error
304b300906052b0e03021a0500041448dac9a0fb2bd32d4ff0de68d2f567b735f9b3c40414142eb317b75856cbae500940e61faf9d8b14c2c6021203e16a7aa01542f291237b454a627fdea9c1 | /etc/hapee-3.0/certs/other_cert.pem | 31/Oct/2023:01:07:09 +0000 | 30/Jan/2023:00:07:09 +0000 | 1 | 0 | 1 | Update successful
303b300906052b0e03021a05000414d59b53c6deb73f54127efecfdf004e497757fe2f0414198cc3439a028c6349aaad77c96806b66632860202021008 | /etc/hapee-3.0/certs/newcert.pem | 31/Oct/2023:18:39:12 +0000 | - | 0 | 3 | 4 | OCSP response check failure
```

In this example there are three OCSP responses: one that was successful, and two with errors.
The update errors and their codes are listed below:

| ID | Message |
|----|---------|
| 0 | Unknown |
| 1 | Update successful |
| 2 | HTTP error |
| 3 | Missing "ocsp-response" header |
| 4 | OCSP response check failure |
| 5 | Error during insertion |

If a response has the error "OCSP response check failure", it may be that the issuer certificate is not valid. For more information about `ocsp-update`, see: ocsp-update reference.
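A monitoring check built on this output, as an added example (not from the HAProxy documentation): it parses the table, maps the status codes listed above, and reports which certificates need attention. The sample rows, cert IDs and paths are constructed, and treating a "Next Update" time in the past as a stalled updater is an assumption.

```python
from datetime import datetime, timezone

# Status codes from the table on this page.
STATUS = {0: "Unknown", 1: "Update successful", 2: "HTTP error",
          3: 'Missing "ocsp-response" header',
          4: "OCSP response check failure", 5: "Error during insertion"}
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # e.g. 31/Oct/2023:00:08:09 +0000

# Constructed sample output (cert IDs and paths are made up).
SAMPLE = """\
OCSP Certid | Path | Next Update | Last Update | Successes | Failures | Last Update Status | Last Update Status (str)
aa01 | /etc/haproxy/certs/a.pem | 31/Oct/2023:00:08:09 +0000 | - | 0 | 1 | 2 | HTTP error
bb02 | /etc/haproxy/certs/b.pem | 31/Oct/2023:01:07:09 +0000 | 30/Oct/2023:01:07:09 +0000 | 1 | 0 | 1 | Update successful
cc03 | /etc/haproxy/certs/c.pem | 31/Oct/2023:18:39:12 +0000 | - | 0 | 3 | 4 | OCSP response check failure
"""

def parse_ts(field):
    """A '-' field means no timestamp has been recorded."""
    return None if field == "-" else datetime.strptime(field, TS_FMT)

def parse_ocsp_updates(text):
    """Return one dict per certificate row; header and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != 8 or not all(c.isdigit() for c in cols[4:7]):
            continue
        rows.append({"certid": cols[0], "path": cols[1],
                     "next_update": parse_ts(cols[2]), "last_update": parse_ts(cols[3]),
                     "successes": int(cols[4]), "failures": int(cols[5]),
                     "status": int(cols[6])})
    return rows

def find_problems(rows, now):
    """Map certificate path -> list of reasons it needs attention."""
    problems = {}
    for r in rows:
        reasons = []
        if r["status"] != 1:
            label = STATUS.get(r["status"], "unrecognized")
            reasons.append(f"last update status {r['status']}: {label}")
        if r["successes"] == 0:
            reasons.append("no successful update yet")
        if r["next_update"] and r["next_update"] < now:  # assumption: updater stalled
            reasons.append("next update overdue")
        if reasons:
            problems[r["path"]] = reasons
    return problems
```

In production, feed `parse_ocsp_updates` the text returned by the `socat` command shown in the example and pass `datetime.now(timezone.utc)` as `now`.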