haproxy dynamic TLS reloads

Haproxy has a great newer feature that lets one dynamically reload TLS certificates. I explored this today because I’ve had two instances in the past few months where haproxy stopped serving for time, at midnight when the cron job that renews TLS certs kicks off. I think it’s an edge case involving web sockets with a 1 hour timeout and a handful of TLS certs all renewing in close succession. Regardless, not having to reload haproxy at all sounded attractive.

The page above has this example for sending the certificate to haproxy’s admin API:

echo -e "set ssl cert /etc/haproxy/certs/site.pem <<\n$(cat ./new_certificate.pem)\n" | socat tcp-connect:172.25.0.10:9999 -

After exploring the vagaries of echo and echo -e and staring at the output for a few too many times, I finally determined the cause of the failure. The certificate I was attempting to send has a stray newline character. ??‍♂ī¸ The solution is simple, assure your boundary character doesn’t match the data:

echo -e "set ssl cert /etc/haproxy/certs/site.pem <<\n$(grep . ./new_certificate.pem)\n" | socat tcp-connect:172.25.0.10:9999 -