MEDIUM: protect from deleting ssl certs still in use

Author: aiharos

e2e/tests/storage_ssl_certificates/3.pem

@@ -0,0 +1,79 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC/ZGXoEmYgWL2m
+nd41cr1kRSPISmWw12o8vdGZP2OLoL8E2X8IFF6mIyNxakdhOYILBADGArCiNzYp
+f0XpxO0LsOWC8m7lckF+Dyyh7TSmQ5TcxxT8Bf5JxvZEAwM09FIZooVDy0vJeo3g
+xC08MIqtTaZbstyuRLKkigu75QWnun+qhgcxV9IMN8s/Ee6X5wFsneCvLHFgzELS
+9gcephLieBEfPLDpDh8mGnUgvEmyBJjDRz6cFYOEvsqW0D+6krUDe3ELnV20TFeY
+CrvBPZ+ZHFZWoSjE3ainpQHd9w0Kx4w0SIrYAs2AOC1qakkrh5QjFiky30DpJ6EU
+yg/eltW5AgMBAAECggEARk1RpXpEqzMNjstEWSupZ9CBwUuaqOenrWIoQHtpTFui
+btyZbdVVov8bQMjCKXNfUj6JLjLEwQE40uteOe1NCVNUKtJ0a7GZXv2h7mTcRwph
+/urdyWlGK8F6qibVIblxAtuQygM99mcfAGXvG8HU3q28IsjDiPvRBuFyR/VrK12R
+AY/cU5kADrRwLeswT8Clw7DhNhWEMcvAuS0R8liyXhQ8IG4WOZYIkBF3NI+GB3X+
+PE4SFZfk2CvbGSth1vvVKv7TAVczw81Ek6FJXV6A/XP3mFjuDqDU0NbEL4QQds2z
+S/0JpEzx5LurN/UEIAyf/u+iEtPc56oUdAXJpHfWFQKBgQD86aOJDADg9F3HAdvG
+Xkh60B6PZ63r6iw6wCsJD2olOl+XF7GdGXKGzCZQsz2fob1E4zhb8kduHNEPeBG7
+x5WyS7fqycRyz3oEyozz9KLcggfOU+yyuQ2kn/1O51/aiABlkinyj7ed/FL9jqeE
+LdUM6194QEPgQnghjYMj6UcHpwKBgQDBuoFsgmA1OvtuSpijnZ/0ueI9Lkh8Quk2
+HusTKglP4KnuRCKm60PRXxxsFNxQgxuXhxEgBuMwJo1RO+CLjzh540pFnAN235QZ
+F2FKio5hQT7olo8Weu6IEbLE5nzTDEcnuKZrmqEGFlsUXLBW3zYgn1PorWDRMvv6
+m+T4+NDjnwKBgDbKjwlDtnUFu8M/XdON3Xnt2JEMzxsK8mYP98LQuhgymz7qfSoh
+tzQIykw1aKZKrexcpXsV8++hApGtW3oo9P9ZdBDDgXG2DSM4lmzLlPTcnsBOYjsd
+6BzAJGqRqax4Rk266qeIBymM3pXb7+Ks4zkXTOmKUqok/E2YkM6Y3TCFAoGBALg2
+jscNmkpDkb4odMhwJB/jebvPfOGcBoKOF94bRMuNyEhmxcSPReebVz13AKAWa3BE
+4QXhRrsMjahHFZffUkak2IUkey7YHs1VLBBjfEwCbL1iHSG1N4hvu9v7h4pvzGF6
+9dSwLpnJPEY6dPvGOIQAvRstcji7EFwXTT1p68flAoGANxFyWNiCC0LZ1t+4aS4j
+cA7piBgu1bfc1LtL9wBj7LeCLW942S1yCcHd/YI3KMc8ZP8MkD2eKuMOCD48JVN7
+k1Pnh+V+/Bnin1owach62ckZjgubLQfbffiGmpEo3KqP4g8h7lst6Xbja1DatJ2Q
+Ml0WvPvs/l61lp1CI36UuUA=
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIICoDCCAYgCAhACMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNVBAMMCEludGVybTIu
+MB4XDTIwMTEyNTEyMTIwNFoXDTIxMTEyNTEyMTIwNFowGDEWMBQGA1UEAwwNMS5l
+eGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL9kZegS
+ZiBYvaad3jVyvWRFI8hKZbDXajy90Zk/Y4ugvwTZfwgUXqYjI3FqR2E5ggsEAMYC
+sKI3Nil/RenE7Quw5YLybuVyQX4PLKHtNKZDlNzHFPwF/knG9kQDAzT0UhmihUPL
+S8l6jeDELTwwiq1Npluy3K5EsqSKC7vlBae6f6qGBzFX0gw3yz8R7pfnAWyd4K8s
+cWDMQtL2Bx6mEuJ4ER88sOkOHyYadSC8SbIEmMNHPpwVg4S+ypbQP7qStQN7cQud
+XbRMV5gKu8E9n5kcVlahKMTdqKelAd33DQrHjDRIitgCzYA4LWpqSSuHlCMWKTLf
+QOknoRTKD96W1bkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAeeAoG3xpVfAcA2ZN
+aJA0uEB7ZH5BjhFsvmc1kEZylkEo6STVs1uTTvc9+v3PqzYANycbHy/3N0EUo5OX
+X6tfo3SMn3c8MyZu/3960Vcs1YJApdC1P3FvHj25IQGz8qLgsmION1tijg0ySPQb
+CYFXZ8T0ZYHA2X2QMieYiB9cNcmaL3Mlx04nf2Vfb+e/6kCWKkETlfSDIde9/J2M
+kVAYLGWWnwWvfRvjEaZ7SZNWslBttUTEr4PiFkvdPU01UF3VAjkcAOcDzvueGdmT
+d5Eg1BEWWmNBdT+Yg5hoy5Hx8R7H9ZcyoXnIMKCa9pOoIBIEk/hmcXj3smmjAMfO
+wTO08w==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICsTCCAZmgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHUm9v
+dC1jYTAeFw0yMDExMjUxMjEyMDRaFw0yMTExMjUxMjEyMDRaMBMxETAPBgNVBAMM
+CEludGVybTEuMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0/VPbQ2O
+YERPdfjLsTn/eGu4R98iNOw3pwyOtxK5b7w/b3sheGvoA7iRdyk6TBQ6e6sGUnUj
+fImyxNnWHRNBsX6NwwYk3DvFMvVgIfYi657m+7JaPYT+TcsLF223n2mDP3PHQe4B
+etOdP81gC2c+l1cmPSduMwzi3Ze64gQ15PvyTjVcTRuVCFZIpdAZ2DLEFMviuc7O
+vnxA+DFfN5Ve5gCJIEmxEtkHtolqZbhBIVPsfz5CofjD9bPm452ibssNoZgKU030
+9h2QPzvOhJ4iN2UDto2/Mq6xemEXxhVV7GyJ5iKtlnz1TYNAVPKkzhY+J9fnG/yT
+/MOwREaq+/9AbwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUA
+A4IBAQCyqfVs2oawxgymfI/Nk6aGG+EjG+aBixu9tO45hQT2mEyb5ztP49ZwFOpc
++ys1snq3gtol2r7J+Up96DJ3aF6U3OE3iDqbtfjosMmi+rQQDRK/hp6QcU5rQucY
+hDiooiuajp7bhUgEdjhDW7GbV9yT1bA9WL5urFoGE0THUKLoMV4GCRQAQsodEx+B
+yos50UBCHuSkeJWRGmR4lpyIprPJaQgC7E83FfLe5UDsP1bioDiW4RZk4sqryy/z
+VJQNGgXYnlftf6J6WOPLdzU51R21yGCRjmNP0G9Vay9Wq7WOdDqjiQjWZyXWFf6H
+bbp7qAgS2JLTieLZ3GXBg0RTi+lK
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICsjCCAZqgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwEzERMA8GA1UEAwwISW50
+ZXJtMS4wHhcNMjAxMTI1MTIxMjA0WhcNMjExMTI1MTIxMjA0WjATMREwDwYDVQQD
+DAhJbnRlcm0yLjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKto0lJW
+e+0+6u/gxG3NNfoqHWAMiDm+Ogcv1aIUTxTK8CO6dlwLTAMDg47wXgZSE+fpwtJf
+OCV9uwUvoVrdBazPil13KTQKHkN3jV6TnrU92gJpb1uBCQwQQXvCaQeUrMNPC7h3
+lYaxAODH62B5Pl2PY/DXdaKNbsN0chOZmNl87FgtXH4/ITOqqHY/vLW4ikYbADHi
+HLZOXFFV6VK6tNm5NgbKpDeUG5I5mjilZSfxnHHJAFIrIy19wK+wyPr9X+Eyph7Z
+slYDDZ/+RRIEp3tNlaac+g+uv1CJZWdRcTb+q/fAMd/emL0ofg3XKRNtSwfDuDNh
+z7i68VKL/6Xtd3cCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsF
+AAOCAQEAYUwKKDKMG0ZwUJwJuqXZfCrf+95t9aeb+ALcFw7gABrdSFY9VmDQj2wW
+wl1afkV0jAREEnOtHJ0wioAhD86TUMoj99+UMEtp/r9QPH1XMClnCS0kp1M9ogCu
+PlqFamJlKhIa3xvvKSamU6G7qlbVzi2y7x/SBhK/U/FDo4bElgwG6WVXsluOQ6fT
+uUAJTqNfWcSdw2ntIGbwlbg1sco3a2JENB/5tyTSIWlwwUo6d+s2W3ZcNePWAPdr
+gEAVV1yOWsb1OVse2NRye5lH3cc+x0O1XYzWiC6G3GWYUmoPhl50fsidrd6WQIt5
++6MXQJQW+CgBnPiCdSfN58mxv49xJQ==
+-----END CERTIFICATE-----

e2e/tests/storage_ssl_certificates/4.pem

@@ -0,0 +1,79 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC/ZGXoEmYgWL2m
+nd41cr1kRSPISmWw12o8vdGZP2OLoL8E2X8IFF6mIyNxakdhOYILBADGArCiNzYp
+f0XpxO0LsOWC8m7lckF+Dyyh7TSmQ5TcxxT8Bf5JxvZEAwM09FIZooVDy0vJeo3g
+xC08MIqtTaZbstyuRLKkigu75QWnun+qhgcxV9IMN8s/Ee6X5wFsneCvLHFgzELS
+9gcephLieBEfPLDpDh8mGnUgvEmyBJjDRz6cFYOEvsqW0D+6krUDe3ELnV20TFeY
+CrvBPZ+ZHFZWoSjE3ainpQHd9w0Kx4w0SIrYAs2AOC1qakkrh5QjFiky30DpJ6EU
+yg/eltW5AgMBAAECggEARk1RpXpEqzMNjstEWSupZ9CBwUuaqOenrWIoQHtpTFui
+btyZbdVVov8bQMjCKXNfUj6JLjLEwQE40uteOe1NCVNUKtJ0a7GZXv2h7mTcRwph
+/urdyWlGK8F6qibVIblxAtuQygM99mcfAGXvG8HU3q28IsjDiPvRBuFyR/VrK12R
+AY/cU5kADrRwLeswT8Clw7DhNhWEMcvAuS0R8liyXhQ8IG4WOZYIkBF3NI+GB3X+
+PE4SFZfk2CvbGSth1vvVKv7TAVczw81Ek6FJXV6A/XP3mFjuDqDU0NbEL4QQds2z
+S/0JpEzx5LurN/UEIAyf/u+iEtPc56oUdAXJpHfWFQKBgQD86aOJDADg9F3HAdvG
+Xkh60B6PZ63r6iw6wCsJD2olOl+XF7GdGXKGzCZQsz2fob1E4zhb8kduHNEPeBG7
+x5WyS7fqycRyz3oEyozz9KLcggfOU+yyuQ2kn/1O51/aiABlkinyj7ed/FL9jqeE
+LdUM6194QEPgQnghjYMj6UcHpwKBgQDBuoFsgmA1OvtuSpijnZ/0ueI9Lkh8Quk2
+HusTKglP4KnuRCKm60PRXxxsFNxQgxuXhxEgBuMwJo1RO+CLjzh540pFnAN235QZ
+F2FKio5hQT7olo8Weu6IEbLE5nzTDEcnuKZrmqEGFlsUXLBW3zYgn1PorWDRMvv6
+m+T4+NDjnwKBgDbKjwlDtnUFu8M/XdON3Xnt2JEMzxsK8mYP98LQuhgymz7qfSoh
+tzQIykw1aKZKrexcpXsV8++hApGtW3oo9P9ZdBDDgXG2DSM4lmzLlPTcnsBOYjsd
+6BzAJGqRqax4Rk266qeIBymM3pXb7+Ks4zkXTOmKUqok/E2YkM6Y3TCFAoGBALg2
+jscNmkpDkb4odMhwJB/jebvPfOGcBoKOF94bRMuNyEhmxcSPReebVz13AKAWa3BE
+4QXhRrsMjahHFZffUkak2IUkey7YHs1VLBBjfEwCbL1iHSG1N4hvu9v7h4pvzGF6
+9dSwLpnJPEY6dPvGOIQAvRstcji7EFwXTT1p68flAoGANxFyWNiCC0LZ1t+4aS4j
+cA7piBgu1bfc1LtL9wBj7LeCLW942S1yCcHd/YI3KMc8ZP8MkD2eKuMOCD48JVN7
+k1Pnh+V+/Bnin1owach62ckZjgubLQfbffiGmpEo3KqP4g8h7lst6Xbja1DatJ2Q
+Ml0WvPvs/l61lp1CI36UuUA=
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIICoDCCAYgCAhACMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNVBAMMCEludGVybTIu
+MB4XDTIwMTEyNTEyMTIwNFoXDTIxMTEyNTEyMTIwNFowGDEWMBQGA1UEAwwNMS5l
+eGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL9kZegS
+ZiBYvaad3jVyvWRFI8hKZbDXajy90Zk/Y4ugvwTZfwgUXqYjI3FqR2E5ggsEAMYC
+sKI3Nil/RenE7Quw5YLybuVyQX4PLKHtNKZDlNzHFPwF/knG9kQDAzT0UhmihUPL
+S8l6jeDELTwwiq1Npluy3K5EsqSKC7vlBae6f6qGBzFX0gw3yz8R7pfnAWyd4K8s
+cWDMQtL2Bx6mEuJ4ER88sOkOHyYadSC8SbIEmMNHPpwVg4S+ypbQP7qStQN7cQud
+XbRMV5gKu8E9n5kcVlahKMTdqKelAd33DQrHjDRIitgCzYA4LWpqSSuHlCMWKTLf
+QOknoRTKD96W1bkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAeeAoG3xpVfAcA2ZN
+aJA0uEB7ZH5BjhFsvmc1kEZylkEo6STVs1uTTvc9+v3PqzYANycbHy/3N0EUo5OX
+X6tfo3SMn3c8MyZu/3960Vcs1YJApdC1P3FvHj25IQGz8qLgsmION1tijg0ySPQb
+CYFXZ8T0ZYHA2X2QMieYiB9cNcmaL3Mlx04nf2Vfb+e/6kCWKkETlfSDIde9/J2M
+kVAYLGWWnwWvfRvjEaZ7SZNWslBttUTEr4PiFkvdPU01UF3VAjkcAOcDzvueGdmT
+d5Eg1BEWWmNBdT+Yg5hoy5Hx8R7H9ZcyoXnIMKCa9pOoIBIEk/hmcXj3smmjAMfO
+wTO08w==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICsTCCAZmgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHUm9v
+dC1jYTAeFw0yMDExMjUxMjEyMDRaFw0yMTExMjUxMjEyMDRaMBMxETAPBgNVBAMM
+CEludGVybTEuMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0/VPbQ2O
+YERPdfjLsTn/eGu4R98iNOw3pwyOtxK5b7w/b3sheGvoA7iRdyk6TBQ6e6sGUnUj
+fImyxNnWHRNBsX6NwwYk3DvFMvVgIfYi657m+7JaPYT+TcsLF223n2mDP3PHQe4B
+etOdP81gC2c+l1cmPSduMwzi3Ze64gQ15PvyTjVcTRuVCFZIpdAZ2DLEFMviuc7O
+vnxA+DFfN5Ve5gCJIEmxEtkHtolqZbhBIVPsfz5CofjD9bPm452ibssNoZgKU030
+9h2QPzvOhJ4iN2UDto2/Mq6xemEXxhVV7GyJ5iKtlnz1TYNAVPKkzhY+J9fnG/yT
+/MOwREaq+/9AbwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUA
+A4IBAQCyqfVs2oawxgymfI/Nk6aGG+EjG+aBixu9tO45hQT2mEyb5ztP49ZwFOpc
++ys1snq3gtol2r7J+Up96DJ3aF6U3OE3iDqbtfjosMmi+rQQDRK/hp6QcU5rQucY
+hDiooiuajp7bhUgEdjhDW7GbV9yT1bA9WL5urFoGE0THUKLoMV4GCRQAQsodEx+B
+yos50UBCHuSkeJWRGmR4lpyIprPJaQgC7E83FfLe5UDsP1bioDiW4RZk4sqryy/z
+VJQNGgXYnlftf6J6WOPLdzU51R21yGCRjmNP0G9Vay9Wq7WOdDqjiQjWZyXWFf6H
+bbp7qAgS2JLTieLZ3GXBg0RTi+lK
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICsjCCAZqgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwEzERMA8GA1UEAwwISW50
+ZXJtMS4wHhcNMjAxMTI1MTIxMjA0WhcNMjExMTI1MTIxMjA0WjATMREwDwYDVQQD
+DAhJbnRlcm0yLjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKto0lJW
+e+0+6u/gxG3NNfoqHWAMiDm+Ogcv1aIUTxTK8CO6dlwLTAMDg47wXgZSE+fpwtJf
+OCV9uwUvoVrdBazPil13KTQKHkN3jV6TnrU92gJpb1uBCQwQQXvCaQeUrMNPC7h3
+lYaxAODH62B5Pl2PY/DXdaKNbsN0chOZmNl87FgtXH4/ITOqqHY/vLW4ikYbADHi
+HLZOXFFV6VK6tNm5NgbKpDeUG5I5mjilZSfxnHHJAFIrIy19wK+wyPr9X+Eyph7Z
+slYDDZ/+RRIEp3tNlaac+g+uv1CJZWdRcTb+q/fAMd/emL0ofg3XKRNtSwfDuDNh
+z7i68VKL/6Xtd3cCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsF
+AAOCAQEAYUwKKDKMG0ZwUJwJuqXZfCrf+95t9aeb+ALcFw7gABrdSFY9VmDQj2wW
+wl1afkV0jAREEnOtHJ0wioAhD86TUMoj99+UMEtp/r9QPH1XMClnCS0kp1M9ogCu
+PlqFamJlKhIa3xvvKSamU6G7qlbVzi2y7x/SBhK/U/FDo4bElgwG6WVXsluOQ6fT
+uUAJTqNfWcSdw2ntIGbwlbg1sco3a2JENB/5tyTSIWlwwUo6d+s2W3ZcNePWAPdr
+gEAVV1yOWsb1OVse2NRye5lH3cc+x0O1XYzWiC6G3GWYUmoPhl50fsidrd6WQIt5
++6MXQJQW+CgBnPiCdSfN58mxv49xJQ==
+-----END CERTIFICATE-----

e2e/tests/storage_ssl_certificates/haproxy.cfg

@@ -0,0 +1,37 @@
+# _version=42
+
+global
+    log         127.0.0.1 local2
+    chroot      /var/lib/haproxy
+    pidfile     /var/run/haproxy.pid
+    maxconn     4000
+    user        haproxy
+    group       haproxy
+    stats socket /var/lib/haproxy/stats level admin
+
+defaults
+    mode                    http
+    log                     global
+    option                  httplog
+    option                  dontlognull
+    option http-server-close
+    option forwardfor       except 127.0.0.0/8
+    option                  redispatch
+    retries                 3
+    timeout http-request    10s
+    timeout queue           1m
+    timeout connect         10s
+    timeout client          1m
+    timeout server          1m
+    timeout http-keep-alive 10s
+    timeout check           10s
+    maxconn                 3000
+
+frontend test_storage_ssl_certificates
+  # bind *:1337 crt /etc/haproxy/ssl/4.pem
+  bind *:1337 crt /etc/haproxy/ssl/3.pem
+  default_backend test_storage_ssl_certificates
+
+backend test_storage_ssl_certificates
+  server appx 127.0.0.1:8080 check disabled
+

e2e/tests/storage_ssl_certificates/test.bats

@@ -1,6 +1,6 @@
 #!/usr/bin/env bats
 #
-# Copyright 2019 HAProxy Technologies
+# Copyright 2021 HAProxy Technologies
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

e2e/tests/storage_ssl_certificates/test_with_conf.bats

@@ -0,0 +1,55 @@
+#!/usr/bin/env bats
+#
+# Copyright 2021 HAProxy Technologies
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+load '../../libs/dataplaneapi'
+load "../../libs/get_json_path"
+load '../../libs/version'
+load '../../libs/haproxy_config_setup'
+
+@test "Refuse to delete still used ssl certificate file" {
+    run docker cp "${BATS_TEST_DIRNAME}/3.pem" "${DOCKER_CONTAINER_NAME}:/etc/haproxy/ssl/"
+    assert_success
+
+    run dpa_curl DELETE "/services/haproxy/storage/ssl_certificates/3.pem"
+    assert_success
+
+    dpa_curl_status_body_safe '$output'
+    echo -e "$output"
+    assert_equal $SC 409
+
+    assert dpa_docker_exec 'ls /etc/haproxy/ssl/3.pem'
+
+    # clean up this test
+    assert dpa_docker_exec 'rm /etc/haproxy/ssl/3.pem'
+}
+
+@test "Allow to delete ssl certificate file referenced in comments" {
+    run docker cp "${BATS_TEST_DIRNAME}/4.pem" "${DOCKER_CONTAINER_NAME}:/etc/haproxy/ssl/"
+    assert_success
+
+    run dpa_curl DELETE "/services/haproxy/storage/ssl_certificates/4.pem"
+    assert_success
+
+    dpa_curl_status_body_safe '$output'
+    echo -e "$output"
+    assert_equal $SC 204
+
+    refute dpa_docker_exec 'ls /etc/haproxy/ssl/4.pem'
+
+    # clean up this test
+    run dpa_docker_exec 'rm /etc/haproxy/ssl/4.pem'
+}

handlers/ssl_cert_storage.go

@@ -16,7 +16,10 @@
 package handlers
 
 import (
+	"bufio"
+	"fmt"
 	"path/filepath"
+	"strings"
 
 	"github.com/go-openapi/runtime"
 	"github.com/go-openapi/runtime/middleware"
@@ -79,7 +82,31 @@ type StorageDeleteStorageSSLCertificateHandlerImpl struct {
 }
 
 func (h *StorageDeleteStorageSSLCertificateHandlerImpl) Handle(params storage.DeleteStorageSSLCertificateParams, principal interface{}) middleware.Responder {
-	err := h.Client.SSLCertStorage.Delete(params.Name)
+	runningConf := strings.NewReader(h.Client.Configuration.Parser.String())
+
+	filename, err := h.Client.SSLCertStorage.Get(params.Name)
+	if err != nil {
+		e := misc.HandleError(err)
+		return storage.NewDeleteStorageSSLCertificateDefault(int(*e.Code)).WithPayload(e)
+	}
+
+	// this is far from perfect but should provide a basic level of protection
+	scanner := bufio.NewScanner(runningConf)
+
+	lineNr := 0
+
+	for scanner.Scan() {
+		line := strings.TrimSpace(scanner.Text())
+		if strings.Contains(line, filename) && !strings.HasPrefix(line, "#") {
+			errCode := misc.ErrHTTPConflict
+			errMsg := fmt.Sprintf("rejecting attempt to delete file %s referenced in haproxy conf at line %d: %s", filename, lineNr-1, line)
+			e := &models.Error{Code: &errCode, Message: &errMsg}
+			return storage.NewDeleteStorageSSLCertificateDefault(int(*e.Code)).WithPayload(e)
+		}
+		lineNr++
+	}
+
+	err = h.Client.SSLCertStorage.Delete(params.Name)
 	if err != nil {
 		e := misc.HandleError(err)
 		return storage.NewDeleteStorageSSLCertificateDefault(int(*e.Code)).WithPayload(e)