Hello!
I have a question/problem regarding certificate selection when there are multiple certificates with overlapping SANs (in strict-sni mode).
The certificate directory (crt /path) contains multiple certificates; for example:
A.pem — domains example.com, *.example.com
B.pem — domains another-domain.com, test.example.com
C.pem — domains third-domain.com, test.example.com
An incoming request with the SNI “test.example.com” would match either cert A, B or C (B and C have the exact domain, A has it as a wildcard).
How does haproxy determine which certificate will be sent? Is an exact match (without a wildcard) always preferred? Or is it random (or depends on certificate filename alphabetical ordering)?
Is there a configuration option to always prefer certificate A, if it matches the sent SNI (“test.example.com”)?
My example above only lists certs A+B+C, but in reality there are many more, and everything except cert A is dynamically changing, so they can’t be hard-coded in the configuration without extra trouble.
It seems that crt-list might be the thing I need, but I can’t really understand the documentation.
Basically, I want to specify “always use cert A if it matches the request SNI in any way, and fallback to other certificates only if it doesn’t match.” Can this be done?
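Added example (not part of the original post, and not an official HAProxy snippet): a crt-list file that expresses "cert A for anything under example.com, everything else only for its own non-overlapping names". Giving each line explicit SNI filters means B.pem and C.pem never register test.example.com at all, so the question of exact-versus-wildcard precedence between A, B and C does not arise; A is also the first entry, so it is the bind line's default certificate. The file path, certificate paths and the bind line are assumptions for illustration.

```haproxy
# /etc/haproxy/certs.list  (assumed path; crt-list format, "#" lines are comments)
#
# Referenced from the listener instead of "crt <dir>":
#   bind :443 ssl crt-list /etc/haproxy/certs.list strict-sni
#
# Cert A is listed first (so it is the default certificate) and is pinned to
# its own names with explicit SNI filters, including the wildcard.
/etc/haproxy/certs/A.pem example.com *.example.com

# The other certificates are listed only for the names that do not overlap
# with A. Because no filter here mentions test.example.com, an SNI of
# test.example.com can only match A.pem's "*.example.com" filter.
/etc/haproxy/certs/B.pem another-domain.com
/etc/haproxy/certs/C.pem third-domain.com
```

Caveat for the dynamic part of the question: with a crt-list the filters, not the certificates' SANs, decide what each entry serves, so whatever process adds or rotates the non-A certificates has to regenerate this file (or use the runtime API's `add ssl crt-list` / `del ssl crt-list` commands in HAProxy 2.2 and later) with filters that exclude A's names.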