Why browser is always showing certificate of only one server even if multiple certificates are configured in HAProxy?
There is no load balancing in the certificates HAproxy offers.
The front-end always presents the best certificate for the hostname used in the SNI handshake. The best certificate is the one where the CN or a SAN entry in one of the certificates matches the URI used in the request, and if no such match can be made, the default certificate is used.
The option crt-list uses the first entry as the default certificate.
Also the certificate presented at the front-end bears no relation to which back-end server HAProxy connects.
Unless your load balancer operates at the TCP/IP level and only forwards the connection, the load balancer is the man in the middle; the client connects to the load balancer and the load balancer makes its own new connection to the backend to forward the request.
From the manual:
The first declared certificate of a bind line is used as the default certificate, either from the crt or crt-list option, which haproxy should use in the TLS handshake if no other certificate matches. This certificate will also be used if the provided SNI matches its CN or SAN, even if a matching SNI filter is found on any crt-list. The SNI filter !* can be used after the first declared certificate to not include its CN and SAN in the SNI tree, so it will never match except if no other certificate matches. This way the first declared certificate acts as a fallback.
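A configuration that puts the manual's advice into practice, added here as an illustration and not taken from the answer or from the HAProxy project; the file paths, hostnames and backend names are assumed.

```haproxy
# /etc/haproxy/certs/crt-list.txt  (assumed path)
# Format of each line: <pem file> [ssl options] [<SNI filters>]
#
# The FIRST entry is the default certificate. The "!*" filter keeps its
# CN/SAN out of the SNI tree, so it is served only when no other
# certificate matches the SNI the client sent.
/etc/haproxy/certs/fallback.pem !*
# Explicit SNI filters; without them HAProxy matches on CN/SAN instead.
/etc/haproxy/certs/a.example.com.pem a.example.com
/etc/haproxy/certs/b.example.com.pem b.example.com

# /etc/haproxy/haproxy.cfg  (assumed path; relevant section only)
frontend https-in
    bind :443 ssl crt-list /etc/haproxy/certs/crt-list.txt

    # Certificate selection happens during the TLS handshake, above.
    # Backend selection is a separate decision made after it; both use
    # the SNI here only because that is the only name a TLS client sends.
    use_backend app-a if { ssl_fc_sni -i a.example.com }
    use_backend app-b if { ssl_fc_sni -i b.example.com }
    # Unknown SNI: fallback certificate was served, request goes here.
    default_backend app-a

backend app-a
    server a1 10.0.0.11:8080 check

backend app-b
    server b1 10.0.0.21:8080 check
```

To confirm which certificate a given SNI receives, run `openssl s_client -connect <load-balancer>:443 -servername b.example.com </dev/null | openssl x509 -noout -subject` and repeat with an SNI no entry covers; the second run should return the fallback certificate's subject.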