How to configure HAProxy for multiple SSL-Certificates

Solution 1:

Ensure that you're running HAProxy 1.6 or higher

This question is a little old, but I ran into this exact same issue with configurations similar to the OP's.

HAProxy 1.5 accepts the multiple crt syntax on a bind option; however, it uses only the first certificate when responding.

HAProxy 1.6 appears to respond with the certificate based on the caller's request. This does not appear to require any special sni ACLs in the config.

Here's an example that works on 1.6, but fails to use cert2.pem when responding to requests for place2.com on 1.5:

frontend http-in
        bind *:80
        bind *:443 ssl crt cert1.pem crt cert2.pem
        mode http

        acl common_dst hdr(Host) -m str place1.com place2.com

        use_backend be_common if common_dst

backend be_common
        # nothing special here.

Solution 2:

How are you testing which certificate haproxy is presenting? If you're using openssl s_client, be advised that it requires an additional parameter (-servername api.domain.com) in order to send the SNI information which haproxy needs to decide which certificate to present.
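The following script is an added example, not code from either answer: it probes an HAProxy listener once per SNI name (using the `-servername` flag mentioned above) and checks that the certificate presented actually covers that name, so a 1.5-style "always the first certificate" listener shows up as a failure. The host, port and hostnames are assumptions passed on the command line.

```shell
# Added example: check which certificate HAProxy presents per SNI name.
# Assumes HOST:PORT is the ssl bind and the names are given as arguments.
set -eu

# Subject and SAN of the certificate presented for one SNI name. -servername
# is what makes s_client send SNI; without it HAProxy has no hostname to match
# and serves its default (first) certificate. </dev/null ends the session.
presented_cert() {
    local host=$1 port=$2 servername=$3
    openssl s_client -connect "$host:$port" -servername "$servername" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -ext subjectAltName
}

# Pure check: does a subject/SAN listing (as printed above) cover NAME?
# Understands both subject formats openssl prints and one leading wildcard.
cert_covers() {
    local listing=$1 name=$2 names entry
    names=$(printf '%s\n' "$listing" | sed 's/ *= */=/g' | tr ', /' '\n\n\n' \
        | sed -n -e 's/^DNS://p' -e 's/^subject=CN=//p' -e 's/^CN=//p')
    while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        case $entry in
            "$name") return 0 ;;
            \*.*) [ "${name#*.}" != "$name" ] && [ "${name#*.}" = "${entry#\*.}" ] && return 0 ;;
        esac
    done <<EOF
$names
EOF
    return 1
}

# Probe every name in turn; exit status is non-zero if any name is served a
# certificate that does not cover it (the 1.5 behaviour from the first answer).
sni_check() {
    local host=$1 port=$2 name listing status=0
    shift 2
    for name in "$@"; do
        listing=$(presented_cert "$host" "$port" "$name") || listing=""
        if cert_covers "$listing" "$name"; then
            echo "OK   $name"
        else
            echo "FAIL $name: presented '$(printf '%s' "$listing" | head -n 1)'"
            status=1
        fi
    done
    return "$status"
}

# Usage: sh sni-check.sh <haproxy-host> <port> <name> [<name>...]
if [ "$#" -ge 3 ]; then sni_check "$@"; fi
```

Run it against the frontend from the first answer with `place1.com place2.com` as the names; on HAProxy 1.5 the second name reports FAIL with cert1's subject, on 1.6 both report OK.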