Haproxy 1.5 - Usage of multiple certificates (wildcard)

ssl ssl-certificate domain-name haproxy ssl-certificate-errors

I'm running multiple apps behind Haproxy 1.5. We have a signed SSL wildcard certificate for our domains: *.mysite.com

We need now to implement 4th level domains: *.dev.mysite.com The SSL certificate set up for *.mysite.com will not work in that case. I therefore created a self signed certificate for the common name: *.dev.mysite.com

And I'm now trying to add this certificate into Haproxy. But it seems that only the first certificate for *.mysite.com is taken in consideration by Haproxy and *.dev.mysite.com doesn't seems to be interpreted.

My configuration:

frontend mainHttps
    bind *:433 ssl crt /etc/ssl/private/sites/combined.pem
    [...]

Where combined.pem contains the signed certificate for *.mysite.com and the self signed certificate for *.dev.mysite.com

Note: The behavior of Haproxy 1.5 concerning the binding of SSL certificated is different than the behavior of Haproxy 1.6 as explained here

I'm not sure if the issue is linked to Haproxy version or if the problem is linked to the usage of the wildcard certificate *.mysite.com which take over on *.dev.mysite.com

Edit: I tried to use the following syntax as well:

frontend mainHttps
    bind *:433 ssl crt /etc/ssl/private/sites/
    [...]

Where /etc/ssl/private/sites/ contains two different pem certificates. This syntax seems not to be working.


Solution 1:

I didn't found a simple solution with Haproxy 1.5, but I've applied a workaround that solved my issue as explained below using multiple load balancers. It's not ideal for sure, so my ultimate solution was to upgrade to Haproxy 1.6.

Usage of multiple load balancers:

It's the advantage of working on a HA infrastructure. I'm using a floating IP as my main entry point, which will then reach an available load balancer over Haproxy.

Therefore, I assigned a load balancer to my services that will use the *.dev.mysite.com self signed certificate.

frontend mainHttps
    bind *:433 ssl crt /etc/ssl/private/sites/dev.mysite.pem
    [...]

And I've edited the DNS records so *.dev.mysite.com is redirected to this specific load balancer now dedicated to serve my 4th level domain.

Upgrade to Haproxy 1.6:

As the workaround below is an expensive solution, you might want consider upgrading to Haproxy 1.6 that solve the issue by allowing the binding of multiple certificates:

frontend mainHttps
    bind *:433 ssl crt /etc/ssl/private/dev.mysite.pem crt /etc/ssl/private/mysite.pem
    [...]

Related

Internal Rewrite in Nginx not work, and redirected
Migrating domain from AWS Route S3 to Linode
nginx proxy forward 443
Is it bad practice to put IP addresses into SPF records instead of lookups if you are also in control of the lookedup record?
Can't access instance after setting up iptables rules
Hardware Checks after Air Conditioning Failure
Multiple redirects / rewrites within one VirtualHost group
When do Dell PowerEdge servers (R210II and R620) automatically shutdown due to over heating?
Minus degrees in server room
Why is my Xen DomU kernel using more power/heat when there is no work compared to the default kernel?
Apache PHP-FPM setup results in File not found
Provide multiple cfg files for haproxy loadbalancer