Haproxy 1.5 - Usage of multiple certificates (wildcard)
I'm running multiple apps behind Haproxy 1.5. We have a signed SSL wildcard certificate for our domains: *.mysite.com
We need now to implement 4th level domains: *.dev.mysite.com. The SSL certificate set up for *.mysite.com will not work in that case. I therefore created a self-signed certificate for the common name: *.dev.mysite.com.
And I'm now trying to add this certificate into Haproxy. But it seems that only the first certificate, for *.mysite.com, is taken into consideration by Haproxy, and *.dev.mysite.com doesn't seem to be interpreted.
My configuration:
frontend mainHttps
bind *:433 ssl crt /etc/ssl/private/sites/combined.pem
[...]
Where combined.pem contains the signed certificate for *.mysite.com and the self-signed certificate for *.dev.mysite.com.
Note: The behavior of Haproxy 1.5 concerning the binding of SSL certificates is different from the behavior of Haproxy 1.6, as explained here.
I'm not sure if the issue is linked to the Haproxy version or if the problem is linked to the usage of the wildcard certificate *.mysite.com, which takes precedence over *.dev.mysite.com.
Edit: I tried to use the following syntax as well:
frontend mainHttps
bind *:433 ssl crt /etc/ssl/private/sites/
[...]
Where /etc/ssl/private/sites/ contains two different pem certificates. This syntax does not seem to work.
Solution 1:
I didn't find a simple solution with Haproxy 1.5, but I applied a workaround that solved my issue, as explained below, using multiple load balancers. It's not ideal for sure, so my ultimate solution was to upgrade to Haproxy 1.6.
Usage of multiple load balancers:
That's the advantage of working on an HA infrastructure. I'm using a floating IP as my main entry point, which will then reach an available load balancer running Haproxy.
Therefore, I assigned a load balancer to my services that will use the *.dev.mysite.com self-signed certificate.
frontend mainHttps
bind *:433 ssl crt /etc/ssl/private/sites/dev.mysite.pem
[...]
And I edited the DNS records so *.dev.mysite.com is redirected to this specific load balancer, now dedicated to serving my 4th level domain.
Upgrade to Haproxy 1.6:
As the workaround above is an expensive solution, you might want to consider upgrading to Haproxy 1.6, which solves the issue by allowing the binding of multiple certificates:
frontend mainHttps
bind *:433 ssl crt /etc/ssl/private/dev.mysite.pem crt /etc/ssl/private/mysite.pem
[...]
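To see why the *.mysite.com wildcard cannot cover a 4th level name and how a listener loaded with several certificates resolves an SNI name, here is an added Python example (not code from the post or from HAProxy itself); the hostnames, PEM paths and the exact-name-before-wildcard precedence rule are assumptions, not taken from the thread.

```python
# Added example, not from the original post or from HAProxy itself. It checks
# why a *.mysite.com wildcard cannot cover app.dev.mysite.com and simulates an
# SNI-based choice among several loaded certificates. Hostnames and paths are
# constructed; the precedence rule (exact name before wildcard, first loaded
# certificate as default) is an assumption about the listener, not page text.

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching: a leading '*' covers exactly one DNS label, so
    '*.mysite.com' matches 'app.mysite.com' but never 'app.dev.mysite.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Same label count, a non-empty first label, identical remaining labels.
    return (len(p_labels) == len(h_labels) and bool(h_labels[0])
            and p_labels[1:] == h_labels[1:])

def select_certificate(certs, sni: str) -> str:
    """Return the PEM path served for a client SNI name. certs is a list of
    (pem_path, [names]) in load order; an exact name beats a wildcard and the
    first loaded certificate is the fallback when nothing matches."""
    wildcard_hit = None
    for pem_path, names in certs:
        for name in names:
            if not name.startswith("*.") and wildcard_matches(name, sni):
                return pem_path
            if wildcard_hit is None and wildcard_matches(name, sni):
                wildcard_hit = pem_path
    return wildcard_hit if wildcard_hit is not None else certs[0][0]

def coverage(certs, hostnames) -> dict:
    """Map each hostname to (served PEM, True if that PEM actually names the
    host). False is the browser-warning case the question describes."""
    names_by_path = dict(certs)
    report = {}
    for host in hostnames:
        pem = select_certificate(certs, host)
        report[host] = (pem, any(wildcard_matches(n, host) for n in names_by_path[pem]))
    return report

# Constructed sample inventory mirroring the two-certificate 1.6 listener.
SAMPLE_CERTS = [
    ("/etc/ssl/private/mysite.pem", ["mysite.com", "*.mysite.com"]),
    ("/etc/ssl/private/dev.mysite.pem", ["*.dev.mysite.com"]),
]
ONE_FILE_CERTS = SAMPLE_CERTS[:1]  # the 1.5 situation: only *.mysite.com is used
```

Running `coverage(ONE_FILE_CERTS, ["app.dev.mysite.com"])` reproduces the mismatch from the question, while the two-entry inventory returns the dev certificate for the same host.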