Sorry for responding in the wrong thread, somehow I'm seeing two threads
for this (and another) message. Not sure if it's gmail or the list that's
duplicating threads today.

-Bryan



On Fri, Jun 13, 2014 at 10:48 AM, Bryan Talbot <[email protected]>
wrote:

> On Fri, Jun 13, 2014 at 1:08 AM, kiorky <[email protected]> wrote:
>
>>  just forgot to include the version: HA-Proxy version 1.5-dev25-a339395
>> 2014/05/10
>>
>> On 13/06/2014 10:04, kiorky wrote:
>>
>> Hi, we use a generator for haproxy configs here, and among other things it
>> generates https frontends using SNI to redirect to endpoints.
>> Basically, we host a lot of VMs and the host is NATing/redirecting every
>> served domain to the underlying VM, including when we use https.
>> In other words, it terminates SSL on the haproxy front and we are using a
>> certificate per VM.
>> Technically, this was as simple as adding a crt <crt> for each VM...
>> This setup worked fine and without a glitch for a time, but it's failing
>> on one host as the generated bind line seems to be too long:
>>
>> bind *:443 ssl crt /etc/ssl/cloud/certs/ovh-r5-2.this-company.net.crt crt
>> /etc/ssl/cloud/certs/prod-appapp1.this-company.net.crt crt
>> /etc/ssl/cloud/certs/appapp1.this-company.net.crt crt
>> /etc/ssl/cloud/certs/prod-somethelse.this-company.net.crt crt
>> /etc/ssl/cloud/certs/someth-else.be.crt crt
>> /etc/ssl/cloud/certs/someth-else.com.crt crt
>> /etc/ssl/cloud/certs/someth-else.eu.crt crt
>> /etc/ssl/cloud/certs/someth-else.fr.crt crt
>> /etc/ssl/cloud/certs/someth-else.mobi.crt crt
>> /etc/ssl/cloud/certs/someth-else.net.crt crt
>> /etc/ssl/cloud/certs/someth-else.org.crt crt
>> /etc/ssl/cloud/certs/somethelse.be.crt crt
>> /etc/ssl/cloud/certs/somethelse.com.crt crt
>> /etc/ssl/cloud/certs/somethelse.eu.crt crt
>> /etc/ssl/cloud/certs/somethelse.fr.crt crt
>> /etc/ssl/cloud/certs/somethelse.mobi.crt crt
>> /etc/ssl/cloud/certs/somethelse.net.crt crt
>> /etc/ssl/cloud/certs/somethelse.org.crt crt
>> /etc/ssl/cloud/certs/e-cov.somethelse.net.crt crt
>> /etc/ssl/cloud/certs/appappapp3.somethelse.net.crt crt
>> /etc/ssl/cloud/certs/www.someth-else.be.crt crt
>> /etc/ssl/cloud/certs/www.someth-else.com.crt crt
>> /etc/ssl/cloud/certs/www.someth-else.eu.crt crt
>> /etc/ssl/cloud/certs/www.someth-else.fr.crt crt
>> /etc/ssl/cloud/certs/www.someth-else.mobi.crt crt
>> /etc/ssl/cloud/certs/www.someth-else.org.crt crt
>> /etc/ssl/cloud/certs/www.somethelse.be.crt crt
>> /etc/ssl/cloud/certs/www.somethelse.com.crt crt
>> /etc/ssl/cloud/certs/www.somethelse.eu.crt crt
>> /etc/ssl/cloud/certs/www.somethelse.fr.crt crt
>> /etc/ssl/cloud/certs/www.somethelse.mobi.crt crt
>> /etc/ssl/cloud/certs/www.somethelse.net.crt crt
>> /etc/ssl/cloud/certs/www.somethelse.org.crt crt
>> /etc/ssl/cloud/certs/www2.somethelse.com.crt crt
>> /etc/ssl/cloud/certs/www2.somethelse.eu.crt crt
>> /etc/ssl/cloud/certs/www2.somethelse.fr.crt crt
>> /etc/ssl/cloud/certs/www2.somethelse.net.crt crt
>> /etc/ssl/cloud/certs/www2.somethelse.org.crt crt
>> /etc/ssl/cloud/certs/prod-appapp4.this-company.net.crt crt
>> /etc/ssl/cloud/certs/appapp4.this-company.net.crt
>>
>> (this line is edited but is as long as the original one)
>>
>> This is how haproxy complains at restart:
>>
>> [ALERT] 163/095929 (3094) : parsing
>> [/etc/haproxy/extra/cloudcontroller.cfg:180]: line too long, truncating at
>> word 65, position 1438:  ...
>> [ALERT] 163/095929 (3094) : parsing
>> [/etc/haproxy/extra/cloudcontroller.cfg:180] : 'bind *:443' : 'crt' :
>> missing certificate location
>> [ALERT] 163/095929 (3094) : Error(s) found in configuration file :
>> /etc/haproxy/extra/cloudcontroller.cfg
>>
>>
>> As it first truncates the bind content, it then unsurprisingly fails
>> to load.
>>
>> Would it be affordable to just increase the bind argument size limit, maybe
>> to something large enough that no one can reach this limit?
>>
>>
>
> I think the usual way to handle that is to just specify the directory in
> "crt" and let haproxy load all the certs from that location.
>
> If you want to have a default certificate used when no SNI is provided, or
> when SNI is provided but a cert is not found for it, then name the default
> cert using "crt" and then load the rest with "crt
> /etc/haproxy/cloud/certs/".
>
>
> The crt-list option might be interesting for you as well.
>
> -Bryan
>
>
>
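
As an added example (not code from the thread or from the haproxy project), here is the crt-list variant of Bryan's suggestion, expressed as a small POSIX shell generator of the kind the original poster already uses: it walks a certificate directory, writes one crt-list line per PEM bundle with an explicit SNI filter derived from the file name, and emits a bind line that stays short no matter how many VMs the host serves. The default certificate listed first with "crt" is what clients that send no SNI (or an unknown name) receive, so it should be the one you are willing to show to everyone. The directory names, the default certificate and the placeholder PEM files are assumptions for the demo; real bundles must contain key and certificate concatenated, as haproxy expects.

```shell
#!/bin/sh
# Added example, not from the original thread: build an haproxy crt-list from
# a directory of PEM bundles instead of one "crt <file>" argument per VM.
set -e

# build_crt_list <certdir> <outfile>
# Writes one line per *.crt in <certdir>: "<path> <sni-filter>", where the
# SNI filter is the file name without ".crt" (e.g. www.somethelse.com.crt
# -> www.somethelse.com).  Without an explicit filter haproxy would match on
# the certificate's CN/SAN instead; naming it here keeps the mapping visible.
# Prints the number of entries written.
build_crt_list() {
    certdir=$1
    out=$2
    : > "$out"
    for pem in "$certdir"/*.crt; do
        [ -f "$pem" ] || continue
        name=$(basename "$pem" .crt)
        printf '%s %s\n' "$pem" "$name" >> "$out"
    done
    wc -l < "$out" | tr -d ' '
}

# bind_line <default-pem> <crt-list>
# The default certificate is given first with "crt" so it is served when the
# client sends no SNI or a name that matches nothing; every other certificate
# comes from the crt-list, so the bind line length no longer grows per VM.
bind_line() {
    default_crt=$1
    crt_list=$2
    printf 'bind *:443 ssl crt %s crt-list %s\n' "$default_crt" "$crt_list"
}

# demo: constructed input (placeholder files standing in for real PEM bundles
# in a temporary directory), then the generated crt-list and bind line.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/certs"
    for d in ovh-r5-2.this-company.net www.somethelse.com www.somethelse.org; do
        echo "placeholder, not a real key+cert bundle" > "$tmp/certs/$d.crt"
    done
    n=$(build_crt_list "$tmp/certs" "$tmp/cloud.crt-list")
    echo "# crt-list with $n entries:"
    cat "$tmp/cloud.crt-list"
    echo "# bind line:"
    bind_line "$tmp/certs/ovh-r5-2.this-company.net.crt" "$tmp/cloud.crt-list"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh gen-crt-list.sh demo` to see the generated file; in the real setup the generator would write the crt-list next to the haproxy config and the bind line would replace the long one from the post. Regenerate the crt-list and reload haproxy whenever a VM's certificate is added or rotated, and check the result with `haproxy -c -f <config>` before reloading, since a missing or unreadable bundle still fails the whole bind.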
