Sorry for responding in the wrong thread, somehow I'm seeing two threads for this (and another) message. Not sure if it's gmail or the list that's duplicating threads today.
-Bryan On Fri, Jun 13, 2014 at 10:48 AM, Bryan Talbot <[email protected]> wrote: > On Fri, Jun 13, 2014 at 1:08 AM, kiorky <[email protected]> wrote: > >> just forgot to include the version: HA-Proxy version 1.5-dev25-a339395 >> 2014/05/10 >> >> On 13/06/2014 10:04, kiorky wrote: >> >> Hi we use here a generator for haproxy configs and this one generates >> amongst all https frontend using SNI to redirect to endspoints. >> Basically, we host lot of VMS and the host is NATing/redirecting every >> served domain to the underlying VM and when we use https. >> In other words, it terminates SSL on the haproxy front and we are using a >> certicate per VM. >> Technically, this was as simple as adding a crt <crt> for each vm... >> This setup worked fine and without a glitch for a time, but it's falling >> on one host as the generated bind line seems to be too long: >> >> bind *:443 ssl crt /etc/ssl/cloud/certs/ovh-r5-2.this-company.net.crt crt >> /etc/ssl/cloud/certs/prod-appapp1.this-company.net.crt crt >> /etc/ssl/cloud/certs/appapp1.this-company.net.crt crt >> /etc/ssl/cloud/certs/prod-somethelse.this-company.net.crt crt >> /etc/ssl/cloud/certs/someth-else.be.crt crt >> /etc/ssl/cloud/certs/someth-else.com.crt crt >> /etc/ssl/cloud/certs/someth-else.eu.crt crt >> /etc/ssl/cloud/certs/someth-else.fr.crt crt >> /etc/ssl/cloud/certs/someth-else.mobi.crt crt >> /etc/ssl/cloud/certs/someth-else.net.crt crt >> /etc/ssl/cloud/certs/someth-else.org.crt crt >> /etc/ssl/cloud/certs/somethelse.be.crt crt >> /etc/ssl/cloud/certs/somethelse.com.crt crt >> /etc/ssl/cloud/certs/somethelse.eu.crt crt >> /etc/ssl/cloud/certs/somethelse.fr.crt crt >> /etc/ssl/cloud/certs/somethelse.mobi.crt crt >> /etc/ssl/cloud/certs/somethelse.net.crt crt >> /etc/ssl/cloud/certs/somethelse.org.crt crt >> /etc/ssl/cloud/certs/e-cov.somethelse.net.crt crt >> /etc/ssl/cloud/certs/appappapp3.somethelse.net.crt crt >> /etc/ssl/cloud/certs/www.someth-else.be.crt crt >> /etc/ssl/cloud/certs/www.someth-else.com.crt crt >> /etc/ssl/cloud/certs/www.someth-else.eu.crt crt >> /etc/ssl/cloud/certs/www.someth-else.fr.crt crt >> /etc/ssl/cloud/certs/www.someth-else.mobi.crt crt >> /etc/ssl/cloud/certs/www.someth-else.org.crt crt >> /etc/ssl/cloud/certs/www.somethelse.be.crt crt >> /etc/ssl/cloud/certs/www.somethelse.com.crt crt >> /etc/ssl/cloud/certs/www.somethelse.eu.crt crt >> /etc/ssl/cloud/certs/www.somethelse.fr.crt crt >> /etc/ssl/cloud/certs/www.somethelse.mobi.crt crt >> /etc/ssl/cloud/certs/www.somethelse.net.crt crt >> /etc/ssl/cloud/certs/www.somethelse.org.crt crt >> /etc/ssl/cloud/certs/www2.somethelse.com.crt crt >> /etc/ssl/cloud/certs/www2.somethelse.eu.crt crt >> /etc/ssl/cloud/certs/www2.somethelse.fr.crt crt >> /etc/ssl/cloud/certs/www2.somethelse.net.crt crt >> /etc/ssl/cloud/certs/www2.somethelse.org.crt crt >> /etc/ssl/cloud/certs/prod-appapp4.this-company.net.crt crt >> /etc/ssl/cloud/certs/appapp4.this-company.net.crt >> >> (this line is edited but is as long as the original one) >> >> This is how haproxy complains at restart: >> >> [ALERT] 163/095929 (3094) : parsing >> [/etc/haproxy/extra/cloudcontroller.cfg:180]: line too long, truncating at >> word 65, position 1438: ... >> [ALERT] 163/095929 (3094) : parsing >> [/etc/haproxy/extra/cloudcontroller.cfg:180] : 'bind *:443' : 'crt' : >> missing certificate location >> [ALERT] 163/095929 (3094) : Error(s) found in configuration file : >> /etc/haproxy/extra/cloudcontroller.cfg >> >> >> As it first truncates the bind content, it then without surprises fails >> to load. >> >> Is this affordable just to increase the bind argument size limit, maybe >> to something enoughly large that no one can reach this limit ? >> >> > > I think the usual way to handle that is to just specify the directory in > "crt" and let haproxy load all the certs from that location. > > If you want to have a default certificate used when no SNI is provided or > when SNI is provided but a cert is not found for it, then name the default > cert using "crt" and then load the read with "crt > /etc/haproxy/cloud/certs/". > > The crt-list option might be interesting for you as well. > > -Bryan > > >

