Dear all, nice to meet you (first post in a very long time here).
As far as I understand it, when using the crt option of the bind directive with a directory as parameter, cert files from the specified directory are loaded... Well, good, that's great :)

Today we faced an issue on two hosts working in active/passive mode which led us to some cold sweat... The situation is the following:

- HAProxy is used as an SSL termination to offload SSL traffic
- Machine A is the master serving the requests when everything is ok
- Machine B is the "slave" and takes the traffic when we fail over (machine A maintenance period or crash and things like that)
- On each host: exactly the same configuration, and the same certificate files located in the same location on each host (not a shared one but a strictly identical copy).
- We mainly have devices which are SNI aware, but a minority of them is definitely not.

When we failed over, the devices not able to do SNI began to stop working, and as soon as we did a fallback these same devices came back to a working state. After some research we managed to see that:

- machine A was sending the certificate cert1.tld by default
- machine B was sending another certificate, cert2.anotherTLD (which did not correspond to the request made, so the client silently failed and stopped sending traffic)

It seems to be due to the use of readdir in the function ssl_sock_load_cert() located in src/ssl_sock.c. As readdir does not guarantee any order, or at least not an alphabetical or time order, the two instances did not give the same answer although the configurations were exactly the same. We extracted part of the code used in ssl_sock_load_cert and effectively got two different answers on the two hosts:

Host A listing retrieved from readdir():
    cert1.tld
    ...
    cert2.anotherTLD
    ...

Host B listing retrieved from readdir():
    cert2.anotherTLD
    ...
    cert1.tld
    ...
The documentation definitely talks about this in the section describing the "crt" option, but as we are all human and not always reading the entire documentation, would it be possible to emit a warning at HAProxy launch (something like the ones about the order mattering for redirect and acl statements, or the ones for deprecated options) in case it is detected that a directory has been passed to crt without any default cert file mentioned before? Or maybe the listing of certs could be alphabetically sorted, although it may break existing deployments and so may not be a good thing at all.

I'm asking for that although I'm convinced one should read the doc, because in such situations (active/passive configuration) HAProxy may behave differently although configured in the same way, and so you can come back home with a big headache when trying to debug such a situation ;).

Did I mention that... I love HAProxy?

Thank you all and see you for a beer or whatever you like,
Raphaël

P.S. HAProxy version 1.5.8 from debian wheezy backports
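As an added example (not from the post and not HAProxy's own code), a small C program that reproduces the mechanism described above: it creates a scratch directory holding the two file names from the post, picks the "default" the way the post says ssl_sock_load_cert() does (first readdir() entry) and then the deterministic way (scandir() with alphasort()). The scratch path /tmp/crtdir.XXXXXX and the helper names are assumptions.

```c
#define _GNU_SOURCE   /* mkdtemp(), scandir(), alphasort() on glibc */
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
static const char *CERTS[] = { "cert2.anotherTLD", "cert1.tld" }; /* file names from the post */
/* What the post describes for ssl_sock_load_cert(): the first file readdir()
 * returns becomes the default cert, and readdir() gives no ordering guarantee. */
static int first_by_readdir(const char *dir, char *out, size_t len) {
    DIR *d = opendir(dir);
    struct dirent *de;
    int rc = -1;
    if (!d) return -1;
    while (rc < 0 && (de = readdir(d)) != NULL)               /* stop at the first hit */
        if (de->d_name[0] != '.') { snprintf(out, len, "%s", de->d_name); rc = 0; }
    closedir(d);
    return rc;
}

/* Deterministic alternative: scandir() + alphasort() yields the same first file on every host. */
static int first_by_alphasort(const char *dir, char *out, size_t len) {
    struct dirent **list;
    int n = scandir(dir, &list, NULL, alphasort), i, rc = -1;
    if (n < 0) return -1;
    for (i = 0; i < n; i++) {
        if (rc < 0 && list[i]->d_name[0] != '.') { snprintf(out, len, "%s", list[i]->d_name); rc = 0; }
        free(list[i]);
    }
    free(list);
    return rc;
}

/* Creates a throwaway crt directory holding CERTS, asks `pick` for the default,
 * removes the directory again and returns the chosen name ("" on error). */
static const char *default_cert(int (*pick)(const char *, char *, size_t)) {
    static char chosen[256];
    char dir[] = "/tmp/crtdir.XXXXXX", path[2][256];   /* assumed scratch location */
    chosen[0] = '\0';
    if (!mkdtemp(dir)) return chosen;
    for (int i = 0; i < 2; i++) {
        snprintf(path[i], sizeof path[i], "%s/%s", dir, CERTS[i]);
        close(open(path[i], O_WRONLY | O_CREAT, 0600));   /* an empty file is enough for listing */
    }
    pick(dir, chosen, sizeof chosen);
    for (int i = 0; i < 2; i++) unlink(path[i]);
    rmdir(dir);
    return chosen;
}
```

Run on both hosts, the readdir() pick may differ while the alphasort() pick never does; with the 1.5 behaviour described above, the dependable configuration stays naming the default certificate file explicitly before the directory on the bind line.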

