Forgot to CC the mailing list.

Thanks Cyril.

> Date: Fri, 20 Mar 2015 00:47:53 +0100
> From: [email protected]
> To: [email protected]; [email protected]
> Subject: Re: HAProxy with multiple certificates, one of which being wild 
> card, and the other being sub of that wildcard
> 
> Hi Peter,
> 
> Le 20/03/2015 00:32, Peter Butler a écrit :
> > I logged this on stackoverflow
> > (http://stackoverflow.com/questions/29133477/haproxy-with-multiple-certificates-one-of-which-being-wild-card-and-the-other),
> > but HAProxy usage there is pretty low.
> >
> > This is my first mailing list email in years, please let me know if I
> > have broken any rules.
> >
> >
> > I have HAProxy working pretty well, I have port 80 and 443 open, TCP
> > over 443 over an internal proxy. HTTPS end to end. I am serving
> > certificates: *.mycompany.com.au www.secure.mycompany.com.au
> > SNI does not seem to be working, as when I go to
> > secure.mycompany.com.au, I keep getting the www.secure.mycompany.com.au
> > certificate (and weirdly *most* browsers do not throw an error). But when
> > I go to mail.mycompany.com.au I get the *.mycompany.com.au certificate
> > correctly.
> 
> Indeed, keep in mind that a wildcard certificate works only for 
> subdomains, not sub-subdomains.

This is fine, and as mentioned it's working great for my other wild card certs,
but the difference is they do not have a
specific.sub-which-is-the-same-as-a-wildcard.mycompany.com.au

(and I believe the bold part is my issue here.)


> 
> So www.secure.mycompany.com.au won't match the "*.mycompany.com.au" 
> wildcard certificate. As no certificate matches the hostname, the first 
> one loaded is applied. I guess that in your SSL directory, the 
> certificate file for "secure.mycompany.com.au" is listed first.


I have tried this change already, by renaming them alphabetically.  Didn't make 
any difference.


> 
> You can read the RFC 2818, chapter "3.1. Server Identity" for more details :
> http://tools.ietf.org/html/rfc2818#section-3.1
> 

I think my issue is here, from your link:
E.g., *.a.com matches foo.a.com but not bar.foo.a.com

In my case I have a cert for both:
*.a.com.au
and
bar.foo.a.com.au




> 
> > If I remove the www.secure.mycompany.com.au cert from the SSL directory,
> > and I browse to secure.mycompany.com.au I get the correct certificate,
> > but of course when I go to www.secure.mycompany.com.au, I get an error on
> > the browser, as it tries to give me *.mycompany.com.au certificate.
> 
> It tends to confirm this : the wildcard still doesn't match, and the 
> first certificate is applied (which in this case is by chance the 
> wildcard). If you insert a fake certificate before the wildcard, I'm sure 
> it will be this one that will match.
> 
> > Can anyone see what I am doing wrong please.
> >
> > By the way, I also have a *.abc.def.mycompany.com.au and
> > *.def.mycompany.com.au in this same config (removed from below, but in same
> > syntax), and they are working perfectly.
> >
> > haproxy -version
> > HA-Proxy version 1.5.8 2014/10/31
> > Copyright 2000-2014 Willy Tarreau <[email protected]>
> >
> > ##################################################################################
> > global
> > daemon
> > user haproxy
> > group haproxy
> > log /dev/log local0 info
> > log /dev/log local0 notice
> > ulimit-n 20000
> > pidfile /var/run/haproxy.pid
> > tune.ssl.default-dh-param 2048
> >
> > ##################################################################################
> >
> > ## Port80 is open only to forward all requests to port 443.
> > frontend unsecure 123.123.123.155:80 #Prod
> > bind 192.168.14.155:80 #Prod
> > mode http
> > redirect scheme https code 301 if !{ ssl_fc }
> >
> > ##################################################################################
> >
> > ##Listen on 443, and forward to internal proxy on 88. Needed for SSL end to end.
> > listen ssl-proxy
> > ##Only accept mycompany host headers
> > http-request deny if !{ hdr_end(Host) -i mycompany.com.au } !{ hdr_end(Host) -i www.secure.mycompany.com.au }
> >
> > # Get Certificates from SSL directory.
> > bind 123.123.123.155:443 ssl crt /etc/haproxy/ssl npn http/1.1 ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM no-sslv3
> > bind 192.168.14.155:443 ssl crt /etc/haproxy/ssl npn http/1.1 ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM no-sslv3
> >
> > mode tcp
> > server http 127.0.0.1:88 send-proxy
> >
> > ##################################################################################
> >
> > frontend internal_proxy
> > mode http
> > bind 127.0.0.1:88 accept-proxy name accept-sslproxy
> > bind-process 1
> >
> > acl is_secure_mycompany_com_au hdr_end(host) -i www.secure.mycompany.com.au
> > acl is_secure_mycompany_com_au hdr_end(host) -i secure.mycompany.com.au
> > use_backend https_secure_mycompany_com_au if is_secure_mycompany_com_au
> >
> > acl is_mail_mycompany_com_au hdr_end(host) -i mail.mycompany.com.au
> > use_backend https_mail_mycompany_com_au if is_mail_mycompany_com_au
> >
> > default_backend nomatch
> >
> > ##################################################################################
> > backend https_secure_mycompany_com_au
> > mode http
> > option tcp-check
> > server web-01 192.168.14.50:443 check ssl verify none
> >
> > backend https_mail_mycompany_com_au
> > mode http
> > option tcp-check
> > server web-02 192.168.14.51:443 check ssl verify none
> >
> > backend nomatch
> > mode http
> > errorfile 503 /etc/haproxy/errors/503.http
> >
> > ##################################################################################
> > 
> > By the way, on the backend I just redirect all
> > www.secure.mycompany.com.au to secure.mycompany.com.au (it was a old
> > marketing mistake). But I still need it there for now for history
> >
> >
> >
> 
> 
> -- 
> Cyril Bonté
> 
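The RFC 2818 section 3.1 rule Cyril cites, and the "first loaded certificate is the fallback" behaviour he describes, are easy to get wrong by intuition, so here is a small model of both. This is an added example written for this page; it is not code from the thread and not HAProxy's own SNI lookup. The hostnames are the ones from the thread, the load order of the certificates is an assumption, and the `audit`/`mismatched_hosts` helpers are constructed here to list which served hostnames would fall through to the fallback and be presented a certificate whose name does not match (the case a browser should reject):

```python
# Added example, not code from the thread or from HAProxy itself: a model
# of the RFC 2818 section 3.1 hostname rule and of the "first loaded
# certificate is the fallback" behaviour described in the thread.
# Certificate load order below is an assumption; the names are the
# thread's own.

from typing import List, Tuple


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the certificate name `pattern`.

    RFC 2818 section 3.1: the comparison is case-insensitive and a `*`
    stands for exactly one DNS label, so `*.a.com` covers `foo.a.com`
    but not `bar.foo.a.com` and not the bare `a.com`.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def select_certificate(loaded_certs: List[str], sni_hostname: str) -> str:
    """Pick the certificate name that would be presented for `sni_hostname`.

    `loaded_certs` lists certificate subject names in the order they were
    loaded from the crt directory. An exact name wins over a wildcard; if
    nothing matches, the first loaded certificate is served (the fallback
    Cyril describes), which is exactly the case a browser should reject.
    """
    if not loaded_certs:
        raise ValueError("no certificates loaded")
    for name in loaded_certs:
        if "*" not in name and hostname_matches(name, sni_hostname):
            return name
    for name in loaded_certs:
        if "*" in name and hostname_matches(name, sni_hostname):
            return name
    return loaded_certs[0]


def audit(loaded_certs: List[str], hostnames: List[str]) -> List[Tuple[str, str, bool]]:
    """For each hostname, report (hostname, certificate served, name matches)."""
    report = []
    for host in hostnames:
        chosen = select_certificate(loaded_certs, host)
        report.append((host, chosen, hostname_matches(chosen, host)))
    return report


def mismatched_hosts(loaded_certs: List[str], hostnames: List[str]) -> List[str]:
    """Hostnames that fall through to the fallback and get a non-matching cert."""
    return [h for h, _, ok in audit(loaded_certs, hostnames) if not ok]


# Assumed load order for the demo (wildcard first); names from the thread.
LOADED = ["*.mycompany.com.au", "www.secure.mycompany.com.au"]
HOSTS = [
    "secure.mycompany.com.au",
    "www.secure.mycompany.com.au",
    "mail.mycompany.com.au",
    "bar.foo.mycompany.com.au",   # constructed: a sub-subdomain with no cert
]

if __name__ == "__main__":
    for host, cert, ok in audit(LOADED, HOSTS):
        print(f"{host:30} -> {cert:30} {'ok' if ok else 'MISMATCH'}")
    print("would need their own cert:", mismatched_hosts(LOADED, HOSTS))
```

Run against a list of every hostname a listener serves, `mismatched_hosts` is a cheap pre-deployment check: any name it returns is one where the wildcard is one label too short (the `*.a.com` vs `bar.foo.a.com` case from the RFC) and a dedicated certificate or SAN entry is needed. The model applies the RFC rule as written, so it cannot tell you why a given HAProxy build picks a particular certificate; for that, the thread's advice of testing with the order of files in the crt directory still applies.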
