Thanks Lukas, I have this working now (at least on my test server).
FYI,
1.5.8 didn't work with either method.
1.5.11 worked with both methods.
Thanks for your help.
-----Original Message-----
From: Lukas Tribus
Sent: Sunday, March 22, 2015 9:27 PM
To: Peter Butler ; [email protected]
Subject: RE: HAProxy with multiple certificates, one of which being wild card, and the other being sub of that wildcard
I have tried this change already, by renaming them alphabetically.
Didn't make any difference.
It won't in 1.5.8. Only 1.5.11 respects alphabetical ordering of the
certificates in a folder. Please specify them manually:
crt /etc/haproxy/ssl/wildcard.mycompany.com.au.crt crt /etc/haproxy/ssl/www.secure.mycompany.com.au.crt
(or vice versa, if I haven't got the problem right).
> You can read the RFC 2818, chapter "3.1. Server Identity" for more
> details:
> http://tools.ietf.org/html/rfc2818#section-3.1
>
I think my issue is here, from your link:
E.g., *.a.com matches foo.a.com but not bar.foo.a.com
In my case I have a cert for both:
*.a.com.au
and
bar.foo.a.com.au
If that information is correct, there is simply a bug here.
The wildcard certificate should be served for secure.mycompany.com.au,
not the www.secure.mycompany.com.au certificate.
You are making sure that all browsers that you test support SNI, correct
(meaning no test with Internet Explorer on Windows XP)?
Lukas
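
Added example (not part of the original messages and not HAProxy's code): a simplified Python model of the RFC 2818 section 3.1 wildcard rule quoted above, applied to the certificate files named in this thread. The names assigned to each file, the exact-before-wildcard preference, and the default certificate for clients without SNI are assumptions of this model.

```python
# Simplified model of SNI certificate selection; assumptions are marked.

def matches(pattern, hostname):
    """Return True if a certificate name covers hostname (RFC 2818, 3.1).

    Only a whole left-most label of "*" is treated as a wildcard, and it
    stands for exactly one label. Partial-label wildcards such as
    "f*.com" are not handled (assumption of this example).
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def pick_cert(sni, certs, default=None):
    """Choose a certificate file for an SNI name.

    An exact name wins over a wildcard regardless of load order
    (assumption). A client that sends no SNI (sni is None) gets the
    default certificate.
    """
    if sni is None:
        return default
    wildcard_hit = None
    for path, names in certs.items():
        for name in names:
            if not matches(name, sni):
                continue
            if not name.startswith("*."):
                return path
            wildcard_hit = wildcard_hit or path
    return wildcard_hit or default


# File paths are from the thread; the names each file carries are assumed.
WILDCARD = "/etc/haproxy/ssl/wildcard.mycompany.com.au.crt"
SPECIFIC = "/etc/haproxy/ssl/www.secure.mycompany.com.au.crt"
CERTS = {
    WILDCARD: ["*.mycompany.com.au"],
    SPECIFIC: ["www.secure.mycompany.com.au"],
}
```

In this model secure.mycompany.com.au resolves to the wildcard file and www.secure.mycompany.com.au resolves to the specific file, because the wildcard covers only one label.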