In fact, I am sure it's a bug. I also happen to have the following certs:

  *.apps.mycompany.com.au
  *.its.apps.mycompany.com.au

If I go to sitea.its.apps.mycompany.com.au, I get the *.apps.mycompany.com.au certificate.

Where should I log this?

From: Peter Butler
Sent: Saturday, March 28, 2015 8:00 PM
To: [email protected]
Subject: Re: HAProxy with multiple certificates, one of which being wild card, and the other being sub of that wildcard

Hi Lukas/Cyril,

I am not sure what I did during my test, but I am now unable to reproduce it, on either the test or the production server. I am starting to think this is a bug.

Is anyone able to confirm this works as intended for them?

  a. 2 certificates
  b. *.mycompany.com.au (serving up the secure.mycompany.com.au page)
  c. www.secure.mycompany.com.au
  d. on the backend it's all the same content

haproxy --v
HA-Proxy version 1.5.11 2015/01/31
Copyright 2000-2015 Willy Tarreau [email protected]

thanks

-----Original Message-----
From: Peter Butler
Sent: Friday, March 27, 2015 8:52 AM
To: Lukas Tribus ; [email protected]
Subject: Re: HAProxy with multiple certificates, one of which being wild card, and the other being sub of that wildcard

thanks Lukas,

I have this working now (at least on my test server).

fyi, 1.5.8 didn't work with either method. 1.5.11 worked with both methods.

thanks for your help.

-----Original Message-----
From: Lukas Tribus
Sent: Sunday, March 22, 2015 9:27 PM
To: Peter Butler ; [email protected]
Subject: RE: HAProxy with multiple certificates, one of which being wild card, and the other being sub of that wildcard

> I have tried this change already, by renaming them alphabetically.
> Didn't make any difference.

It won't in 1.5.8. Only 1.5.11 respects alphabetical ordering of the certificates in a folder.

Please specify them manually:

crt /etc/haproxy/ssl/wildcard.mycompany.com.au.crt
crt /etc/haproxy/ssl/www.secure.mycompany.com.au.crt

(or vice versa, if I haven't got the problem right).

> > You can read the RFC 2818, chapter "3.1. Server Identity" for more
> > details:
> >
> > http://tools.ietf.org/html/rfc2818#section-3.1
>
> I think my issue is here, from your link:
> E.g., *.a.com matches foo.a.com but not bar.foo.a.com
>
> In my case I have a cert for both:
> *.a.com.au
> and
> bar.foo.a.com.au

If that information is correct, there is simply a bug here. The wildcard certificate should be served for secure.mycompany.com.au, not the www.secure.mycompany.com.au certificate.

You are making sure that all the browsers you test with support SNI, correct (meaning no test with Internet Explorer on Windows XP)?

Lukas
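The certificate lookup Lukas describes, as an added example that is not part of the thread and not HAProxy's own code: a small Python model of RFC 2818 / RFC 6125 wildcard matching (the `*` may only stand in for the whole leftmost label, so `*.a.com` matches `foo.a.com` but not `bar.foo.a.com`) combined with the lookup order HAProxy documents for the `crt` list (exact name match first, then a wildcard match, otherwise the first certificate loaded, which is also what a client that sends no SNI gets). Both scenarios from the thread are run through it. The two `wildcard.mycompany.com.au.crt` / `www.secure...crt` paths are the ones Lukas suggested; the paths for the `*.apps` / `*.its.apps` pair and the per-certificate name lists are assumptions, constructed for the example.

```python
"""Model of SNI-driven certificate selection with RFC 6125-style wildcard
matching. Added illustration for the HAProxy thread above; it is NOT
HAProxy's code, it only models the documented lookup order so the two
scenarios from the thread can be checked offline."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cert:
    """A certificate reduced to the names it is valid for (CN plus SANs)."""
    path: str
    names: List[str]


def _labels(name: str) -> List[str]:
    return name.lower().rstrip(".").split(".")


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 section 6.4.3 style matching.

    '*' may only replace the entire leftmost label, so *.a.com matches
    foo.a.com but neither bar.foo.a.com nor a.com itself. Partial-label
    wildcards (f*.com), wildcards in other positions, and wildcards that
    would cover a whole public suffix (*.com) are rejected. A pattern
    without '*' has to match exactly."""
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or "*" in pattern[1:] or len(p) < 3:
        return False
    return len(p) == len(h) and p[1:] == h[1:]


def select_cert(sni: Optional[str], certs: List[Cert]) -> Cert:
    """Pick the certificate to present for the ClientHello's SNI value.

    Order modelled on HAProxy's documented behaviour: an exact name match
    wins, then a wildcard match, otherwise the first certificate loaded.
    The fallback is also what a client without SNI support (e.g. IE on
    Windows XP) receives, which is why certificate order matters there."""
    if sni:
        for cert in certs:
            if any("*" not in n and wildcard_matches(n, sni) for n in cert.names):
                return cert
        for cert in certs:
            if any("*" in n and wildcard_matches(n, sni) for n in cert.names):
                return cert
    return certs[0]


# Scenario from Peter's second mail; paths are the ones Lukas suggested,
# the name lists are an assumption (CN only, no extra SANs).
SCENARIO_SECURE = [
    Cert("/etc/haproxy/ssl/wildcard.mycompany.com.au.crt", ["*.mycompany.com.au"]),
    Cert("/etc/haproxy/ssl/www.secure.mycompany.com.au.crt", ["www.secure.mycompany.com.au"]),
]

# Scenario from Peter's last mail; paths and name lists are assumptions.
SCENARIO_APPS = [
    Cert("/etc/haproxy/ssl/wildcard.apps.mycompany.com.au.crt", ["*.apps.mycompany.com.au"]),
    Cert("/etc/haproxy/ssl/wildcard.its.apps.mycompany.com.au.crt", ["*.its.apps.mycompany.com.au"]),
]


def served_names(sni: Optional[str], certs: List[Cert]) -> List[str]:
    """Convenience wrapper: the names on the certificate that would be served."""
    return select_cert(sni, certs).names


if __name__ == "__main__":
    for sni, certs in [
        ("secure.mycompany.com.au", SCENARIO_SECURE),
        ("www.secure.mycompany.com.au", SCENARIO_SECURE),
        ("sitea.its.apps.mycompany.com.au", SCENARIO_APPS),
        ("sitea.apps.mycompany.com.au", SCENARIO_APPS),
        (None, SCENARIO_APPS),
    ]:
        print(f"SNI={sni!r:40} -> {select_cert(sni, certs).path}")
```

To check what a real HAProxy instance actually hands out for a given name, run `openssl s_client -connect <host>:443 -servername sitea.its.apps.mycompany.com.au </dev/null 2>/dev/null | openssl x509 -noout -subject` and compare with the result the model predicts; repeating it without `-servername` shows the no-SNI fallback, which is the first certificate in the `crt` list.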

