http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#ssl-default-bind-ciphers
This states the following:

    There are cases where it is desirable to support multiple key types, e.g. RSA and ECDSA in the cipher suites offered to the clients. This allows clients that support EC certificates to be able to use EC ciphers, while simultaneously supporting older, RSA only clients. In order to provide this functionality, multiple PEM files, each with a different key type, are required. To associate these PEM files into a "cert bundle" that is recognized by haproxy, they must be named in the following way: All PEM files that are to be bundled must have the same base name, with a suffix indicating the key type. Currently, three suffixes are supported: rsa, dsa and ecdsa. For example, if http://www.example.com has two PEM files, an RSA file and an ECDSA file, they must be named: "example.pem.rsa" and "example.pem.ecdsa". The first part of the filename is arbitrary; only the suffix matters. To load this bundle into haproxy, specify the base name only:

    Example : bind :8443 ssl crt example.pem

    Note that the suffix is not given to haproxy; this tells haproxy to look for a cert bundle. Haproxy will load all PEM files in the bundle at the same time to try to support multiple key types. PEM files are combined based on Common Name (CN) and Subject Alternative Name (SAN) to support SNI lookups. This means that even if you give haproxy a cert bundle, if there are no shared CN/SAN entries in the certificates in that bundle, haproxy will not be able to provide multi-cert support.

I tried exactly per instructions, and haproxy will not bundle them at runtime:

    $ sudo haproxy -v
    HA-Proxy version 1.7-dev4-41d5e3a 2016/08/14
    Copyright 2000-2016 Willy Tarreau

I have example.pem.rsa and example.pem.ecdsa in the same directory and both are valid certs. I use example.pem in the config as instructed. Here is the error:

    $ sudo haproxy -f /etc/haproxy/haproxy.cfg
    [ALERT] 232/013138 (32073) : parsing [/etc/haproxy/haproxy.cfg:54] : 'bind x.x.x.x:443' : unable to load SSL private key from PEM file '/etc/ssl/private/example.pem'.
    [WARNING] 232/013138 (32073) : parsing [/etc/haproxy/haproxy.cfg:59] : a 'redirect' rule placed after a 'use_backend' rule will still be processed before.
    [ALERT] 232/013138 (32073) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
    [ALERT] 232/013138 (32073) : Proxy 'https-443': no SSL certificate specified for bind 'x.x.x.x:443' at [/etc/haproxy/haproxy.cfg:54] (use 'crt').
    [ALERT] 232/013138 (32073) : Fatal errors found in configuration.

Is there a bug in this feature? My config looks like this:

    frontend https-443
        bind x.x.x.x:443 ssl crt /etc/ssl/private/example.pem force-tlsv12
        mode http
        use_backend example if { ssl_fc_sni example.com }

--
Joshua P. Gibson
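The following pre-flight script is an added example, not code from the post above or from the HAProxy project, for checking a bundle against the three conditions the quoted documentation sets: the suffixed files must exist under the base name given to `crt`, each member must carry a certificate plus its private key, and the members must share at least one CN/SAN name or haproxy cannot combine them for SNI lookups. It also checks the base path itself, because haproxy only tries the suffix lookup when the base path does not exist; if `/etc/ssl/private/example.pem` is present it is loaded as an ordinary single PEM and the `.rsa`/`.ecdsa` files are ignored. The path and PEM-block checks need only `sh` and `grep`; the key-match and name checks assume the `openssl` CLI is installed and are skipped when it is not. One caveat worth checking on a build like the one posted: the bundle loader is compiled in only when haproxy is built against OpenSSL 1.0.2 or newer, and `haproxy -vv` prints the OpenSSL version the binary was built with; against an older library haproxy falls back to loading the base path as a plain file, which produces exactly the "unable to load SSL private key from PEM file '<base>'" alert.

```shell
#!/bin/sh
# check_bundle.sh: pre-flight checks for a HAProxy multi-cert bundle.
# Added example, not code from the post or from the HAProxy project.
# Usage: sh check_bundle.sh /etc/ssl/private/example.pem
#
# Checks: the base path must NOT exist as a file (haproxy would then load it
# as a single PEM and never look for suffixed members), every member must
# carry a certificate and its private key, and the members must share at
# least one CN/SAN name or haproxy cannot combine them for SNI lookups.

# Suffixes the crt documentation recognizes for bundle members.
BUNDLE_SUFFIXES="rsa ecdsa dsa"

# Print the existing members of the bundle at BASE, one per line.
bundle_members() {
    for s in $BUNDLE_SUFFIXES; do
        [ -f "$1.$s" ] && printf '%s\n' "$1.$s"
    done
    return 0
}

# Print how haproxy would treat BASE: "single" (path exists, loaded as one
# PEM), "bundle" (path absent, suffixed members present) or "missing".
bundle_mode() {
    if [ -e "$1" ]; then
        echo single
    elif [ -n "$(bundle_members "$1")" ]; then
        echo bundle
    else
        echo missing
    fi
}

# Succeed if FILE contains both a CERTIFICATE and a PRIVATE KEY PEM block.
pem_has_cert_and_key() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Succeed if the private key in FILE matches the certificate in FILE
# (compares SHA-256 of the DER public key from each side; needs openssl).
key_matches_cert() {
    c=$(openssl x509 -noout -pubkey -in "$1" | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Print the subject CN and every SAN dNSName of the certificate in FILE
# (needs openssl; tolerates both "CN=x" and "CN = x" subject formats).
cert_names() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *//p' | sed 's|[,/].*||'
    openssl x509 -noout -text -in "$1" |
        sed -n '/Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed -n 's/.*DNS://p' | tr -d ' '
}

# Print the names present in every member of the bundle at BASE.
shared_names() {
    set -- $(bundle_members "$1")
    n=$#
    for f in "$@"; do cert_names "$f" | sort -u; done |
        sort | uniq -c | awk -v n="$n" '$1 == n { print $2 }'
}

main() {
    base=$1
    case $(bundle_mode "$base") in
        single)  echo "FAIL: $base exists; haproxy loads it as a single PEM, not a bundle"; return 1 ;;
        missing) echo "FAIL: none of $base.{rsa,ecdsa,dsa} found"; return 1 ;;
    esac
    rc=0
    for f in $(bundle_members "$base"); do
        if pem_has_cert_and_key "$f"; then echo "ok:   $f has cert and key"
        else echo "FAIL: $f lacks a certificate or private key block"; rc=1; fi
        if command -v openssl >/dev/null 2>&1; then
            if key_matches_cert "$f"; then echo "ok:   key matches cert in $f"
            else echo "FAIL: key does not match cert in $f"; rc=1; fi
        fi
    done
    if command -v openssl >/dev/null 2>&1; then
        shared=$(shared_names "$base")
        if [ -n "$shared" ]; then echo "ok:   shared CN/SAN names: $(echo $shared)"
        else echo "FAIL: members share no CN/SAN name; haproxy cannot serve them as one SNI entry"; rc=1; fi
    fi
    return $rc
}

# Run only when given a base path, so the functions can also be sourced.
[ $# -eq 0 ] || main "$1"
```

Run it with the same path the `crt` keyword gets, i.e. the base name without suffix. A "single" verdict means the base file is shadowing the bundle and should be removed or renamed; a "missing" verdict means the suffixed files are not where the base path points (check the directory and the exact `.rsa`/`.ecdsa`/`.dsa` spelling). The shared-name check reproduces the documentation's caveat that bundling is keyed on CN/SAN, so an RSA cert for `example.com` and an ECDSA cert for `www.example.com` with no common name will never be served as one SNI entry.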

