Hi!
From the (1.6) configuration documentation I understand that for the “crt” bind
option all files in a directory will be read in alphabetical order (exclusions
through reserved extensions notwithstanding).
It goes on to say
> The certificates will be presented to clients who provide a
> valid TLS Server Name Indication field matching one of their CN or alt
> subjects. Wildcards are supported, where a wildcard character '*' is used
> instead of the first hostname component […]
I am wondering what the precedence is if there are two certificates matching a
particular domain.
Say I have two certificates available, one wildcard, and one Extended
Validation cert, named like this:
cert_001.wildcard.mydomain.com.pem
cert_002.www.mydomain.crt.pem
and a configuration like this
> frontend web_ssl-sni-based
> bind 192.168.205.7:452 ssl crt /etc/haproxy/ssl/
Am I correct to assume (unfortunately I cannot try this out right now) that if
a request comes in for “www.mydomain.com” it will get served with the wildcard
certificate, because that one sorts first by filename? Or is there some
precedence implementation that would prefer the more specific cert where the
domain actually matches one of the CN / SAN fields?
Thanks,
Daniel
--
Daniel Schneller
Principal Cloud Engineer
CenterDevice GmbH | Hochstraße 11 | 42697 Solingen | Germany
tel: +49 1754155711
www.centerdevice.de
Managing directors: Dr. Patrick Peschlow, Dr. Lukas Pustina,
Michael Rosbach; Commercial register no.: HRB 18655,
Register court: Bonn, VAT ID: DE-815299431
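Added example (not part of the original post, and not HAProxy code): a small Python check that applies the name-matching rule quoted from the documentation, i.e. a `*` stands in for the first hostname component only, to the certificates in a `crt` directory in alphabetical filename order, and reports every certificate whose CN/SAN names cover a given hostname. It does not claim which certificate HAProxy will pick; it shows where the question actually arises, namely when more than one file matches, so that an operator can spot such overlaps before relying on the server's precedence rules. The names attributed to the two sample files are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: what the two files from the question might carry
# as CN / SAN names. These are assumptions for illustration, not values read
# from any real certificate.
SAMPLE_CERTS: Dict[str, List[str]] = {
    "cert_001.wildcard.mydomain.com.pem": ["*.mydomain.com", "mydomain.com"],
    "cert_002.www.mydomain.crt.pem": ["www.mydomain.com"],
}

_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def name_matches(pattern: str, hostname: str) -> Optional[str]:
    """Return 'exact', 'wildcard', or None.

    Implements the rule quoted from the HAProxy docs: a certificate name
    matches the SNI hostname if it is identical, or if it starts with '*.'
    and the '*' replaces exactly the first hostname component.
    '*.mydomain.com' therefore covers 'www.mydomain.com' but neither
    'mydomain.com' nor 'a.b.mydomain.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return "exact"
    if pattern.startswith("*."):
        remainder = pattern[2:]
        head, sep, tail = hostname.partition(".")
        # The wildcard must absorb one well-formed label, no more, no less.
        if sep and _LABEL.match(head) and tail == remainder:
            return "wildcard"
    return None


def candidates(certs: Dict[str, List[str]], hostname: str) -> List[Tuple[str, str]]:
    """Walk the certificate files in alphabetical order, as the crt directory
    option reads them, and return (filename, kind) for each file whose names
    cover the hostname. Within one file an exact name outranks a wildcard."""
    result = []
    for fname in sorted(certs):
        kinds = {k for k in (name_matches(n, hostname) for n in certs[fname]) if k}
        if kinds:
            result.append((fname, "exact" if "exact" in kinds else "wildcard"))
    return result


def is_ambiguous(matches: List[Tuple[str, str]]) -> bool:
    """True when more than one certificate file covers the hostname, i.e. the
    served certificate depends on the server's precedence rules, not on the
    names alone. That is the situation worth resolving in the directory."""
    return len(matches) > 1


if __name__ == "__main__":
    for host in ("www.mydomain.com", "api.mydomain.com", "mydomain.com"):
        found = candidates(SAMPLE_CERTS, host)
        flag = " (AMBIGUOUS)" if is_ambiguous(found) else ""
        print(f"{host}: {found}{flag}")
```

For the sample input, `www.mydomain.com` is covered by both files (the wildcard file first by sort order, the exact file second), which is exactly the overlap the question is about; `api.mydomain.com` is covered only by the wildcard file. Feeding the function the real CN/SAN lists (for instance taken from `openssl x509 -noout -subject -ext subjectAltName -in <file>`) shows which hostnames are served unambiguously and which depend on precedence, and the live result for a given name can then be confirmed against the running frontend with `openssl s_client -servername <host> -connect <address>`.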