A new patch, that puts the order like this:

config:
crt A
crt B

if A contains wildcard, but not exact match, then wildcard is used.
if A contains exact match, exact match is used. (this also means that if A contains both wildcard and exact match, exact match is used.)
If A contains wildcard, and B contains exact match, then wildcard is used.

This last one is different behavior from what is implemented now.

On 04/18/2017 12:09 PM, Sander Hoentjen wrote:
>
> On 04/18/2017 11:52 AM, Willy Tarreau wrote:
>> Hi Daniel,
>>
>> On Tue, Apr 18, 2017 at 11:25:43AM +0200, Daniel Schneller wrote:
>>> Hi!
>>>
>>> Not being very familiar with the code, so I thought I'd ask before something
>>> changes unexpectedly :)
>>> I asked about certificate ordering a while ago, too, and I seem to remember
>>> (and we currently rely on this) that exact domain matches are "weighted
>>> higher" than wildcard matches on purpose, so that if I just dump the
>>> certificates in a directory, it will pick a more specific one over a wildcard
>>> that is also there as a "catchall".
>>>
>>> Not saying one or the other is right or wrong, but if this should be merged,
>>> it must be made very clear that people might have to change their setups.
>> FQDN matches always have precedence over wildcards (fortunately). Sander,
>> I'm a bit surprised by your motivation for this change. You always want
>> foo.example.com to have precedence over *.example.com and this is not a
>> matter of directory. By changing this you'd silently break some certs by
>> presenting the wrong one (the wildcard one) instead of the fully qualified
>> name. If you have any reason for wanting to do that anyway, I think this
>> is the wrong approach and you should instead refuse to load domain certs
>> when they conflict with a wildcard, or at least emit a warning indicating
>> that there's overlapping. But that still seems very strange to me :-/
> Hi Willy,
>
> In our case we always request Let's Encrypt certificates for all our
> customers. We put those in a directory that is loaded last. When a
> customer buys a certificate himself this certificate is put in a
> directory that is loaded before the Let's Encrypt ones. If a customer
> has bought a certificate he always wants that certificate to be used,
> even if it is a wildcard. If and when a customer removes his own cert,
> he will always still have working SSL.
>
> Regards,
> Sander
>
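To make the difference between the two orderings concrete, here is a small Python model of both selection policies, written as an added illustration for this thread; it is not HAProxy's code and does not reflect how HAProxy stores or looks up certificates internally. It models the "crt A" / "crt B" entries as ordered lists of certificate names, implements the current rule (an exact FQDN match always wins over a wildcard, whichever entry it lives in) and the proposed rule (entries are walked in config order, exact beats wildcard within one entry, and the first entry with any match wins), and reports which SNI names would be served a different certificate after the change. The directory labels "customer" and "letsencrypt" and the hostnames are constructed sample data mirroring the setup described in the thread.

```python
"""Model of two SNI certificate-selection policies (added illustration, not HAProxy code)."""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Cert:
    name: str    # subject name, e.g. "foo.example.com" or "*.example.com"
    source: str  # label of the "crt" entry (directory) it was loaded from


def _is_exact(cert: Cert, sni: str) -> bool:
    return cert.name.lower() == sni.lower()


def _is_wildcard_match(cert: Cert, sni: str) -> bool:
    """'*.example.com' covers exactly one label: foo.example.com yes, a.b.example.com no."""
    if not cert.name.startswith("*."):
        return False
    host, suffix = sni.lower(), cert.name[1:].lower()  # suffix = ".example.com"
    return host.endswith(suffix) and "." not in host[: -len(suffix)] and host != suffix


def select_current(entries: Sequence[Sequence[Cert]], sni: str) -> Optional[Cert]:
    """Current behaviour as Willy describes it: any exact match, in any entry,
    beats any wildcard; entry order only breaks ties within the same kind."""
    for entry in entries:
        for cert in entry:
            if _is_exact(cert, sni):
                return cert
    for entry in entries:
        for cert in entry:
            if _is_wildcard_match(cert, sni):
                return cert
    return None


def select_proposed(entries: Sequence[Sequence[Cert]], sni: str) -> Optional[Cert]:
    """Ordering from the patch described in the thread: walk entries in config
    order; inside one entry exact beats wildcard; the first entry that matches
    at all wins, so an earlier wildcard shadows a later exact match."""
    for entry in entries:
        exact = next((c for c in entry if _is_exact(c, sni)), None)
        if exact is not None:
            return exact
        wild = next((c for c in entry if _is_wildcard_match(c, sni)), None)
        if wild is not None:
            return wild
    return None


def divergences(entries: Sequence[Sequence[Cert]], snis: Sequence[str]) -> List[str]:
    """Names for which the two policies would present different certificates.
    Useful as a pre-change audit of an existing crt layout."""
    return [s for s in snis if select_current(entries, s) != select_proposed(entries, s)]


# Constructed sample layout mirroring the thread: a customer-provided wildcard
# in the directory loaded first, Let's Encrypt per-host certs loaded last.
CRT_A = [Cert("*.example.com", "customer"), Cert("bar.example.org", "customer")]
CRT_B = [Cert("foo.example.com", "letsencrypt"), Cert("bar.example.org", "letsencrypt"),
         Cert("www.example.net", "letsencrypt")]
CONFIG = (CRT_A, CRT_B)
SNIS = ["foo.example.com", "bar.example.org", "www.example.net", "a.b.example.com"]


if __name__ == "__main__":
    for sni in SNIS:
        cur, new = select_current(CONFIG, sni), select_proposed(CONFIG, sni)
        print(f"{sni:20} current={cur and cur.source:12} proposed={new and new.source}")
    print("would change:", divergences(CONFIG, SNIS))
```

Running it shows foo.example.com is the only name whose served certificate changes: today it gets the exact Let's Encrypt cert from B, under the proposed ordering it gets the customer's wildcard from A. Names with an exact match in A, or with no match in A at all, resolve identically under both rules, which is the "silent" part of Willy's concern: a layout that looks fine for most hosts can still flip a few of them.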