Hello,

On 20.04.2017 at 15:05, Sander Hoentjen wrote:
> A new patch, that puts the order like this:
> config:
> crt A crt B

[...]

> If A contains wildcard, and B contains exact match, then wildcard is used.
>
> This last one is different behavior from what is implemented now.

People rely on the specific current behavior you are changing already.
We made it clear that exact matches always take precedence; inverting the behavior fixes your single use-case but breaks many others.


My opinion about your use-case is that your provisioning layer has to handle this and remove, if necessary, any more specific and unwanted lets-encrypt certificates. Maybe the crt-list [1] feature can be an alternative, otherwise, what you'd need from haproxy would be a multi-layered approach, with certificate "weights", which I don't believe makes sense to implement (but should be abstracted into provisioning tools).


Regards,
Lukas

[1] https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1-crt-list
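
The provisioning-side check suggested in the message above, as an added example that is not part of the original e-mail or of haproxy's code: it models "exact match beats wildcard" selection and lists the exact-name certificates that would shadow a preferred wildcard certificate. The file names, host names, the single-label wildcard rule and the "first certificate loaded keeps a name" rule are assumptions of this sketch.

```python
# Added example: a simplified model of SNI certificate selection for a
# provisioning tool. Not haproxy code; all names below are constructed.

def wildcard_for(host):
    """Return the single-label wildcard covering host, or None."""
    _, dot, rest = host.partition(".")
    return "*." + rest if dot and rest else None

def build_index(certs):
    """certs: ordered list of (path, [names]).
    Assumption: the first certificate loaded for a name keeps it."""
    exact, wild = {}, {}
    for path, names in certs:
        for name in (n.lower() for n in names):
            table = wild if name.startswith("*.") else exact
            table.setdefault(name, path)
    return exact, wild

def select(index, sni, default=None):
    """Exact names are tried first, then the wildcard, then the default."""
    exact, wild = index
    sni = sni.lower().rstrip(".")
    if sni in exact:
        return exact[sni]
    return wild.get(wildcard_for(sni), default)

def shadowing(certs, preferred):
    """Exact names served by another certificate although `preferred`
    carries a wildcard that also covers them."""
    exact, _ = build_index(certs)
    wanted = {n.lower() for path, names in certs if path == preferred
              for n in names if n.startswith("*.")}
    return [(name, path) for name, path in sorted(exact.items())
            if path != preferred and wildcard_for(name) in wanted]

CERTS = [  # constructed sample: A holds the wildcard, B an exact name
    ("A.pem", ["*.example.com"]),
    ("B.pem", ["www.example.com"]),
]

if __name__ == "__main__":
    idx = build_index(CERTS)
    for host in ("www.example.com", "api.example.com"):
        print(host, "->", select(idx, host))
    for name, path in shadowing(CERTS, "A.pem"):
        print("candidate for removal:", path, "shadows the wildcard for", name)
```
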
