Hi Kevin,

On Mon, Jul 24, 2017 at 04:00:04PM -0700, Kevin McArthur wrote:
> To replicate my results:
>
> Generate 3 ssl certificates (letsenc? I used a dns-01 challenge...)..
>
> default.example.ca
> working.example.ca
> should-be-broken.example.ca
>
> Configure an apache instance to serve only the first two via https.
> default.example.ca and working.example.ca; don't configure any virtualhost
> for should-be-broken.example.ca.
>
> Configure the haproxy instance with all 3 certificates in the haproxy format
> with the intermediates and private keys included in a single file. Name the
> files like default.example.ca.pem, working.example.ca.pem,
> should-be-broken.example.ca.pem and toss em in /etc/haproxy/certs...
>
> Install the ca-certificates package if you're on debian/ubuntu (otherwise
> adjust the ca-certificates location to whatever distro you're running)...
>
> Then:
>
> haproxy.cfg:
>
> frontend www-https
>     bind :::443 v4v6 ssl crt /etc/haproxy/certs/default.example.ca.pem crt /etc/haproxy/certs/
>     use_backend www-backend-https
>
> backend www-backend-https
>     server app default.example.ca:443 ssl verify required sni ssl_fc_sni ca-file /etc/ssl/certs/ca-certificates.crt check check-ssl
>
> If you visit https://should-be-broken.example.ca you will get the page for
> default.example.ca, but the browser/visitor will show the
> should-be-broken.example.ca cert from the haproxy and the page will appear
> secure, despite the backend apache instance having no access to
> should-be-broken's virtual host or certificate and serving a certificate for
> default.example.ca to the haproxy.
Thanks, I'll retry it. I'm surprised because what you describe here is
*exactly* what I did and it worked fine for me, I remember getting a 503
when connecting with the wrong name. But obviously there must be a
difference so I'll try to find it.

Willy
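An added check for the scenario Kevin describes (not part of this thread, and not haproxy's or Apache's own code): a proxy that forwards the client's SNI must verify the backend certificate against that name, not only against the CA bundle. The offline model encodes the setup from the thread (Apache has certificates only for the first two names and answers any other SNI with default.example.ca's certificate); the live probe takes the backend address as an argument, with a placeholder host by default.

```python
import socket
import ssl
import sys

# Hostnames from the thread's test setup (example names, not live hosts).
HOSTNAMES = ["default.example.ca", "working.example.ca", "should-be-broken.example.ca"]

# Constructed model of the backend Apache described in the thread: vhosts and
# certificates exist only for the first two names, and any other SNI is
# answered with the default vhost's certificate.
BACKEND_CERT_SANS = {
    "default.example.ca": ["default.example.ca"],
    "working.example.ca": ["working.example.ca"],
}

def backend_cert_for_sni(sni):
    return BACKEND_CERT_SANS.get(sni, BACKEND_CERT_SANS["default.example.ca"])

def san_covers(san_names, hostname):
    """RFC 6125-style name check: exact match, or a single leftmost '*' label
    matching exactly one label. This is the check a proxy must apply to the
    backend certificate against the SNI it forwarded, in addition to chain
    validation."""
    host = hostname.lower().rstrip(".")
    for san in san_names:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*.") and "*" not in san[2:]:
            suffix = san[1:]  # e.g. ".example.ca"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
    return False

def simulate_proxy_check(sni):
    """Offline model of the thread's scenario: does the certificate the backend
    would present for this SNI actually cover that name?"""
    return san_covers(backend_cert_for_sni(sni), sni)

def verify_backend_for_sni(backend_host, backend_port, sni, cafile=None, timeout=5.0):
    """Live check: connect to the real backend with `sni` and let the stdlib verify
    both the chain (system bundle or `cafile`) and the hostname. Returns (ok, detail)."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    try:
        with socket.create_connection((backend_host, backend_port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni) as tls:
                sans = [v for k, v in tls.getpeercert().get("subjectAltName", ()) if k == "DNS"]
                return True, sans
    except ssl.SSLCertVerificationError as e:
        return False, f"{sni}: certificate verification failed: {e.verify_message}"
    except (ssl.SSLError, OSError) as e:
        return False, f"{sni}: connection failed: {e}"

if __name__ == "__main__":
    backend = sys.argv[1] if len(sys.argv) > 1 else "backend.placeholder.invalid"  # placeholder
    for name in HOSTNAMES:
        print(f"model {name}: {'ok' if simulate_proxy_check(name) else 'MISMATCH'}")
        print(f"live  {name}: {verify_backend_for_sni(backend, 443, name)}")
```

Run it as `python3 check_backend_sni.py <apache-host>`; in the thread's setup the model reports MISMATCH for should-be-broken.example.ca, and the live probe against the Apache instance should fail verification for that name only.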