On Fri, 2 Mar 2018, at 01:40, Lukas Tribus wrote:
> On 2 March 2018 at 01:09, Dave Cottlehuber <d...@skunkwerks.at> wrote:
> > I have 2 TLS cert bundles that I'd like to serve off haproxy, using a
> > single IP. Both certs have multiple SANs in them.
> Yes. You don't need TCP mode and manual SNI matching at all. Haproxy
> will do all those things for you automatically. The article is
> specifically about content switching TCP payload based on SNI, but
> that's not your use case (not if you want a simple and built-in
> The point is: you can specify multiple certificates or even directories
> with the "crt" keyword.
This indeed works and is much simpler.
FWIW I had this config previously and it wasn't working; I'd assumed my
haproxy config was incorrect but in fact one of the TLS certs had an
incorrect intermediate certificate; once that's fixed I can revert to
the expected setup.
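
The two approaches contrasted in this thread, side by side, as an added example that is not part of the original messages or of either poster's configuration. All file paths, hostnames, ports, addresses and frontend/backend names are placeholders chosen for illustration.

```haproxy
# Added illustration; every path, hostname, address and name is a placeholder.
defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Variant A: haproxy terminates TLS and selects the certificate itself.
frontend fe_https
    mode http
    # Each .pem bundle holds the leaf certificate, its intermediate chain
    # and the private key. haproxy matches the client's SNI against the
    # CN/SANs of every loaded certificate; the first one loaded is the
    # default when nothing matches. A wrong intermediate inside a bundle
    # breaks validation on the client side even though this line is correct.
    bind :443 ssl crt /etc/haproxy/certs/bundle-a.pem crt /etc/haproxy/certs/bundle-b.pem
    # Alternative: load every bundle found in a directory.
    # bind :443 ssl crt /etc/haproxy/certs/
    # Optional routing on the SNI of the already terminated connection.
    use_backend be_site_b if { ssl_fc_sni -i b.example.org }
    default_backend be_site_a

backend be_site_a
    mode http
    server a1 192.0.2.10:8080

backend be_site_b
    mode http
    server b1 192.0.2.20:8080

# Variant B: TCP passthrough with manual SNI matching on the ClientHello.
# Only needed when the backends terminate TLS themselves.
frontend fe_tls_passthrough
    mode tcp
    bind :8443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend be_tls_b if { req.ssl_sni -i b.example.org }
    default_backend be_tls_a

backend be_tls_a
    mode tcp
    server a1 192.0.2.10:443

backend be_tls_b
    mode tcp
    server b1 192.0.2.20:443
```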