On Fri, 2 Mar 2018, at 01:40, Lukas Tribus wrote:
> On 2 March 2018 at 01:09, Dave Cottlehuber <[email protected]> wrote:
> > I have 2 TLS cert bundles that I'd like to serve off haproxy, using a
> > single IP. Both certs have multiple SANs in them.
>
> Yes. You don't need TCP mode and manual SNI matching at all. Haproxy
> will do all those things for you automatically. The article is
> specifically about content switching TCP payload based on SNI, but
> that's not your use case (not if you want a simple and built-in
> solution).
>
> The point is: you can specify multiple certificates or even directories
> with the "crt" keyword.

Thanks Lukas, this indeed works and is much simpler. FWIW I had this
config previously and it wasn't working; I'd assumed my haproxy config
was incorrect but in fact one of the TLS certs had an incorrect
intermediate certificate; once that's fixed I can revert to the
expected setup.

A+
Dave
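
Added example, not part of the original email or of the HAProxy project's own configuration: a frontend that serves two certificate bundles from one IP with the `crt` keyword, as described in the quoted reply. File paths, hostnames, backend names and addresses are placeholders.

```haproxy
# Added example; every path, hostname, backend name and address is a placeholder.
frontend https_in
    mode http

    # Each PEM file holds the leaf certificate, its intermediate chain and
    # the private key. HAProxy selects the certificate whose CN/SAN matches
    # the SNI sent by the client; no TCP mode or manual SNI ACLs are needed.
    # The first certificate loaded is presented when no name matches.
    bind :443 ssl crt /etc/haproxy/certs/site-a.pem crt /etc/haproxy/certs/site-b.pem

    # Alternative: point "crt" at a directory and every PEM file in it is loaded.
    # bind :443 ssl crt /etc/haproxy/certs/

    # Optional: refuse the handshake instead of falling back to the default
    # certificate when the SNI matches no loaded certificate.
    # bind :443 ssl strict-sni crt /etc/haproxy/certs/

    # TLS is terminated here, so routing uses the HTTP Host header.
    use_backend be_site_a if { hdr(host) -i a.example.com }
    use_backend be_site_b if { hdr(host) -i b.example.com }
    default_backend be_site_a

backend be_site_a
    mode http
    server a1 192.0.2.10:8080 check

backend be_site_b
    mode http
    server b1 192.0.2.20:8080 check
```

The chain inside each bundle can be checked before deployment with `openssl verify -untrusted intermediates.pem leaf.pem` (file names are placeholders), which fails when the intermediate does not link the leaf to a trusted root.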

