Hi,

On Sat, Nov 19, 2022 at 05:45:43PM +0100, William Edwards wrote:
> Hello,
>
> When multiple SSL certificates exist for a given domain, which one does
> HAProxy pick?
>
> I'm specifically interested in knowing what happens when:
>
> - Multiple certificates with the exact same set of common names exist

The SNI and CN are registered in a tree and the match will depend on the
declaration order. But using this order is not convenient in some cases;
instead you could use the crt-list keyword that lets you redefine which
certificate should serve which SNI/CN.

> - A more specific certificate exists, e.g. one wildcard certificate
> (*.example.com) and one covering only a subdomain (foo.example.com)

It first looks for an exact match, then looks for a wildcard. In the case of
a crt-list it also looks for a negative entry. For example you could have in
your crt-list:

cert1.pem *.example.com !foo2.example.com !foo3.example.com
cert2.pem foo2.example.com
cert3.pem foo3.example.com

> ... and if the order of .pem files matters in a `crt` directory.
>

They are registered in alphabetical order so it does.

> I am unable to find this in the documentation. But I'm pretty sure I've
> seen it in there before...
>
> Regards,

-- 
William Lallemand
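The following is an added illustration of the lookup order described in the reply above (exact SNI match first, then wildcard, with crt-list negative entries removing a name from a certificate that would otherwise cover it, and declaration order deciding ties). It is not HAProxy's own code, and it models only the simplified crt-list syntax shown in the mail (a certificate path followed by SNI filters). Assumptions are marked in the comments: a leading "*." matches exactly one DNS label, matching is case-insensitive, the "#" comment syntax and the fourth crt-list line are constructed for the demo, and a name that matches nothing returns None where a real listener would fall back to its default certificate.

```python
"""Model of the certificate selection order described in the reply:
exact SNI match first, then wildcard, with crt-list negative entries
(!name) excluding a certificate from a name it would otherwise cover.

Added illustration, not HAProxy's own code.  Assumptions: a crt-list
line is "<cert> <filter>..." as in the mail's example; a wildcard "*."
matches exactly one DNS label; matching is case-insensitive; a name that
matches nothing returns None (a real listener would use its default
certificate instead)."""

from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class CrtListEntry:
    cert: str
    names: List[str] = field(default_factory=list)   # positive SNI filters
    excluded: Set[str] = field(default_factory=set)  # "!name" filters


def parse_crt_list(text: str) -> List[CrtListEntry]:
    """Parse the simplified crt-list format; declaration order is preserved."""
    entries: List[CrtListEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' comments are an assumption here
        if not line:
            continue
        cert, *filters = line.split()
        entry = CrtListEntry(cert)
        for flt in filters:
            if flt.startswith("!"):
                entry.excluded.add(flt[1:].lower())
            else:
                entry.names.append(flt.lower())
        entries.append(entry)
    return entries


def wildcard_matches(pattern: str, host: str) -> bool:
    """'*.example.com' matches 'foo.example.com' but not 'a.b.example.com'
    or 'example.com' (assumption: a wildcard covers exactly one label)."""
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]  # ".example.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return bool(label) and "." not in label


def select_cert(entries: List[CrtListEntry], sni: str) -> Optional[str]:
    """Return the certificate path chosen for an SNI name, or None."""
    host = sni.lower().rstrip(".")
    # Pass 1: exact name.  The first entry declaring it wins (declaration order).
    for entry in entries:
        if host in entry.names and host not in entry.excluded:
            return entry.cert
    # Pass 2: wildcard.  A negative filter removes this host from the entry
    # even though its wildcard pattern would otherwise cover it.
    for entry in entries:
        if host in entry.excluded:
            continue
        if any(wildcard_matches(p, host) for p in entry.names):
            return entry.cert
    return None


# The crt-list from the reply, plus one constructed line showing that a
# duplicate exact name declared later is never selected.
CRT_LIST = """\
cert1.pem *.example.com !foo2.example.com !foo3.example.com
cert2.pem foo2.example.com
cert3.pem foo3.example.com
cert4.pem foo2.example.com   # constructed: shadowed by cert2.pem above
"""

ENTRIES = parse_crt_list(CRT_LIST)


if __name__ == "__main__":
    for name in ("www.example.com", "foo2.example.com", "foo3.example.com",
                 "a.b.example.com", "example.com"):
        print(f"{name:20} -> {select_cert(ENTRIES, name)}")
```

To confirm what a running listener actually serves, the same names can be checked against it with `openssl s_client -connect host:443 -servername foo2.example.com` and the subject of the returned certificate compared with the crt-list.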

