Clarify that HAProxy duplicates crt-list entries for multi-cert bundles,
which can create unexpected side-effects, as only the very first
certificate after duplication is implicitly considered the default.
---
 doc/configuration.txt | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 4dfd53bc24..e8042d78f4 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -16554,12 +16554,22 @@ crt-list <file>
     configuration, the default certificates could be explicited (with a '*'
     filter) at the beginning of the list, so an implicit default is not added
     before.
+    Due to multi-cert bundles being duplicated for each algorithm in the
+    crt-list, only one algorithm will occupy the first line in the crt-list and
+    be considered as default. Either specify the entire bundle as default by
+    declaring '*' as the filter or setting it on the bind line.
 
     The "show ssl sni" command on the stats socket could be used to debug your
     configuration. (See "show ssl sni" in the management guide)
 
-  Example:
-        # comment
+  Example: Provided crt-list.
+        default.pem *
+        cert2.pem [alpn h2,http/1.1]
+        certW.pem *.domain.tld !secure.domain.tld
+        certS.pem [curves X25519:P-256 ciphers ECDHE-ECDSA-AES256-GCM-SHA384] 
secure.domain.tld
+        foo.crt [key bar.pem ocsp foo.ocsp ocsp-update on] foo.bar.com
+
+  Example: Output of "show ssl sni".
         default.pem.rsa *
         default.pem.ecdsa *
         cert2.pem [alpn h2,http/1.1]
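Review bot: the added sentence "Either specify the entire bundle as default by declaring '*' as the filter or setting it on the bind line" mixes verb forms and reads as a single alternative; suggest "Either declare '*' as the filter so the entire bundle is the default, or set it on the bind line." Two smaller points in the same hunk: the "certS.pem [curves X25519:P-256 ciphers ...]" example line ends in trailing whitespace and is long enough that it wraps in the patch, so the filter "secure.domain.tld" appears on its own line; splitting the line or shortening the example would keep the rendered doc intact. Finally, the removed "# comment" line was the only illustration in this section that a crt-list may contain comments; consider keeping a comment line in the "Provided crt-list" example.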
-- 
2.50.0