Hello Maximilian,

On Tue, Jun 24, 2025 at 09:30:03AM +0200, Maximilian Moehl wrote:
> Subject: [PATCH] DOC: config: crt-list clarify default cert + cert-bundle
> Clarify that HAProxy duplicates crt-list entries for multi-cert bundles
> which can create unexpected side-effects as only the very first
> certificate after duplication is considered as default implicitly.
> ---
>  doc/configuration.txt | 14 ++++++++++++--
>  1 file changed, 12 insertions(+), 2 deletions(-)
>
> diff --git a/doc/configuration.txt b/doc/configuration.txt
> index 4dfd53bc24..e8042d78f4 100644
> --- a/doc/configuration.txt
> +++ b/doc/configuration.txt
> @@ -16554,12 +16554,22 @@ crt-list <file>
>    configuration, the default certificates could be explicited (with a '*'
>    filter) at the beginning of the list, so an implicit default is not added
>    before.
> +  Due to multi-cert bundles being duplicated for each algorithm in the
> +  crt-list, only one algorithm will occupy the first line in the crt-list
> and
> +  be considered as default. Either specify the entire bundle as default by
> +  declaring '*' as the filter or setting it on the bind line.

That's a valid point indeed; that's one of the things that were fixed in
the past on the bind lines. I think we could probably fix it in the
crt-list as well in future versions.

>    The "show ssl sni" command on the stats socket could be used to debug
> your
>    configuration. (See "show ssl sni" in the management guide)
>
> -  Example:
> -     # comment
> +  Example: Provided crt-list.
> +     default.pem *
> +     cert2.pem [alpn h2,http/1.1]
> +     certW.pem *.domain.tld !secure.domain.tld
> +     certS.pem [curves X25519:P-256 ciphers
> ECDHE-ECDSA-AES256-GCM-SHA384] secure.domain.tld
> +     foo.crt [key bar.pem ocsp foo.ocsp ocsp-update on] foo.bar.com
> +

I don't think it's a good idea to add multi-cert bundle loading in the
example, as I don't recommend using this way of loading certificates
anymore.

> +  Example: Output of "show ssl sni".

I think you meant "show ssl crt-list" here.

>      default.pem.rsa *
>      default.pem.ecdsa *
>      cert2.pem [alpn h2,http/1.1]
> --
> 2.50.0

I can take the patch with only the addition to the description, or you
could send me a 2nd version.

Regards,

--
William Lallemand
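Review bot: the hunk as posted appears to have been re-wrapped by the mail client, so it will not apply cleanly with git am: the fragments "and", "your" and "ECDHE-ECDSA-AES256-GCM-SHA384] secure.domain.tld" sit on their own quoted lines with no diff prefix, which means the original lines "crt-list, only one algorithm will occupy the first line in the crt-list and", "The "show ssl sni" command on the stats socket could be used to debug your" and the certS.pem entry were split; resend with git send-email or as an attachment. In the added description text, the sentence "Either specify the entire bundle as default by declaring '*' as the filter or setting it on the bind line." is not parallel; suggest "Either specify the entire bundle as default by declaring '*' as the filter, or set it on the bind line." Finally, the second example is titled "Output of "show ssl sni"" but the lines shown (default.pem.rsa *, default.pem.ecdsa *, cert2.pem [alpn h2,http/1.1]) are expanded crt-list entries, not SNI output, so the title should name the command that produces them.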