On Thu Jun 26, 2025 at 4:08 PM CEST, Maximilian Moehl wrote: > Clarify that HAProxy duplicates crt-list entries for multi-cert bundles > which can create unexpected side-effects as only the very first > certificate after duplication is considered as default implicitly. > --- > doc/configuration.txt | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/doc/configuration.txt b/doc/configuration.txt > index 4dfd53bc24..76af2ba659 100644 > --- a/doc/configuration.txt > +++ b/doc/configuration.txt > @@ -16554,6 +16554,10 @@ crt-list <file> > configuration, the default certificates could be explicited (with a '*' > filter) at the beginning of the list, so an implicit default is not added > before. > + Due to multi-cert bundles being duplicated for each algorithm in the > + crt-list, only one algorithm will occupy the first line in the crt-list > and > + be considered as default. Either specify the entire bundle as default by > + declaring '*' as the filter or setting it on the bind line. > > The "show ssl sni" command on the stats socket could be used to debug > your > configuration. (See "show ssl sni" in the management guide)
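Review bot: The last added sentence in this hunk is not grammatically parallel: "Either specify the entire bundle as default by declaring '*' as the filter or setting it on the bind line." Suggest "Either specify the entire bundle as default by declaring '*' as the filter, or set it on the bind line." The first added sentence would also read more naturally as "Because multi-cert bundles are duplicated for each algorithm in the crt-list, only one algorithm occupies the first line and is considered the default." Since the paragraph warns that an unintended certificate may become the implicit default, it would help readers if the text also stated which of the duplicated entries ends up first (or that this order should not be relied on), so they know to check with "show ssl sni" rather than guess.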
Thanks for the feedback! I've adjusted the patch to only include the first section. I hope I did this right, this is the first time I'm sending patches via email :) -- Max