On Thu, Jun 26, 2025 at 04:14:50PM +0200, Maximilian Moehl wrote: > Subject: Re: [PATCH] DOC: config: crt-list clarify default cert + cert-bundle > On Thu Jun 26, 2025 at 4:08 PM CEST, Maximilian Moehl wrote: > > Clarify that HAProxy duplicates crt-list entries for multi-cert bundles > > which can create unexpected side-effects as only the very first > > certificate after duplication is considered as default implicitly. > > --- > > doc/configuration.txt | 4 ++++ > > 1 file changed, 4 insertions(+) > > > > diff --git a/doc/configuration.txt b/doc/configuration.txt > > index 4dfd53bc24..76af2ba659 100644 > > --- a/doc/configuration.txt > > +++ b/doc/configuration.txt > > @@ -16554,6 +16554,10 @@ crt-list <file> > > configuration, the default certificates could be explicited (with a '*' > > filter) at the beginning of the list, so an implicit default is not > > added > > before. > > + Due to multi-cert bundles being duplicated for each algorithm in the > > + crt-list, only one algorithm will occupy the first line in the > > crt-list and > > + be considered as default. Either specify the entire bundle as default > > by > > + declaring '*' as the filter or setting it on the bind line. > > > > The "show ssl sni" command on the stats socket could be used to debug > > your > > configuration. (See "show ssl sni" in the management guide) > > Thanks for the feedback! I've adjusted the patch to only include the > first section. > > I hope I did this right, this is the first time I'm sending patches via > email :) >
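Review bot: The last added sentence, "Either specify the entire bundle as default by declaring '*' as the filter or setting it on the bind line", is ambiguous about what "it" refers to and does not name the bind-line keyword meant, so a reader cannot tell what to write on the bind line. Consider restructuring it so both options are parallel and explicit, for example "To make the whole bundle the default, either give its crt-list entry a '*' filter or declare the bundle on the bind line", and name the keyword. The first added sentence also does not say which algorithm ends up on the first line after duplication, so the reader cannot predict which certificate becomes the implicit default. Either document that order or state that it must not be relied on. The added text could also point to the "show ssl sni" command mentioned in the following context lines as the way to verify which certificate was selected as default.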
Thanks, I just merged it! I know that git-send-email could be confusing to use the first time, but you did it right :-) -- William Lallemand