From aa8fcc4692b8c2afda455199a694067fea9e9262 Mon Sep 17 00:00:00 2001 From: Joao Morais Date: Tue, 24 Nov 2020 08:24:30 -0300 Subject: [PATCH] DOC: better describes how to configure a fallback crt A default certificate is always the first one declared in the bind line, either from `crt` or from `crt-line` option. This commit updates the description of how to configure a fallback certificate, clarifying that it needs to be the first one of the bind line. Should be merged as far as the first SNI filter implementation. --- doc/configuration.txt | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index ab49c68..b24c61b 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt 
@@ -12624,13 +12624,14 @@ crt-list Empty lines as well as lines beginning with a hash ('#') will be ignored. - The first valid line declares the default certificate, which haproxy should - use in the TLS handshake if no other certificate matches, just like the crt - bind option. This certificate will also be used if the provided SNI matches - its CN or SAN, even if a matching SNI filter is declared later. The SNI filter - !* can be used after the first certificate to not include its CN and SAN in - the SNI tree, so it will never match except if no other certificate matches. - This way the first declared certificate act as a fallback. + The first declared certificate of a bind line is used as the default + certificate, either from crt or crt-list option, which haproxy should use in + the TLS handshake if no other certificate matches. This certificate will also + be used if the provided SNI matches its CN or SAN, even if a matching SNI + filter is found on any crt-list. The SNI filter !* can be used after the first + declared certificate to not include its CN and SAN in the SNI tree, so it will + never match except if no other certificate matches. This way the first + declared certificate act as a fallback. crt-list file example: cert1.pem !* -- 1.7.10.4
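Review bot: The rewritten paragraph still carries the grammar slip from the removed text ("the first declared certificate act as a fallback" should read "acts as a fallback"), and the parenthetical "either from crt or crt-list option" is attached to "certificate" rather than to "bind line", which makes the sentence hard to parse; suggest "The first certificate declared on a bind line, whether via the crt or the crt-list option, is used as the default certificate, which haproxy should use in the TLS handshake if no other certificate matches." Since the new wording extends the statement to certificates loaded with plain crt, the paragraph should also say whether the !* filter technique applies in that case: the example that follows (cert1.pem !*) only covers a crt-list file, and a reader combining a crt option with a later crt-list is left to guess whether the crt certificate's CN and SAN can be kept out of the SNI tree at all.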