From 5ae6bfcd9378d8b393e20f9c58f8756e101be5a9 Mon Sep 17 00:00:00 2001 From: Joao Morais Date: Tue, 24 Nov 2020 08:24:30 -0300 Subject: [PATCH] DOC: better describes how to configure a fallback crt A default certificate is always the first one declared in the bind line, either from `crt` or from `crt-line` option. This commit updates the description of how to configure a fallback certificate, clarifying that it needs to be the first one of the bind line. Should be merged as far as the first SNI filter implementation. (cherry picked from commit aa8fcc4692b8c2afda455199a694067fea9e9262) Signed-off-by: Christopher Faulet --- doc/configuration.txt | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index 609257a..70e0151 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt 
@@ -12611,13 +12611,14 @@ crt-list Empty lines as well as lines beginning with a hash ('#') will be ignored. - The first valid line declares the default certificate, which haproxy should - use in the TLS handshake if no other certificate matches, just like the crt - bind option. This certificate will also be used if the provided SNI matches - its CN or SAN, even if a matching SNI filter is declared later. The SNI filter - !* can be used after the first certificate to not include its CN and SAN in - the SNI tree, so it will never match except if no other certificate matches. - This way the first declared certificate act as a fallback. + The first declared certificate of a bind line is used as the default + certificate, either from crt or crt-list option, which haproxy should use in + the TLS handshake if no other certificate matches. This certificate will also + be used if the provided SNI matches its CN or SAN, even if a matching SNI + filter is found on any crt-list. The SNI filter !* can be used after the first + declared certificate to not include its CN and SAN in the SNI tree, so it will + never match except if no other certificate matches. This way the first + declared certificate act as a fallback. crt-list file example: cert1.pem !* -- 1.7.10.4
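Review bot: the rewritten paragraph in this hunk carries over a grammar slip from the old text and adds a clause that is hard to parse. The last sentence, `+ declared certificate act as a fallback.`, should read "acts as a fallback". The opening sentence, `+ The first declared certificate of a bind line is used as the default` / `+ certificate, either from crt or crt-list option, which haproxy should use in`, separates "certificate" from its relative clause with the "either from" aside; suggest "The first certificate declared on a bind line, whether via the crt or the crt-list option, is used as the default certificate, which haproxy uses in the TLS handshake if no other certificate matches." Since the point of this change is that the fallback must be the first certificate on the bind line rather than the first line of a crt-list, it would also help to state explicitly that a `!*` entry in a crt-list only achieves the fallback behaviour when that crt-list (or its first entry) is the first certificate source on the bind line. Minor: the commit message says "from `crt` or from `crt-line` option"; the option is `crt-list`, as the hunk itself uses.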