This works (SNI is set to private.auricsystems.com and the returned certificate is validated against the hostname private.auricsystems.com):
server test private.auricsystems.com:443 ssl sni str(private.auricsystems.com) verifyhost private.auricsystems.com ca-file </etc/ca-file>
HAProxy refuses to connect if the hostname is something else:
server test private.auricsystems.com:443 ssl sni str(private.auricsystems.com) verifyhost mail.com ca-file </etc/ca-file>
But you are right about one thing: the health check actually does not send SNI to the server, and that is probably the issue here.
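As an added example (not part of the original post), the two backends below put the weak setting next to the corrected one. The backend names, server names and CA file path are placeholders; `check-sni` is the server keyword that sets the server_name for the health-check handshake (HAProxy 1.8 and later), and `verify required` is spelled out rather than relying on the global `ssl-server-verify` default:

```haproxy
# Added example, not from the original post. Backend and server names
# and the ca-file path are assumptions.

# Weak: proxied traffic sends SNI through sni str(...), but the health
# check opens its own TLS session with no server_name extension. A server
# that needs SNI to select its certificate answers with its default one,
# verifyhost fails, and the check marks the server DOWN.
backend private_nosni
    mode http
    default-server ssl verify required ca-file /etc/ssl/certs/ca-file.pem
    server test private.auricsystems.com:443 sni str(private.auricsystems.com) verifyhost private.auricsystems.com check inter 5s

# Corrected: check-sni gives the health check the same server_name the
# proxied traffic uses, so the check validates the same certificate.
# check-ssl is explicit here; it is implied when ssl is set on the server
# line and the check uses no separate port or address.
backend private_checksni
    mode http
    default-server ssl verify required ca-file /etc/ssl/certs/ca-file.pem
    server test private.auricsystems.com:443 sni str(private.auricsystems.com) verifyhost private.auricsystems.com check check-ssl check-sni private.auricsystems.com inter 5s
```

Validate the file with `haproxy -c -f <file>` before reloading. To see what the backend actually returns to a check without SNI, compare `openssl s_client -connect private.auricsystems.com:443` with the same command plus `-servername private.auricsystems.com`; if the certificate subject differs between the two, the health check needs `check-sni`.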