Does haproxy automatically select a valid certificate?

tasavi · November 6, 2018, 7:13am

haproxy.cfg

ssl crt / etc / haproxy / ssl / certs /

==========================

/etc/haproxy/ssl/certs/1.cert.pem
/etc/haproxy/ssl/certs/2.cert.pem

1.cert.pem (example.com)
notBefore = Sep 1 06:23:03 2016 GMT
notAfter = Nov 14 07:38:54 2018 GMT

2.cert.pem (example.com)
notBefore = Oct 29 09:15:10 2018 GMT
notAfter = Dec 14 07:38:54 2020 GMT

==========================

There are two certificates for the same domain as above.
I wonder if certificate # 2 is automatically answered when certificate # 1 expires.

I know I only need to use certificate # 2 for renewal, but I want to know how haproxy works under those conditions.

Please answer. Thanks.

lukastribus · November 6, 2018, 10:42am

Certificates are loaded in alphabetical order and the certificate dates are not considered, so whatever the current date, haproxy would always use 1.cert.pem for that specific domain in that example. Only the actual domain names are considered for selection, not the date.

tasavi · November 6, 2018, 11:12am

The behavior was not what I expected, but thank you for confirming it correctly.

Topic		Replies	Views
Haproxy SSL old cert is visible Help!	4	1962	September 11, 2020
HAProxy using old Cert File Help!	11	8856	May 5, 2018
Is "verify none" working for an expired certificate? Help!	2	1510	April 30, 2019
Randomly issuing the wrong certificate Help!	1	1536	July 17, 2018
Renewed SSL Certificate Help!	1	2149	November 4, 2017

Does haproxy automatically select a valid certificate?

Related topics