Does haproxy automatically select a valid certificate?


ssl crt / etc / haproxy / ssl / certs /



1.cert.pem (
notBefore = Sep 1 06:23:03 2016 GMT
notAfter = Nov 14 07:38:54 2018 GMT

2.cert.pem (
notBefore = Oct 29 09:15:10 2018 GMT
notAfter = Dec 14 07:38:54 2020 GMT


There are two certificates for the same domain as above.
I wonder if certificate # 2 is automatically answered when certificate # 1 expires.

I know I only need to use certificate # 2 for renewal, but I want to know how haproxy works under those conditions.

Please answer. Thanks.

Certificates are loaded in alphabetical order and the certificate dates are not considered, so whatever the current date, haproxy would always use 1.cert.pem for that specific domain in that example. Only the actual domain names are considered for selection, not the date.

The behavior was not what I expected, but thank you for confirming it correctly.