Invalid certificate with multiple domains

Help!
1

I have some troubles with the support of two distinct domains.
All is fine with one domain but adding a second domain give me strange errors.
one time out of 10 (approximately), the browser gives me a certificate error SSL_ERROR_BAD_CERT_DOMAIN because the 2nd certificat is presented.
Even stranger, if I point to this server with a fictitious URL (not matched by haproxy), I get the certificate error.
What’s wrong ?

peers mypeers
    peer phoenix1 a.b.c.69:10000
    peer phoenix2 a.b.c.79:10000
    peer phoenix3 a.b.c.182:10000
global
	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
	stats timeout 30s
	user haproxy
	group haproxy
	daemon

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
	log	global
	mode	http
	option	httplog
	option	dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000

backend tomcat_servers
   mode http
   stick-table type ipv6  size 1m  expire 24h peers mypeers
   stick on src
    balance roundrobin
   filter compression
   compression algo gzip
   compression type text/css text/html text/javascript application/javascript text/plain text/xml application/json
   compression offload
    option httpchk HEAD /
    default-server check maxconn 600
    option forwardfor

frontend phoenix.domain1.com
    bind :::80 v4v6
    bind :::443 v4v6 ssl crt /etc/haproxy/certs/phoenix.txt
    http-request redirect scheme https unless { ssl_fc }
    default_backend tomcat_servers
    
frontend cbc.domain2.com
    bind :::80 v4v6
    bind :::443 v4v6 ssl crt /etc/haproxy/certs/cbc.txt
    http-request redirect scheme https unless { ssl_fc }
    default_backend tomcat_servers
2

the syntax of the frontend was not correct.
I have corrected with

frontend foo
bind :::80 v4v6
bind :::443 v4v6 ssl crt /etc/haproxy/certs/phoenix.txt crt /etc/haproxy/certs/cbc.txt
http-request redirect scheme https unless { ssl_fc }
default_backend tomcat_servers

1 Like