I am setting up a reverse proxy that reads a collection of certificates from a directory like:
bind *:443 ssl crt /etc/haproxy/ssl/
The directory contains single domain certificates as well as SAN certificates. This is all working well, and haproxy is reading all the certificates and serving the proper one through SNI.
I would like to obtain a list of domains available through SNI as HAProxy sees it, for the sake of auditing/sanity/change control. I would also be OK with a list of valid certificates - previously we used crt-list and manually managed that file. However, I am looking for a way to automatically monitor it and detect changes, rather than update the crt-list file every time.
Is this possible? Ideally, HAProxy could do this, either through the command line or the stats page (rather than using a script+OpenSSL, etc.). It seems like it already does it in order to determine all the SNI options, I just can't find a way to get my hands on that data.