The certs overlapping because of SNI makes perfect sense. If that’s the case then I cannot use SNI redirection and will have to stick with use_backend if statements based on HDR. Which means http mode. Which means I’m back where I started.
I will not be using letsencrypt. I already have good working certificates. I just can’t use SNI switching for my HAProxy use-case. Unfortunate.
I’ve moved everything back to mode http and am terminating SSL at HAProxy. Most of the webservers are working fine. The difference is that I have a unique frontend for each individual port. Even though, for instance, ports 8443 and 443 should be treated the same (as far as HAProxy is concerned), having both ports in the same frontend caused problems.
I know that’s not particularly useful information for those that find this thread in the future hoping for a fix for TCP -> HTTP modes, but it’s what’s working for me.
The few things I need to have as TCP have a dedicated frontend and backend that’s TCP-only. This doesn’t achieve my end-goal of SSL termination on some HTTP sites and SSL passthrough for others. It only allows some services through.
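The layout the post describes (one http-mode frontend per port terminating TLS at HAProxy and routing on the Host header, plus a separate tcp-mode frontend/backend pair for the services that must stay TLS end-to-end), written out as an added configuration example. This is not the poster's own configuration: the hostnames, backend addresses, ports and the certificate directory are placeholders.

```haproxy
# Added example, not the poster's configuration. All hostnames, addresses
# and the certificate path are placeholders.
global
    log /dev/log local0

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# One http-mode frontend per listening port. HAProxy terminates TLS here,
# so it can read the Host header and choose a backend with use_backend.
frontend fe_https_443
    mode http
    option httplog
    bind :443 ssl crt /etc/haproxy/certs/      # directory of PEM files (cert + key per site)
    http-request set-header X-Forwarded-Proto https
    acl host_app1 hdr(host) -i app1.example.com
    acl host_app2 hdr(host) -i app2.example.com
    use_backend be_app1 if host_app1
    use_backend be_app2 if host_app2
    default_backend be_app1

# Same treatment for 8443, but in its own frontend rather than a second
# bind line in fe_https_443, which is what the post reports as problematic.
frontend fe_https_8443
    mode http
    option httplog
    bind :8443 ssl crt /etc/haproxy/certs/
    http-request set-header X-Forwarded-Proto https
    acl host_app3 hdr(host) -i app3.example.com
    use_backend be_app3 if host_app3
    default_backend be_app3

# Dedicated tcp-mode pair for a service that must receive TLS untouched.
# HAProxy never decrypts this traffic; the backend presents its own certificate.
frontend fe_tcp_9443
    mode tcp
    option tcplog
    bind :9443
    default_backend be_tcp_passthrough

backend be_tcp_passthrough
    mode tcp
    server passthrough1 10.0.0.40:443 check

backend be_app1
    mode http
    server app1 10.0.0.10:8080 check

backend be_app2
    mode http
    server app2 10.0.0.20:8080 check

backend be_app3
    mode http
    server app3 10.0.0.30:8080 check
```

Validate with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. Two things to keep in mind with this split: the http-mode backends receive plaintext from HAProxy, so either keep them on a trusted network or add `ssl verify required` (with a CA file) to those `server` lines; and the tcp-mode pair routes purely by port, so each passthrough service needs its own listening port, which is exactly the limitation the post describes.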