Randomly issuing the wrong certificate


I’m experiencing a problem using multiple certificates on the front end. I’ve tested this in multiple browsers: by refreshing several times, we randomly get the wrong certificate used. It seems that haproxy is using the first one in the list, but only randomly; sometimes it works as expected, and other times it does not.

The config is as follows:

    frontend https-in
        mode http
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }
        bind *:443 ssl crt /etc/ssl/certs/netcert.pem crt /etc/ssl/certs/couk2019.pem
        rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload
        http-response set-header X-Content-Type-Options nosniff
        http-response set-header X-XSS-Protection 1;mode=block
        stick-table type ip size 1m expire 10s store gpc0,http_req_rate(10s)
        tcp-request connection track-sc1 src
        acl source_is_abuser src_get_gpc0 gt 0
        tcp-request connection reject if source_is_abuser
        acl badbots hdr_reg(User-Agent) -i -f /etc/haproxy/badbots.lst
        http-request deny if badbots
        default_backend backend_server

So for our domain.net connection it works 100% of the time, but whenever we go to domain.co.uk for the 2nd cert in the list, it only works approximately half of the time; the other half it uses the .net certificate by mistake. I can see this in Firefox as it shows the certificate that was used. I’ve also checked using openssl to connect to the site: sometimes it works, sometimes it uses the first certificate in the list.

These are wildcard certificates if that makes a difference: *.domain.net and *.domain.co.uk

Any help would be appreciated.


Maybe you have multiple haproxy processes running in the background with an old configuration? Because of SO_REUSEPORT, the kernel would then load-balance between those running instances, which would explain what you are seeing.

Use the noreuseport directive available in 1.6.10 or later to disable SO_REUSEPORT behavior (and have the guarantee that only the current haproxy instance is listening).
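
A way to check for the situation described in the answer above, as an added example that is not part of the original posts: it reads `ss -Hltnp` output and lists every distinct process holding a listening socket on a port, so a second (stale) haproxy PID on 443 stands out. The function names and the sample lines are constructed for illustration, and the column layout assumed is the one `ss -Hltnp` prints (state, queues, local address, peer address, users).

```shell
# Constructed sample of `ss -Hltnp` output: two haproxy PIDs share *:443,
# which is what SO_REUSEPORT allows when an old instance was never stopped.
SAMPLE='LISTEN 0 128 *:443 *:* users:(("haproxy",pid=1412,fd=5))
LISTEN 0 128 *:443 *:* users:(("haproxy",pid=20977,fd=5))
LISTEN 0 128 *:22 *:* users:(("sshd",pid=801,fd=3))'

# listeners_on_port PORT
# Reads `ss -Hltnp` output on stdin, prints "pid name" once per process
# that has a listening socket on PORT.
listeners_on_port() {
    awk -v port="$1" '
        $1 == "LISTEN" && $4 ~ (":" port "$") {
            rest = $0
            # One socket may list several owners: users:(("name",pid=N,fd=M),...)
            while (match(rest, /\("[^"]+",pid=[0-9]+/)) {
                entry = substr(rest, RSTART, RLENGTH)
                rest = substr(rest, RSTART + RLENGTH)
                name = entry; sub(/^\("/, "", name); sub(/".*/, "", name)
                pid = entry; sub(/.*pid=/, "", pid)
                if (!((pid) in seen)) { seen[pid] = 1; print pid, name }
            }
        }'
}

# check_single_instance PORT
# Succeeds only if at most one process listens on PORT (input on stdin).
check_single_instance() {
    count=$(listeners_on_port "$1" | wc -l | tr -d ' ')
    [ "$count" -le 1 ]
}

# Demo on the constructed sample. On a live host, run as root:
#   ss -Hltnp | listeners_on_port 443
printf '%s\n' "$SAMPLE" | listeners_on_port 443
```

Any PID in the output that is not the current haproxy instance is a candidate for the stale process serving the old certificate list.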