regarding certificates: The bind line accepts a directory for ssl crt
, haproxy will then pick the certificate that is matching to the SNI the client provided. So you can stuff all certificates you have (e.g. multiple wildcards, even mixed with non wildcard certs) in that directory and haproxy will take care of the rest.
Only in cases where the client does NOT send an SNI extension haproxy will fall back to a default certificate and thus a certificate error can occur.
regarding your issue: your backend server definitions lack ssl
, currently haproxy is trying to talk raw http to your backends just on port 443. Check with server SRVWEBFRM3 x.x.x.90:443 ssl check check-ssl verify none