Haproxy 1.5 - Usage of multiple certificates (wildcard)
I'm running multiple apps behind Haproxy 1.5.
We have a signed SSL wildcard certificate for our domains: *.mysite.com
We now need to implement 4th-level domains: *.dev.mysite.com
The SSL certificate set up for *.mysite.com will not work in that case.
I therefore created a self-signed certificate for the common name: *.dev.mysite.com
And I'm now trying to add this certificate into Haproxy.
But it seems that only the first certificate for *.mysite.com is taken into consideration by Haproxy and *.dev.mysite.com doesn't seem to be interpreted.
My configuration:
    frontend mainHttps
        bind *:433 ssl crt /etc/ssl/private/sites/combined.pem
        [...]
Where combined.pem contains the signed certificate for *.mysite.com and the self-signed certificate for *.dev.mysite.com
Note:
The behavior of Haproxy 1.5 concerning the binding of SSL certificates is different from the behavior of Haproxy 1.6 as explained here
I'm not sure if the issue is linked to the Haproxy version or if the problem is linked to the usage of the wildcard certificate *.mysite.com, which takes over on *.dev.mysite.com
Edit:
I tried to use the following syntax as well:
    frontend mainHttps
        bind *:433 ssl crt /etc/ssl/private/sites/
        [...]
Where /etc/ssl/private/sites/ contains two different pem certificates. This syntax seems not to be working.
ssl ssl-certificate haproxy domain-name ssl-certificate-errors
edited Apr 13 '17 at 12:14 by Community♦
asked Oct 20 '16 at 9:50 by maxime_039
1 Answer
I didn't find a simple solution with Haproxy 1.5, but I've applied a workaround that solved my issue as explained below using multiple load balancers.
It's not ideal for sure, so my ultimate solution was to upgrade to Haproxy 1.6.
Usage of multiple load balancers:
It's the advantage of working on a HA infrastructure. I'm using a floating IP as my main entry point, which will then reach an available load balancer over Haproxy.
Therefore, I assigned a load balancer to my services that will use the *.dev.mysite.com self-signed certificate.
    frontend mainHttps
        bind *:433 ssl crt /etc/ssl/private/sites/dev.mysite.pem
        [...]
And I've edited the DNS records so *.dev.mysite.com is redirected to this specific load balancer now dedicated to serve my 4th level domain.
Upgrade to Haproxy 1.6:
As the workaround below is an expensive solution, you might want to consider upgrading to Haproxy 1.6, which solves the issue by allowing the binding of multiple certificates:
    frontend mainHttps
        bind *:433 ssl crt /etc/ssl/private/dev.mysite.pem crt /etc/ssl/private/mysite.pem
        [...]
answered Oct 21 '16 at 9:45 by maxime_039
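The selection behaviour discussed in this thread can be modelled as follows (an added example, not code from the post or from HAProxy): the server picks a certificate by the client's SNI name, a `*` wildcard covers exactly one label, and the first loaded certificate is the fallback. The function names and the `app.` hostnames are assumptions made for the illustration.

```python
# Added example: a simplified model of SNI-based certificate selection,
# not HAProxy source code. File labels come from the post; the app.*
# hostnames are constructed for illustration.

def name_matches(pattern, hostname):
    """True if a certificate name covers hostname.

    A leading '*' stands for exactly one left-most label, so
    *.mysite.com covers app.mysite.com but not app.dev.mysite.com.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    first_label, _, parent = hostname.partition(".")
    return bool(first_label) and parent == pattern[2:]


def select_certificate(loaded, sni):
    """Pick a certificate for a TLS handshake.

    loaded: list of (file_label, [names]) in load order.
    sni:    server name sent by the client, or None.
    Returns (file_label, covers_name). Exact names win over wildcards;
    if nothing matches, the first loaded certificate is the fallback.
    """
    if not loaded:
        raise ValueError("no certificate loaded")
    if sni:
        for want_wildcard in (False, True):
            for label, names in loaded:
                if any(n.startswith("*.") == want_wildcard
                       and name_matches(n, sni) for n in names):
                    return label, True
    return loaded[0][0], False


# Constructed scenarios using the certificate names from the post.
ONLY_FIRST = [("mysite.pem", ["*.mysite.com"])]           # what the asker observed on 1.5
BOTH = [("dev.mysite.pem", ["*.dev.mysite.com"]),         # order of the 1.6 bind line
        ("mysite.pem", ["*.mysite.com"])]

if __name__ == "__main__":
    for host in ("app.mysite.com", "app.dev.mysite.com", None):
        print(host, select_certificate(ONLY_FIRST, host),
              select_certificate(BOTH, host))
```

With the file order from the answer's 1.6 `bind` line, the model's fallback for clients that send no SNI or an unmatched name is `dev.mysite.pem`, the self-signed certificate; listing the CA-signed file first makes that one the fallback instead.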