
I have a web app which offers a subdomain to each customer. Currently all the customer subdomains (e.g. user1.example.com, user2.example.com) and the root domain (i.e. www.example.com, example.com) are secured with a single wildcard certificate.

Now I would like to use an Extended Validation certificate for the root domain and keep using the wildcard certificate for the subdomains.

Is it possible to configure HAProxy to serve a different certificate based on that condition? Is it possible to have just one backend and only use a different certificate?

This question is different from this one because in my case both certificates would be valid for the root domain, so HAProxy can't figure out automatically which certificate should use. I need a way to explicitly set which certificate should be used based on the requested domain (SNI). Indeed for the root domain I want to use the EV certificate (instead of the wildcard one).

collimarco

  • Possible duplicate of [Configure multiple SSL certificates in Haproxy](https://serverfault.com/questions/560978/configure-multiple-ssl-certificates-in-haproxy) – Esa Jokinen Sep 26 '17 at 15:08
  • @EsaJokinen It's not exactly the same question. [That answer](https://serverfault.com/a/560997/15966) uses completely different domains, while in my case I need to distinguish between the root domain and subdomain. I don't know how to configure SNI in that case. Moreover I would like to understand if I can use just one backend (in that answer each domain points to a different backend). – collimarco Sep 26 '17 at 18:09
  • You can do it using SNI technology - https://stuff-things.net/2016/11/30/haproxy-sni/ – Jason Parms Sep 28 '17 at 12:29

1 Answer

Well actually you are in luck. If you configure haproxy to use both certs, either by putting them in the same directory and listing that, or by listing both certs explicitly, HAProxy will do the right thing for you. I have posted about this on the mailing list of haproxy. The relevant bit about the crt directive is:

This directive may be specified multiple times in order to load certificates from multiple files or directories. When specified multiple times, the certificates will be looked up in the order they are specified in the configuration, with the exception of wildcard certificates, they will always be looked up last.

As an alternative you can have a look at crt-list.

tjikkun

  • This works really damn well, we use it with an external cert primary and an internal cert that supports diagnostic endpoints (different subdomain) – Jacob Evans Sep 29 '17 at 13:33
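Both options the answer describes, written out as an HAProxy configuration for the EV-root-plus-wildcard case from the question (an added example, not from the original answer or the HAProxy project; the file paths, backend name and server address are assumptions):

```haproxy
# Two certificate bundles, each a PEM file holding the private key followed
# by the full certificate chain (the layout HAProxy expects). Paths assumed:
#   /etc/haproxy/certs/example.com-ev.pem   EV cert for example.com and www.example.com
#   /etc/haproxy/certs/wildcard.pem         *.example.com (this one also covers the root
#                                           domain, which is why selection must be explicit)

frontend https_in
    mode http

    # Option 1: list both certs on the bind line. HAProxy matches the client's
    # SNI against the names in each certificate in the order given, but
    # wildcard certificates are always tried last, so example.com and
    # www.example.com get the EV cert and user1.example.com falls through
    # to the wildcard.
    bind :443 ssl crt /etc/haproxy/certs/example.com-ev.pem crt /etc/haproxy/certs/wildcard.pem

    # Option 2 (use instead of the bind line above): a crt-list makes the
    # SNI-to-certificate mapping explicit instead of relying on lookup order.
    # bind :443 ssl crt-list /etc/haproxy/certs.list
    #
    # Contents of /etc/haproxy/certs.list (assumed path): one certificate per
    # line, followed by the SNI filters it should serve; "*.example.com"
    # matches one label only, so it does not capture the bare root domain.
    #   /etc/haproxy/certs/example.com-ev.pem  example.com www.example.com
    #   /etc/haproxy/certs/wildcard.pem        *.example.com

    # One backend serves the root domain and every customer subdomain; the
    # certificate choice happens at the TLS layer and never touches routing.
    default_backend app

backend app
    mode http
    server app1 127.0.0.1:8080 check
```

After a reload, `openssl s_client -connect example.com:443 -servername example.com` should present the EV certificate while `-servername user1.example.com` presents the wildcard one, which confirms the SNI-based selection is doing what the answer promises.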