Closed yorickdowne closed 3 months ago
Closing this, it's cosmetic. Despite the start-up complaint, a TLS connection succeeds.
Hi @yorickdowne. The "strict-sni" directive is the solution to this chicken-egg-problem as suggested by the HAProxy devs.
You are correct, the warning is only cosmetic. Without the "strict-sni", the proxy would refuse to start if no certificates are present in the specified directory.
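The bind line described in the comment above, as an added configuration sketch (not the project's template and not from either commenter). The frontend name and port follow the warning quoted in this thread; the backend and its address are hypothetical.

```haproxy
# Added example, not the project's template.
frontend https
    mode http

    # Without strict-sni: an empty crt directory leaves this bind with no
    # certificate, and HAProxy refuses to start.
    # bind :443 ssl crt /etc/haproxy/certs/

    # With strict-sni: HAProxy starts while the directory is still empty and
    # rejects any handshake whose SNI does not match a loaded certificate,
    # instead of falling back to a default certificate.
    bind :443 ssl crt /etc/haproxy/certs/ strict-sni

    default_backend app                 # hypothetical backend name

backend app
    mode http
    server app1 127.0.0.1:8080          # constructed address
```

Running `haproxy -c -f <config file>` checks the configuration without starting the proxy, which shows whether the start-up message is a warning or a fatal error.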
This part of the template
results in
config : Proxy 'https': no SSL certificate specified for bind ':443' at [/usr/local/etc/haproxy/haproxy.cfg:52], ssl connections will fail (use 'crt')
This is a bit of chicken and egg: When haproxy first starts this dir is empty, until acme has successfully requested a cert and populated the file, which could then be specified, like /etc/haproxy/certs/${ACME_DOMAIN}.pem, though that would again not quite work that way for multiple subdomains in ACME_DOMAIN.
I don't have an extremely good suggestion, but maybe crt-list is the savior here, see https://serverfault.com/questions/662662/haproxy-with-sni-and-different-ssl-settings
On further thought:
And yet it complains ...