flobernd / docker-haproxy-acme

A Docker image that combines 'haproxy' and 'acme.sh'.
MIT License

SSL frontend needs a specific cert #4

Closed yorickdowne closed 3 months ago

yorickdowne commented 3 months ago

This part of the template

frontend https
  mode http
  bind ":${HAPROXY_HTTPS_PORT}" name https ssl crt /etc/haproxy/certs/ strict-sni alpn h2,http/1.1
  option forwardfor if-none
  default_backend main

results in config : Proxy 'https': no SSL certificate specified for bind ':443' at [/usr/local/etc/haproxy/haproxy.cfg:52], ssl connections will fail (use 'crt')

This is a bit of a chicken-and-egg problem: when haproxy first starts this dir is empty, until acme has successfully requested a cert and populated the file, which could then be specified, like /etc/haproxy/certs/${ACME_DOMAIN}.pem, though that would again not quite work that way for multiple subdomains in ACME_DOMAIN.

I don't have an extremely good suggestion, but maybe crt-list is the savior here, see https://serverfault.com/questions/662662/haproxy-with-sni-and-different-ssl-settings

On further thought:

If a directory name is given as the <cert> argument, haproxy will
automatically search and load bundled files in that directory.

And yet it complains ...

yorickdowne commented 3 months ago

Closing this, it's cosmetic. Despite the start-up complaint, a TLS connection succeeds.

flobernd commented 3 months ago

Hi @yorickdowne. The "strict-sni" directive is the solution to this chicken-and-egg problem, as suggested by the HAProxy devs.

You are correct, the warning is only cosmetic. Without the "strict-sni", the proxy would refuse to start if no certificates are present in the specified directory.
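The thread above boils down to three states for a `bind ... ssl crt <dir>` line: the directory holds bundles (fine), it is empty but `strict-sni` is set (the cosmetic warning quoted in the issue), or it is empty without `strict-sni` (haproxy refuses to start). The following checker is an added example written for this page, not code from docker-haproxy-acme; it walks the frontend template from the issue and classifies each TLS bind line. The regex, the `scan_cert_dir` helper, the `cert_store` mapping and the severity labels are assumptions of this example; the template text, the `/etc/haproxy/certs/` path and the `HAPROXY_HTTPS_PORT` variable come from the issue.

```python
"""Classify HAProxy 'bind ... ssl crt <dir>' lines for the empty-certificate-
directory start-up case.  Added example, not part of docker-haproxy-acme."""
import re
from pathlib import Path

# Matches "bind <addr> <options...>" (assumption: one bind per line, as in the template).
BIND_RE = re.compile(r"^\s*bind\s+(?P<addr>\S+)\s*(?P<opts>.*)$")

FATAL = "fatal"         # haproxy will refuse to start
COSMETIC = "cosmetic"   # the start-up warning from the issue; TLS works once certs exist
OK = "ok"

# Constructed sample: the frontend block from the issue, placeholder still unexpanded.
ISSUE_TEMPLATE = """frontend https
  mode http
  bind ":${HAPROXY_HTTPS_PORT}" name https ssl crt /etc/haproxy/certs/ strict-sni alpn h2,http/1.1
  option forwardfor if-none
  default_backend main
"""


def scan_cert_dir(path):
    """PEM bundle names found in a certificate directory on disk (empty if none/missing)."""
    d = Path(path)
    return sorted(p.name for p in d.glob("*.pem")) if d.is_dir() else []


def check_ssl_binds(cfg_text, cert_store, env=None):
    """Return (line_number, severity, message) for every TLS bind line.

    cfg_text   -- haproxy.cfg contents, ${VAR} placeholders allowed
    cert_store -- mapping crt path -> list of bundle names; pass
                  {p: scan_cert_dir(p)} to inspect a live directory
    env        -- values substituted for ${VAR} placeholders
    """
    env = env or {}
    findings = []
    for lineno, raw in enumerate(cfg_text.splitlines(), 1):
        line = re.sub(r"\$\{(\w+)\}", lambda m: env.get(m.group(1), m.group(0)), raw)
        m = BIND_RE.match(line)
        if not m:
            continue
        opts = m.group("opts").split()
        if "ssl" not in opts:
            continue  # plain bind, no certificate involved
        addr = m.group("addr")
        # every 'crt' keyword takes the following token as its path
        crts = [opts[i + 1] for i, tok in enumerate(opts[:-1]) if tok == "crt"]
        strict_sni = "strict-sni" in opts
        if not crts:
            findings.append((lineno, FATAL, f"bind {addr}: 'ssl' without any 'crt'"))
            continue
        for crt in crts:
            bundles = cert_store.get(crt, [])
            if bundles:
                findings.append((lineno, OK, f"bind {addr}: {len(bundles)} bundle(s) in {crt}"))
            elif strict_sni:
                findings.append((lineno, COSMETIC,
                                 f"bind {addr}: {crt} is empty; start-up warns but proceeds "
                                 f"because of strict-sni (cert is served once acme.sh writes it)"))
            else:
                findings.append((lineno, FATAL,
                                 f"bind {addr}: {crt} is empty and strict-sni is missing; "
                                 f"haproxy will not start"))
    return findings


if __name__ == "__main__":
    # Hypothetical run against the real directory on the host.
    store = {"/etc/haproxy/certs/": scan_cert_dir("/etc/haproxy/certs/")}
    for lineno, sev, msg in check_ssl_binds(ISSUE_TEMPLATE, store, {"HAPROXY_HTTPS_PORT": "443"}):
        print(f"line {lineno} [{sev}] {msg}")
```

Running it inside the container before acme.sh has completed reports the `cosmetic` state for line 3 of the template; dropping `strict-sni` from that bind line turns the same empty directory into a `fatal` finding, which is the behaviour flobernd describes.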