hamburml / docker-flow-letsencrypt

Companion service which adds Let’s Encrypt certificates to docker flow
MIT License
92 stars 27 forks

Certificate order in proxy #16

Open morsik opened 7 years ago

morsik commented 7 years ago

Hi.

I configured 4 certificates in docker-flow-letsencrypt env variable. Everything went fine, certs were created, proxy was reconfigured. Nice.

But when I enter my site which doesn't have a certificate, HAProxy returns the first certificate from its list, and its list is generated alphabetically.

Like that (of course cert-di is a real domain):

frontend services
    bind *:80
    bind *:443 ssl crt /certs/cert-di.combined.pem crt /certs/cert-dr.combined.pem crt /certs/cert-op.combined.pem crt /certs/cert-os.combined.pem
    mode http

Problem is: my very simple infrastructure is hosted under domain cert-op, so I want to expose this certificate (even if it'll fail in every browser) as default and not leak cert-di, which is one site from some user.

This could be achieved with easy mapping (order of domains like I have in this example):

With this, docker-flow-proxy will generate config in different order, and cert-op will be exposed as default certificate.

hamburml commented 7 years ago

I think you could achieve this with the newly added isDefaultBackend parameter. https://github.com/vfarcic/docker-flow-proxy/releases/tag/1.336

vfarcic commented 7 years ago

I don't think that isDefaultBackend will solve this :). Maybe a domain can be suffixed with a filename.

Instead:

DOMAIN_1="('haembi.de' 'www.haembi.de' 'blog.haembi.de')"

it could be:

DOMAIN_1="('haembi.de:cert-1.pem' 'www.haembi.de' 'blog.haembi.de:cert-3.pem')"

The logic could be to split a domain by colon (:). Use the first element as domain name. If there are two, use the second as the filename. Otherwise, use the domain as filename.

I haven't explored the code in detail so I'm not sure whether that's doable or, to be more precise, a lot of work.

morsik commented 7 years ago

The isDefaultBackend is not a solution there at all.

@vfarcic: DOMAIN_X is exactly one certificate file, so the example you gave is totally useless since all domains will be inside one file. Under the haembi.de certificate.

My feature request is when there are multiple certificates, in DOMAIN_1, DOMAIN_2 and DOMAIN_666. Then I want DOMAIN_1 to always be first in the HAProxy config, not any other. And they are ordered alphabetically right now, so if DOMAIN_2 starts with the letter "a", it'll be used as default in HAProxy instead of DOMAIN_1, which starts with the letter "o". But I would like to make the default certificate the one starting with "o" ;)

I hope you understand.

hamburml commented 7 years ago

Ahh, got it! Thanks for the explanation.

hamburml commented 7 years ago

Sorry for neglecting this project so long. Some family and health issues...

I will try to add this in the next days. To be honest I do not expect that you are still using this companion (Issue was created 6 months ago) but the idea is still great. I am also eagerly waiting for the acme v2 certbot release, which will add wildcard certificates https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html

hamburml commented 7 years ago

@morsik If you are still interested, you could try hamburml/docker-flow-letsencrypt:testing. The certificate of DOMAIN_1 should be 00000000<DOMAIN_1>.combined.pem where DOMAIN_1 is the first entry of the array. For example:

DOMAIN_1=('haembi.de' 'www.haembi.de') the cert would be 00000000haembi.de.combined.pem
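As an added illustration (not code from this repository or from docker-flow-proxy), the ordering logic the thread arrives at: HAProxy presents the first `crt` on the bind line to any client whose SNI matches no certificate, the proxy lists the files in directory (alphabetical) order, and prefixing DOMAIN_1's file with `00000000` pins it to the front. The DOMAIN_N values and the `/certs` path below are constructed sample input.

```python
import re

# Constructed sample environment mirroring the thread: DOMAIN_1 is the
# operator's own domain (starts with 'o'), DOMAIN_2 a user's domain (starts with 'a').
SAMPLE_ENV = {
    "DOMAIN_1": "('op.example.test' 'www.op.example.test')",
    "DOMAIN_2": "('alice.example.test')",
    "DOMAIN_3": "('dr.example.test')",
}

def parse_domains(env):
    """Return [(index, [domains...])] for every DOMAIN_<n> variable, ordered by index."""
    found = []
    for key, value in env.items():
        m = re.fullmatch(r"DOMAIN_(\d+)", key)
        if not m:
            continue
        domains = re.findall(r"'([^']+)'", value)  # entries of the bash-style array
        if domains:
            found.append((int(m.group(1)), domains))
    return sorted(found)

def cert_filename(index, domains, pin_first=True):
    """Combined-cert file name; DOMAIN_1 gets the '00000000' prefix (the scheme from the thread)."""
    name = domains[0] + ".combined.pem"
    return "00000000" + name if pin_first and index == 1 else name

def haproxy_bind_line(env, pin_first=True, certs_dir="/certs"):
    """Build the 'bind *:443 ssl ...' line with certs in directory (alphabetical) order,
    which is how the proxy config in the issue was generated."""
    files = sorted(cert_filename(i, d, pin_first) for i, d in parse_domains(env))
    return "bind *:443 ssl " + " ".join(f"crt {certs_dir}/{f}" for f in files)

def default_certificate(env, pin_first=True):
    """The certificate HAProxy serves when SNI matches nothing: the first crt on the bind line."""
    return haproxy_bind_line(env, pin_first).split("crt ")[1].split()[0]

if __name__ == "__main__":
    # Without the prefix a user's certificate ends up first and is exposed as the default.
    print("without prefix:", default_certificate(SAMPLE_ENV, pin_first=False))
    # With the prefix the operator's own DOMAIN_1 certificate is the default.
    print("with prefix:   ", default_certificate(SAMPLE_ENV, pin_first=True))
```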