Multiple certificates for the same HAProxy front-end binding

We have a smart website that allows a single mutli-tenant application to server requests for thousands of different domains. The content is keyed from the host name, so you only see the content for the website you are visiting. The volume is handled by a pair of HAProxy servers that sit over a web farm.

HTTPS is handled with multi-domain certificates, but as a multi-domain certificate grows it can become unwieldy.

For this reason, we wanted to split into multiple smaller certificates.

Our configuration before the change:

frontend fe-example
    mode http
    bind *:80
    bind *:443 ssl crt /etc/site-ssl/region1.pem

Our configuration after the change (note the additional crt keyword before the second certificate path).

frontend fe-example
    mode http
    bind *:80
    bind *:443 ssl crt /etc/site-ssl/region1.pem crt /etc/site-ssl/region2.pem

Important additional note – if you are running a pair of HAProxy servers, remember to upload the certificate to all of them before you change the configuration – otherwise the configuration will fail to reload on the second machine when the configuration is copied over.

Written by Steve Fenton on 28th April 2017

Programming

certificates haproxy tls