This is a follow-up question to the other thread "SSL Problem - Untrusted Connection" which has meanwhile been resolved, thanks to Lukas and Duncan. My PEM files are now working properly.

Here is what I have in the config file:

frontend https-in
    bind :443 ssl crt /var/proxy/certs/fallback.pem crt /var/proxy/certs/domain1.pem crt /var/proxy/certs/domain2.pem
    use_backend ssl_backend

Now, when calling https://domain1 this works from all modern platforms and browsers. But a lot of customers with older equipment (i.e. most of them from within banking networks - no kidding) are reporting that their browser (IE8 on XP as an example) is warning them when visiting domain1 on SSL. As I couldn't reproduce that problem from elsewhere, I just installed XP and IE8 and bang, yes I get the same warning.

What happens is that HAProxy is using the fallback certificate.

When I remove that and only have this config:

frontend https-in
    bind :443 ssl crt /var/proxy/certs/domain1.pem
    use_backend ssl_backend

Then everything works also on older systems.

I think, from that we can assume that the certificates are just fine. But something with HAProxy seems not quite right for all circumstances if there is more than one CRT in one bind statement.

If anyone needs an environment for testing and reproduction, please let me know. I can provide more info or even access to our system if that's necessary.

Thanks
Jürgen