I am trying to secure a domain with haproxy. When I load the URL: bitbucket.kl.company.com, I get the error:
    bitbucket.kl.company.com uses an invalid security certificate.
    This certificate is only valid for the following names:
    *.company.com, company.com, bitbucket-mirror.company.com
    Error Code: SSL_ERROR_BAD_CERT_DOMAIN
Now if I go onto the server and do the following:
    openssl x509 -text -noout -in /etc/haproxy/certs/cert.pem | grep DNS
    DNS:*.company.com, DNS:company.com, DNS:bitbucket.kl.company.com
I contacted DigiCert, who issue the certificates, and they said the server was issuing the wrong certificate.
In my haproxy.cfg I have:
    frontend bitbucket_http_frontend
        bind *:80
        bind *:443 ssl crt /etc/haproxy/certs/cert.pem ciphers HIGH:!aNULL:!MD5
        redirect scheme https code 301 if !{ ssl_fc }
        default_backend bitbucket_http_backend
This appears to be what is happening...
haproxy is issuing other certificates from within /etc/haproxy/certs
I didn't expect or ask it to do that, but that is the only conclusion that makes sense, unless there is a default location that it looks in first.
This was due to a stale haproxy process which had been started without 'systemctl' and had been running for 3 months. It was issuing certificates for a long-since-deleted pem file.
I thought there would have been a port clash or something but there was not. haproxy did not complain.
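An added diagnostic script for the situation in this thread (written for this page, not the original poster's code): it compares the SAN list the live listener actually presents against the pem on disk, checks whether the requested hostname is covered (a wildcard only matches one label, which is why *.company.com never covers bitbucket.kl.company.com), and lists every process bound to the port so a stale listener shows up. It assumes openssl and ss (or netstat) are installed; run it as `./check.sh /etc/haproxy/certs/cert.pem bitbucket.kl.company.com`.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): compare the SAN list the live
# listener presents with the SAN list of the pem on disk, check whether the
# requested hostname is covered, and show which processes own the port.
set -u

# Pull DNS SAN entries out of `openssl x509 -text` output, one per line.
san_list() {
  grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://' | LC_ALL=C sort -u
}

# SANs of the leaf certificate the listener sends for a given SNI name.
served_sans() {  # host port sni
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null |
    openssl x509 -noout -text 2>/dev/null | san_list
}

# SANs of the certificate file haproxy is configured to use.
disk_sans() { openssl x509 -noout -text -in "$1" | san_list; }

# 0 if SAN covers NAME. A wildcard matches exactly one label (RFC 6125),
# so *.company.com does not cover bitbucket.kl.company.com.
name_matches_san() {  # name san
  local name=$1 san=$2 first rest
  case $san in
    \*.*) first=${name%%.*}; rest=${name#*.}
          [ "$first" != "$name" ] && [ "$rest" = "${san#\*.}" ] ;;
    *)    [ "$name" = "$san" ] ;;
  esac
}

# 0 if any of the SANs given as arguments covers NAME.
covered_by() {  # name san...
  local name=$1 san; shift
  for san in "$@"; do name_matches_san "$name" "$san" && return 0; done
  return 1
}

# diagnose PEM HOST [PORT]: report mismatch, coverage and listening processes.
diagnose() {
  local pem=$1 host=$2 port=${3:-443} served disk
  served=$(served_sans "$host" "$port" "$host"); disk=$(disk_sans "$pem")
  if [ "$served" = "$disk" ]; then echo "listener matches $pem"
  else printf 'MISMATCH\nserved:\n%s\ndisk:\n%s\n' "$served" "$disk"; fi
  if covered_by "$host" $served; then echo "$host covered by served cert"
  else echo "$host NOT covered by served cert (SSL_ERROR_BAD_CERT_DOMAIN)"; fi
  # A second listener (e.g. a stale haproxy started outside systemd) shows up here.
  ss -tlnp "( sport = :$port )" 2>/dev/null || netstat -tlnp | grep ":$port "
}

if [ $# -ge 2 ]; then diagnose "$@"; fi
```

If the served list differs from the on-disk list, the process in the ss output is the one to inspect; the pem it was started with may no longer exist on disk.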