DOC: config: crt-list clarify default cert + cert-bundle

Clarify that HAProxy duplicates crt-list entries for multi-cert bundles
which can create unexpected side-effects as only the very first
certificate after duplication is considered as default implicitly.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index c5d20e697c54d463121289d93464f401fabb9652..999564e5e9f717dcbe62a29210c2c65ca1b6b4f7 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -16583,6 +16583,10 @@ crt-list <file>
     configuration, the default certificates could be explicited (with a '*'
     filter) at the beginning of the list, so an implicit default is not added
     before.
+    Due to multi-cert bundles being duplicated for each algorithm in the
+    crt-list, only one algorithm will occupy the first line in the crt-list and
+    be considered as default. Either specify the entire bundle as default by
+    declaring '*' as the filter or setting it on the bind line.
 
     The "show ssl sni" command on the stats socket could be used to debug your
     configuration. (See "show ssl sni" in the management guide)