From: Maximilian Moehl <maximilian@moehl.eu>
Date: Thu, 26 Jun 2025 14:08:03 +0000 (+0200)
Subject: DOC: config: crt-list clarify default cert + cert-bundle
X-Git-Tag: v3.3-dev2~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=51281782568597c557e2210897ca444a198e4c13;p=thirdparty%2Fhaproxy.git

DOC: config: crt-list clarify default cert + cert-bundle

Clarify that HAProxy duplicates crt-list entries for multi-cert bundles
which can create unexpected side-effects as only the very first
certificate after duplication is considered as default implicitly.
---

diff --git a/doc/configuration.txt b/doc/configuration.txt
index c5d20e697..999564e5e 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -16583,6 +16583,10 @@ crt-list <file>
     configuration, the default certificates could be explicited (with a '*'
     filter) at the beginning of the list, so an implicit default is not added
     before.
+    Due to multi-cert bundles being duplicated for each algorithm in the
+    crt-list, only one algorithm will occupy the first line in the crt-list and
+    be considered as default. Either specify the entire bundle as default by
+    declaring '*' as the filter or setting it on the bind line.
 
     The "show ssl sni" command on the stats socket could be used to debug your
     configuration. (See "show ssl sni" in the management guide)