DOC: better describes how to configure a fallback crt

A default certificate is always the first one declared in the bind line,
either from `crt` or from `crt-line` option. This commit updates the
description of how to configure a fallback certificate, clarifying that
it needs to be the first one of the bind line.

Should be merged as far as the first SNI filter implementation.
Joao Morais 2020-11-24 08:24:30 -03:00 committed by William Lallemand
parent 6dee9969b9
commit aa8fcc4692


@ -12624,13 +12624,14 @@ crt-list <file>
Empty lines as well as lines beginning with a hash ('#') will be ignored.
The first valid line declares the default certificate, which haproxy should
use in the TLS handshake if no other certificate matches, just like the crt
bind option. This certificate will also be used if the provided SNI matches
its CN or SAN, even if a matching SNI filter is declared later. The SNI filter
!* can be used after the first certificate to not include its CN and SAN in
the SNI tree, so it will never match except if no other certificate matches.
This way the first declared certificate act as a fallback.
The first declared certificate of a bind line is used as the default
certificate, either from crt or crt-list option, which haproxy should use in
the TLS handshake if no other certificate matches. This certificate will also
be used if the provided SNI matches its CN or SAN, even if a matching SNI
filter is found on any crt-list. The SNI filter !* can be used after the first
declared certificate to not include its CN and SAN in the SNI tree, so it will
never match except if no other certificate matches. This way the first
declared certificate act as a fallback.
crt-list file example:
cert1.pem !*
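Review bot: the subject-verb agreement error survives the rewrite; the closing sentence of the new paragraph still reads "This way the first declared certificate act as a fallback." and should be "acts as a fallback." Since the paragraph is being rewritten anyway, the opening sentence would also read more clearly as "The first certificate declared on a bind line, from either the crt or the crt-list option, is used as the default certificate, which haproxy uses in the TLS handshake if no other certificate matches." As written, "either from crt or crt-list option" leaves it unclear that the ordering is across both options combined, which is the point the commit message makes; saying plainly that a certificate given with crt before a crt-list is the default even if the crt-list has its own first entry would close that gap, and it matters for operators relying on the !* filter to keep a fallback certificate out of the SNI tree.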