Symptom & Impact
Browsers display certificate errors when connecting through HAProxy frontends.
Environment & Reproduction
Seen after certificate rotation or addition of new SNI hosts.
Root Cause Analysis
The PEM bundles referenced in `crt-list` are out of order, or the list includes a default certificate that overrides SNI.
Quick Triage
Inspect HAProxy stats and `haproxy -c -f /etc/haproxy/haproxy.cfg` output.
Step-by-Step Diagnosis
Use `openssl s_client -servername host -connect …` to confirm which cert is served.

Solution – Primary Fix
Rebuild the crt-list, ensure correct SNI mapping, and reload HAProxy gracefully.
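
A lint pass to run over the rebuilt crt-list before the reload, as an added example (not from the original page or the HAProxy project). It assumes the entry layout `<crtfile> [\[<sslbindconf> ...\]] [[!]<snifilter> ...]`; the sample file, paths and hostnames are constructed, and `parse_crt_list` and `lint` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample crt-list; paths and hostnames are hypothetical.
SAMPLE = """\
# the first entry is the default certificate for the bind line
/etc/haproxy/certs/default.pem
/etc/haproxy/certs/shop.pem [alpn h2,http/1.1] shop.example.com
/etc/haproxy/certs/wild.pem *.example.com !secret.example.com
/etc/haproxy/certs/old-shop.pem Shop.Example.com
"""

# <crtfile> [\[<sslbindconf> ...\]] [[!]<snifilter> ...]
ENTRY = re.compile(r"^(\S+)(?:\s+\[[^\]]*\])?(.*)$")

def parse_crt_list(text):
    """Return (line_number, crtfile, sni_filters) for each non-comment entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        crtfile, rest = ENTRY.match(line).groups()
        entries.append((lineno, crtfile, rest.split()))
    return entries

def lint(entries):
    """Return findings as (kind, subject, line_numbers) tuples for review."""
    findings = []
    if entries:
        lineno, crtfile, _ = entries[0]
        findings.append(("default", crtfile, [lineno]))
    owners = defaultdict(list)
    for lineno, crtfile, filters in entries:
        if not filters:
            findings.append(("no-filter", crtfile, [lineno]))
        for name in filters:
            if not name.startswith("!"):  # "!" marks a negative filter
                owners[name.lower()].append((lineno, crtfile))
    for name, hits in owners.items():
        if len({crt for _, crt in hits}) > 1:
            # May be intentional (e.g. RSA + ECDSA pair); otherwise a stale entry.
            findings.append(("duplicate", name, [n for n, _ in hits]))
    return findings

if __name__ == "__main__":
    for kind, subject, lines in lint(parse_crt_list(SAMPLE)):
        print(f"{kind:10} {subject} (line {', '.join(map(str, lines))})")
```
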
Solution – Alternative Approaches
Harden the TLS configuration by setting `ssl-default-bind-curves` and a modern cipher suite list.
Verification & Acceptance Criteria
All SNI hosts present the correct certificate and chain.
Rollback Plan
Roll back to the previous crt-list backup if a misconfigured cert is deployed.
Prevention & Hardening
Automate certificate rotation with Salt or Cert-Manager.
Related Errors & Cross-Refs
Pairs with `unable to load SSL certificate` warnings on reload.
References & Further Reading
SUSE HAProxy configuration and TLS reference docs.