pfSense HAProxy weirdness

All, thanks in advance for assistance.

I have been using HAProxy after following Tom’s SSL offloading video for a while. Everything is working for my multiple domains and certs except I have noticed an issue that I cannot resolve.

If I go to www.example.com or any other XXXX.example.com I get redirected properly to the backend and the correct wildcard cert is applied.

If I go to example.com I get a 503 error and the default cert that is set in the frontend setting is applied, not the wildcard cert for example.com.

I have a frontend ACL for “host matches” : “www.example.com” pointing to backend 10.10.10.10 port 80.
I also have a frontend ACL for “host matches” : “example.com” pointing to backend 10.10.10.10 port 80.

Not sure what is going on or how to get example.com to use the correct acl and redirect to the correct backend.

I have no experience with HAProxy, but maybe it returns the 503 because the requested domain doesn’t match the certificate CN. Unless you had the cert issued with the actual domain as a SAN, a wildcard certificate will not match the domain itself.

There should be a way to get logs from HAProxy in pfSense, they probably contain more information.

Getting an SSL handshake error when connecting using example.com vs. www.example.com.

FIXED IT!

I had *.example.com in the allowed domains in the ACME cert setup. Added example.com and reissued the cert. Voila! Fixed!

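The root cause in the two replies above (a wildcard SAN does not cover the apex domain, and HAProxy then falls back to the frontend's default certificate when no certificate in its list matches the SNI name) can be checked before reissuing a certificate. The script below is an added example, not code from the thread or from pfSense/HAProxy; the SAN lists and the peer-certificate dict it uses are constructed to mirror the situation described, and it implements the standard matching rule (a `*` label matches exactly one DNS label, never zero, and is only honoured in the left-most position). The `dns_sans_from_peercert` helper accepts the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, so the same check can be run against a live listener.

```python
"""Check whether a certificate's dNSName SANs cover the hostnames a proxy serves.

Added illustration for the thread above; all SAN lists and the peer-cert dict
below are constructed sample data, not values from the original post.
"""


def _label_matches(pattern_label: str, host_label: str) -> bool:
    # Only a whole-label wildcard ("*") is honoured. Partial wildcards such
    # as "w*" are treated literally, which is the conservative choice.
    if pattern_label == "*":
        return True
    return pattern_label == host_label


def hostname_matches(san_dns_names, hostname: str) -> bool:
    """True if any dNSName SAN entry covers hostname (case-insensitive).

    A wildcard never spans multiple labels and never matches the apex, so
    "*.example.com" covers "www.example.com" but neither "example.com"
    nor "a.b.example.com".
    """
    host = hostname.rstrip(".").lower().split(".")
    for name in san_dns_names:
        pattern = name.rstrip(".").lower().split(".")
        # Label counts must be equal: "*" stands for exactly one label.
        if len(pattern) != len(host):
            continue
        # A wildcard is only valid in the left-most label.
        if any(lbl == "*" for lbl in pattern[1:]):
            continue
        if all(_label_matches(p, h) for p, h in zip(pattern, host)):
            return True
    return False


def uncovered_hosts(san_dns_names, hostnames):
    """Return the hostnames the certificate would fail to cover, in order."""
    return [h for h in hostnames if not hostname_matches(san_dns_names, h)]


def dns_sans_from_peercert(peercert: dict):
    """Extract dNSName entries from the dict ssl.SSLSocket.getpeercert() returns.

    getpeercert() yields {"subjectAltName": (("DNS", "x"), ("IP Address", "y"), ...)}.
    Only the DNS entries take part in hostname matching.
    """
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed SAN lists mirroring the thread: the first certificate only
# carried the wildcard; the reissued one adds the apex domain as well.
ORIGINAL_SANS = ["*.example.com"]
REISSUED_SANS = ["*.example.com", "example.com"]

# Hostnames the HAProxy frontend ACLs are expected to answer for (constructed).
HOSTS_SERVED = ["www.example.com", "app.example.com", "example.com"]

# Constructed stand-in for what getpeercert() would return for the reissued cert.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (
        ("DNS", "*.example.com"),
        ("DNS", "example.com"),
        ("IP Address", "203.0.113.5"),
    ),
}


if __name__ == "__main__":
    for label, sans in (("original", ORIGINAL_SANS), ("reissued", REISSUED_SANS)):
        missing = uncovered_hosts(sans, HOSTS_SERVED)
        status = "OK" if not missing else "MISSING " + ", ".join(missing)
        print(f"{label:9s} SANs={sans}: {status}")
    live_sans = dns_sans_from_peercert(SAMPLE_PEERCERT)
    print("peercert DNS SANs:", live_sans)
```

Run against the constructed data, the "original" list reports `example.com` as uncovered and the "reissued" list reports nothing missing, which is exactly the change the fix post made in the ACME settings. To check a live listener instead, feed the output of `ssl.SSLSocket.getpeercert()` for a connection made with `server_hostname` set to the apex name into `dns_sans_from_peercert`, or inspect the served certificate with `openssl s_client -connect host:443 -servername example.com`; if the certificate shown there is the frontend's default rather than the wildcard, the SNI name has no matching certificate in HAProxy's list.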