On 05-19-2021 4:29 pm, Viktor Dukhovni wrote:
Don't misconfigure the client to connect to "haproxy.example.com", instead
publish a CNAME:

        submission.example.com. IN CNAME haproxy.example.com.

Have the client connect to submission.example.com.  The load
balancing in "haproxy" can be by IP address, or some alternative
names of the hosts, if haproxy wants to connect to hostnames.

To my knowledge you cannot create a certificate linked to an IP; it has to be a hostname.

I do not see how making a CNAME removes the problem.
If I make it so the client connects to submission.example.com, then the postfix server has to be renamed to something else, like balanced1.example.com.

Now the client connects to submission.example.com and is being given a certificate from balanced1.example.com. The same problem exists.

Following your advice, I would have to create a certificate on the proxy server submission.example.com, then copy that certificate from the proxy server to the postfix server balanced1.example.com, and tell main.cf to use that certificate that came from the proxy server. Just to make sure I understand you, is that what you are telling me I should do?

Other than that making me feel uncomfortable, it does not allow for auto renews, and if I forget to copy over the cert one day, things break.
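
Added example (not part of either message in this thread): a simplified Python sketch of the name check a TLS client performs, using the thread's hostnames as constructed inputs. It assumes DNS-type subjectAltName entries only (no IP SANs, no internationalized names), and the function names are hypothetical.

```python
"""Which name does a TLS client compare the server certificate against?"""


def _match_dns(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' is honoured only as the entire leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or not all(h_labels):
        return False
    if p_labels[0] == "*":
        # A wildcard covers exactly one label and needs two more labels after it.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_matches(connect_name: str, san_dns_names: list[str]) -> bool:
    """True if any DNS SAN matches the name the client was configured to use.

    The CNAME target and the backend's own hostname are not inputs to the check.
    """
    return any(_match_dns(san, connect_name) for san in san_dns_names)


# Constructed scenario using the hostnames from the thread.
CLIENT_NAME = "submission.example.com"
SCENARIOS = {
    "backend name only": ["balanced1.example.com"],
    "service name only": ["submission.example.com"],
    "both names in one cert": ["balanced1.example.com", "submission.example.com"],
    "wildcard": ["*.example.com"],
}


def evaluate() -> dict[str, bool]:
    """Run every constructed certificate against the client's configured name."""
    return {label: cert_matches(CLIENT_NAME, sans) for label, sans in SCENARIOS.items()}


if __name__ == "__main__":
    for label, ok in evaluate().items():
        print(f"{label:25s} -> {'match' if ok else 'MISMATCH'}")
```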
