From 744123b6153aff7cc7e16d546dec449369e79db5 Mon Sep 17 00:00:00 2001
From: CyberMind-FR
Date: Mon, 9 Feb 2026 16:49:02 +0100
Subject: [PATCH] docs: Update FAQ with HAProxy SNI/certs.list troubleshooting
- Add HAProxy multi-domain SSL certificate matching issue
- Document crt-list solution for SNI issues
- Minor updates to settings and streamlit readme
Co-Authored-By: Claude Opus 4.5
---
.claude/FAQ-TROUBLESHOOTING.md | 36 +++++++++++++++++++
.claude/settings.local.json | 35 +++++++++++++++++-
.../secubox/secubox-app-streamlit/README.md | 2 +-
3 files changed, 71 insertions(+), 2 deletions(-)
diff --git a/.claude/FAQ-TROUBLESHOOTING.md b/.claude/FAQ-TROUBLESHOOTING.md
index 70d2b55f..52f8b622 100644
--- a/.claude/FAQ-TROUBLESHOOTING.md
+++ b/.claude/FAQ-TROUBLESHOOTING.md
@@ -174,6 +174,42 @@ uci commit firewall
 ## HAProxy Issues
+### Issue: Multi-domain SSL certificates not matching correctly (SNI issues)
+
+**Symptoms:**
+- Wrong certificate served for some domains
+- SSL handshake failures for specific domains
+- Browser shows certificate name mismatch warnings
+
+**Root Cause:**
+HAProxy directory mode (`crt /path/to/certs/`) uses certificate filenames for SNI matching, which can be unreliable with multiple certificates. The certificate CN/SAN extraction is automatic but may not match the expected domain.
+
+**Solution:**
+Use `crt-list` instead of directory mode for explicit domain-to-certificate mapping.
+
+1. Generate `certs.list` file that maps each certificate to its domains:
+```bash
+haproxyctl generate
+# or manually regenerate:
+haproxy-sync-certs
+```
+
+2. The certs.list format is:
+```
+/opt/haproxy/certs/example.com.pem example.com
+/opt/haproxy/certs/example.com.pem www.example.com
+/opt/haproxy/certs/api.example.com.pem api.example.com
+```
+
+3. HAProxy config uses:
+```
+bind *:443 ssl crt-list /opt/haproxy/certs/certs.list alpn h2,http/1.1
+```
+
+This was fixed in haproxyctl (2026-02-07) to automatically generate certs.list from certificate SANs.
+
+---
+
 ### Issue: HAProxy fails with "unable to find required use_backend"
 **Symptoms:**
diff --git a/.claude/settings.local.json b/.claude/settings.local.json
index b4b01135..f7a59343 100644
--- a/.claude/settings.local.json
+++ b/.claude/settings.local.json
@@ -293,7 +293,40 @@
 "WebFetch(domain:evolution.gk2.secubox.in)",
 "WebFetch(domain:console.gk2.secubox.in)",
 "Bash(SCRIPT)",
- "Bash(tcpdump:*)"
+ "Bash(tcpdump:*)",
+ "Bash(resolvectl query:*)",
+ "Bash(systemctl restart:*)",
+ "Bash(getent:*)",
+ "Bash(unzip:*)",
+ "Bash(__NEW_LINE_86d4afe3b9fa8d1c__ echo \"\")",
+ "Bash(__NEW_LINE_9ed23c10c78c59e7__ echo \"\")",
+ "Bash(__NEW_LINE_eb3bd3ef6592bca8__ echo \"\")",
+ "Bash(__NEW_LINE_7eaa189e50a78a6c__ echo \"\")",
+ "WebFetch(domain:oracle.ganimed.fr)",
+ "Bash(')",
+ "WebFetch(domain:gk2.secubox.in)",
+ "WebFetch(domain:press.cybermood.eu)",
+ "Bash(command -v:*)",
+ "Bash(# Configure serial port stty -F /dev/ttyUSB0 115200 cs8 -cstopb -parenb raw -echo # Send a newline and try to read response \\(echo \"\"\"\"; sleep 0.5; echo \"\"\"\"; sleep 0.5\\) & timeout 3 cat /dev/ttyUSB0)",
+ "Bash(do if sh -n \"$f\")",
+ "Bash(then echo \"OK: $f\")",
+ "Bash(else echo \"FAIL: $f\")",
+ "Bash(do echo \"Resolver $resolver:\" nslookup -type=NS secubox.in $resolver)",
+ "Bash(do echo \"Resolver $resolver:\" nslookup secubox.in $resolver)",
+ "Bash(do echo \"Resolver $resolver:\" nslookup gk2.secubox.in $resolver)",
+ "Bash(do echo \"Resolver $resolver:\" nslookup evolution.gk2.secubox.in $resolver)",
+ "Bash(stty:*)",
+ "Bash(sudo stty:*)",
+ "Bash(./secubox-clone-station.sh:*)",
+ "Bash(sudo apt install:*)",
+ "Bash(dmesg:*)",
+ "Bash(lsusb:*)",
+ "Bash(ss:*)",
+ "Bash(netstat:*)",
+ "Bash(fuser:*)",
+ "Bash(lsof:*)",
+ "Bash(arp:*)",
+ "Bash(ip link:*)"
 ]
 }
 }
diff --git a/package/secubox/secubox-app-streamlit/README.md b/package/secubox/secubox-app-streamlit/README.md
index fee3bb80..bd1b38b8 100644
--- a/package/secubox/secubox-app-streamlit/README.md
+++ b/package/secubox/secubox-app-streamlit/README.md
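Review bot: Several of the added allow entries are not command patterns but appear to be fragments of multi-line shell that the permission prompt split on line boundaries — `"Bash(')"`, the four `"Bash(__NEW_LINE_…__ echo \"\")"` entries, and `"Bash(do if sh -n \"$f\")"` / `"Bash(then echo \"OK: $f\")"` / `"Bash(else echo \"FAIL: $f\")"` — and they should be pruned before this file is committed, since a grant like `"Bash(')"` cannot be reviewed for what it actually permits. The wildcard grants `"Bash(sudo apt install:*)"`, `"Bash(sudo stty:*)"` and `"Bash(systemctl restart:*)"` let the assistant install arbitrary packages and restart arbitrary units without a prompt; if that is intentional, narrowing them to the specific packages and units in use keeps the allowlist auditable. The name `settings.local.json` suggests a per-machine file, so it is worth confirming it is meant to be tracked in the repository rather than ignored.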
@@ -212,7 +212,7 @@ To expose Streamlit apps via HAProxy vhost:
 uci add haproxy backend
 uci set haproxy.@backend[-1].name='streamlit_myapp'
 uci set haproxy.@backend[-1].mode='http'
-uci add_list haproxy.@backend[-1].server='myapp 127.0.0.1:8502'
+uci add_list haproxy.@backend[-1].server='myapp 192.168.255.1:8502'
 uci commit haproxy
 # Add vhost