HAProxy doesn't seem to respect SNI anymore?

Started by rkubes, February 02, 2024, 08:11:19 PM

February 02, 2024, 08:11:19 PM Last Edit: February 02, 2024, 08:20:29 PM by rkubes
I have two different certs, one for mydomain.com, and one for www.mydomain.com (examples of course, but the subdomains are correct)

These are both loaded in HAProxy for my server, and I'm using HAProxy essentially as a gateway so that the SSL management is done within OPNsense.

On 23.x versions, this all worked without issue. HAProxy would provide the correct cert for whatever site was accessed (i.e. with or without the www. subdomain).

I upgraded to 24.1 last night, and now if I access mydomain.com, HAProxy is providing the cert for www.mydomain.com, and thus the browser raises a warning. It seems like potentially HAProxy is using the default cert rather than the other one loaded specifically for that subdomain.

Are there any configurations that are known to need to be adjusted for HAProxy after the 24.1 upgrade? Or any that I can double check to ensure they're set correctly?

This issue only happens within my network, since the DNS is routed directly to the firewall. Outside of my network I proxy through Cloudflare, and they have their own cert on the proxy with a wildcard.

I know I can potentially look at also doing a wildcard cert on my end, but I'd prefer to keep the individual certs for now and rely on SNI to pick the right cert.

Edit:
I did a search for HAProxy and didn't find the other posts, but have since found through Google this is indeed broken with 24.1
https://github.com/opnsense/plugins/issues/3779#issuecomment-1917956814
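A way to confirm the behaviour described above from inside the network, written as an added example (not from the thread or the OPNsense plugin): it sends each hostname as SNI to the firewall and reports whether the certificate handed back actually covers that name. It assumes the openssl CLI is installed; FIREWALL_IP is a placeholder for the address the internal DNS resolves to.

```shell
#!/bin/sh
# Added example: query a TLS endpoint with a given SNI name and check
# whether the certificate it returns covers that name.

# Print the names (SAN DNS entries plus subject CN) of the certificate
# that $1:$3 serves when the client sends SNI name $2.
served_cert_names() {
    cert=$(openssl s_client -connect "$1:${3:-443}" -servername "$2" \
               </dev/null 2>/dev/null | openssl x509 2>/dev/null) || return 1
    [ -n "$cert" ] || return 1
    printf '%s\n' "$cert" | openssl x509 -noout -text \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^[:space:]]*\).*/\1/p'
    printf '%s\n' "$cert" | openssl x509 -noout -subject \
        | sed -n 's/.*CN *= *\([^,\/]*\).*/\1/p'
}

# Return 0 if host $1 is covered by one of the certificate names $2...,
# using the single-label wildcard rule: *.example.com covers a.example.com
# but neither example.com nor a.b.example.com.
cert_covers_host() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
    for n in "$@"; do
        n=$(printf '%s' "$n" | tr 'A-Z' 'a-z')
        case $n in
            \*.*)
                suffix=${n#\*.}
                rest=${host%".$suffix"}
                # host ends in ".$suffix" and what remains is exactly one label
                if [ "$rest" != "$host" ] && [ -n "$rest" ] \
                   && [ "${rest#*.}" = "$rest" ]; then return 0; fi ;;
            *) [ "$n" = "$host" ] && return 0 ;;
        esac
    done
    return 1
}

# Report OK or MISMATCH for one SNI name: status 1 on mismatch, 2 if no cert.
check_sni() {
    names=$(served_cert_names "$1" "$2" "$3") || { echo "$2: no certificate"; return 2; }
    if cert_covers_host "$2" $names; then
        echo "$2: OK, served $(echo $names)"     # unquoted echo joins the lines
    else
        echo "$2: MISMATCH, served $(echo $names)"; return 1
    fi
}

# Usage: sh check_sni.sh FIREWALL_IP mydomain.com www.mydomain.com
if [ "$#" -ge 2 ]; then
    target=$1; shift; rc=0
    for sni in "$@"; do check_sni "$target" "$sni" || rc=1; done
    exit $rc
fi
```

A MISMATCH line for mydomain.com while www.mydomain.com reports OK is the symptom from the post: the default certificate is being served instead of the SNI-selected one.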