From 51281782568597c557e2210897ca444a198e4c13 Mon Sep 17 00:00:00 2001 From: Maximilian Moehl Date: Thu, 26 Jun 2025 16:08:03 +0200 Subject: [PATCH] DOC: config: crt-list clarify default cert + cert-bundle Clarify that HAProxy duplicates crt-list entries for multi-cert bundles which can create unexpected side-effects as only the very first certificate after duplication is considered as default implicitly. --- doc/configuration.txt | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/configuration.txt b/doc/configuration.txt index c5d20e697..999564e5e 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -16583,6 +16583,10 @@ crt-list configuration, the default certificates could be explicited (with a '*' filter) at the beginning of the list, so an implicit default is not added before. + Due to multi-cert bundles being duplicated for each algorithm in the + crt-list, only one algorithm will occupy the first line in the crt-list and + be considered as default. Either specify the entire bundle as default by + declaring '*' as the filter or setting it on the bind line. The "show ssl sni" command on the stats socket could be used to debug your configuration. (See "show ssl sni" in the management guide)
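Review bot: In the last added sentence, "or setting it on the bind line" does not say what "it" is or which bind keyword is meant, so a reader cannot act on the second option. Name the keyword explicitly and make the two alternatives parallel, for example "Either declare the entire bundle as default with a '*' filter, or declare it on the bind line with <keyword>". The first added sentence also leaves open which algorithm ends up on the first line after duplication. Either state the order, or say that it should not be relied on and point to the "show ssl sni" sentence that follows as the way to check which certificate became the default. A short crt-list snippet showing a bundle entry with the '*' filter would make the recommended form unambiguous.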