Unexpected 500 on /services/haproxy/runtime/ssl_certs when resource already exists #400

@mpenny-github

Expected behaviour

Per https://www.haproxy.com/documentation/dataplaneapi/community/?v=v3#post-/services/haproxy/runtime/ssl_certs post /services/haproxy/runtime/ssl_certs should return a 409 if "the specified resource already exists".

Actual behavior

Returns a 500 instead:

curl -s --unix-socket "/data/run/dataplaneapi.sock" "http://localhost/v3/services/haproxy/runtime/ssl_certs" -v
*   Trying /data/run/dataplaneapi.sock:0...
* Connected to localhost (/data/run/dataplaneapi.sock) port 80 (#0)
> GET /v3/services/haproxy/runtime/ssl_certs HTTP/1.1
> Host: localhost
> User-Agent: curl/7.86.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Configuration-Version: 1
< Content-Type: application/json
< Vary: Origin
< Date: Fri, 23 Jan 2026 13:40:44 GMT
< Content-Length: 1381
< 
{ [1381 bytes data]
* Connection #0 to host localhost left intact
[{"description":"example.com","storage_name":"/data/haproxy/ssl/example.com"}]
curl -s --unix-socket "/data/run/dataplaneapi.sock" "http://localhost/v3/services/haproxy/runtime/ssl_certs" -X POST -F "file_upload=@/data/haproxy/ssl/example.com" -v
*   Trying /data/run/dataplaneapi.sock:0...
* Connected to localhost (/data/run/dataplaneapi.sock) port 80 (#0)
> POST /v3/services/haproxy/runtime/ssl_certs HTTP/1.1
> Host: localhost
> User-Agent: curl/7.86.0
> Accept: */*
> Content-Length: 3480
> Content-Type: multipart/form-data; boundary=------------------------914ee16b89929b78
> 
} [3480 bytes data]
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse
< HTTP/1.1 500 Internal Server Error
< Configuration-Version: 1
< Content-Type: application/json
< Vary: Origin
< Date: Fri, 23 Jan 2026 13:40:20 GMT
< Content-Length: 153
< 
{ [153 bytes data]
* Connection #0 to host localhost left intact
{"code":500,"message":"/tmp/admin.sock [3]  Certificate 'example.com' already exists! [new ssl cert example.com] general error"}

Additional information

haproxy.cfg:

global
  stats socket /tmp/admin.sock mode 600 level admin


defaults www_defaults
  mode http

userlist haproxy-dataplaneapi

resolvers docker
  nameserver dnsmasq 127.0.0.11:53

frontend www from www_defaults
  bind *:8888
  bind *:8443 ssl crt /data/haproxy/ssl/

  http-request set-var(txn.path_config) path,map_reg(opt@/data/haproxy/maps/path_percentage_routing.map)
  http-request set-var(txn.backend_key) var(txn.path_config),field(2,|) 
  acl has_dynamic_backend var(txn.backend_key) -m found

  use_backend %[var(txn.backend_key)] if has_dynamic_backend

  default_backend legacy

backend legacy from www_defaults
  server app app:8001 check resolvers docker resolve-prefer ipv4

backend backend1 from www_defaults
  http-request return status 200 content-type "text/plain" lf-string "200 OK" hdr "X-Backend" "backend1"

backend backend2 from www_defaults
  http-request return status 200 content-type "text/plain" lf-string "200 OK" hdr "X-Backend" "backend2"

dataplaneapi.yaml:

config_version: 2
name: 40a1dac72c2f
dataplaneapi:
  show_system_info: true
  socket_path: /data/run/dataplaneapi.sock
  host: 127.0.0.1
  disable_inotify: true
  advertised:
    api_address: ""
    api_port: 0
  scheme:
  - unix
  userlist:
    userlist: controller
    userlist_file: ""
  transaction:
    transaction_dir: /data/dataplaneapi/transactions
    backups_number: 10
    backups_dir: /data/dataplaneapi/backups
    max_open_transactions: 10
  resources:
    maps_dir: /data/haproxy/maps
    ssl_certs_dir: /data/haproxy/ssl
    general_storage_dir: /data/dataplaneapi/general
    dataplane_storage_dir: /data/dataplaneapi/dataplane
    spoe_dir: /data/dataplaneapi/spoe
haproxy:
  config_file: /data/haproxy/haproxy.cfg
  haproxy_bin: /usr/sbin/haproxy
  reload:
    reload_delay: 5
    service_name: /run/service/haproxy
    reload_strategy: s6
log_targets:
- log_to: stdout
  log_level: debug
  log_format: text
  log_types:
  - app
  - access
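
Added example, not part of the original report and not Data Plane API code: a client-side check that treats both the documented 409 and the 500 shown above as "certificate already loaded", so an upload script can stay idempotent. The helper names are hypothetical, and matching on the text "already exists" is an assumption based only on the error body in this issue.

```python
import http.client
import json
import socket

# Response bodies copied from the issue above (GET list, POST error).
LIST_BODY = '[{"description":"example.com","storage_name":"/data/haproxy/ssl/example.com"}]'
ERR_BODY = ('{"code":500,"message":"/tmp/admin.sock [3]  Certificate \'example.com\' '
            'already exists! [new ssl cert example.com] general error"}')
CERTS_PATH = "/v3/services/haproxy/runtime/ssl_certs"


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client over a Unix socket, the equivalent of curl --unix-socket."""

    def __init__(self, sock_path, timeout=5):
        super().__init__("localhost", timeout=timeout)
        self.sock_path = sock_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(self.timeout)
        self.sock.connect(self.sock_path)


def loaded_certs(list_body):
    """Map certificate description -> storage_name from the GET response."""
    return {c["description"]: c["storage_name"] for c in json.loads(list_body)}


def is_conflict(status, body):
    """True if a POST failed because the certificate is already loaded."""
    if status == 409:  # documented behaviour
        return True
    if status != 500:
        return False
    try:  # observed behaviour: 500 wrapping the runtime socket error
        message = str(json.loads(body).get("message", ""))
    except (ValueError, AttributeError):
        return False
    return "already exists" in message  # assumption: wording as in this issue


def fetch_loaded_certs(sock_path):
    """GET the runtime certificate list from a live Data Plane API socket."""
    conn = UnixHTTPConnection(sock_path)
    try:
        conn.request("GET", CERTS_PATH)
        return loaded_certs(conn.getresponse().read())
    finally:
        conn.close()
```

Checking `fetch_loaded_certs("/data/run/dataplaneapi.sock")` before the POST avoids the error path entirely; `is_conflict` covers the case where another client loads the certificate between the check and the upload.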
