Dynamic ssl certificate ? (wildcard+ multiple different certs)

W-Mark Kubacki wmark+nginx at hurrikane.de
Thu Jan 9 16:40:35 UTC 2014


Certificates are selected and presented by the server before the
client even has the chance to send any cookies, the latter
happening after the »TLS handshake«.

2014/1/9 Larry <nginx-forum at nginx.us>:
> Hello,
>
> Here is my current conf
>
> server {
>                 listen   443;
>
>                 server_name ~^(.*)\.sub\.domain\.com$;
>
>                 ssl    on;
>                 ssl_certificate    $cookie_ident/$1.crt;
>                 ssl_certificate_key    $cookie_ident/$1.key;
>                 server_tokens off;
>
>                 ssl_protocols TLSv1.2 TLSv1.1 TLSv1 SSLv3;
>                 ssl_prefer_server_ciphers on;
>                 ssl_session_timeout 5m;
>                 ssl_session_cache builtin:1000 shared:SSL:10m;
>
>                 ssl_ciphers
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:RC4-SHA;
>
>
>                 autoindex off;
>                 root /upla/http/www.domain.com;
>                 port_in_redirect off;
>                 expires 10s;
>                 #add_header Cache-Control "no-cache,no-store";
>                 #expires max;
>         add_header Pragma public;
>         add_header Cache-Control "public";
>
>                 location / {
>
>                         try_files $uri /$request_uri =404;
>
>                 }
>
> }
>
> I would like to be able to "load" the right cert according to the cookie set
> and request uri.
>
> A sort of dynamic setting.
>
> But of course, when I start nginx, it complains :
> SSL: error:02001002:system library:fopen:No such file or directory:
>
> Perfectly normal since $cookie_ident is empty and no subdomain has been
> requested.
>
> So, what is the workaround I could use to avoid creating one file per new
> (self-signed)certificate issued ?
>
> I cannot use only one certificate for all since I have to be able to revoke
> the certs with granularity.
>
>
> How should I make it work ?
>
> Thanks
>
> Posted at Nginx Forum: http://forum.nginx.org/read.php?2,246178,246178#msg-246178
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
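As an added example (not part of the original thread or of nginx's documentation), the configuration below shows the selector that actually is available when the certificate is chosen: the SNI hostname carried in the TLS ClientHello. Cookies and the request URI arrive only after the handshake, so they cannot drive `ssl_certificate`. Per-subdomain certificates keep revocation granular. The certificate paths and the hostnames are assumed placeholders.

```nginx
# Added example, not from the original thread. Paths and names are assumed.
# The server block (and thus the certificate) is picked by the SNI hostname
# during the TLS handshake, before any HTTP request or cookie is sent.

# Variant 1: one server block per subdomain with static paths.
# Works on any nginx built with SNI support; each subdomain has its own
# key pair, so a single certificate can be revoked without touching the rest.
server {
    listen 443 ssl;
    server_name a.sub.domain.com;

    ssl_certificate     /etc/nginx/certs/a.sub.domain.com.crt;
    ssl_certificate_key /etc/nginx/certs/a.sub.domain.com.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    root /upla/http/www.domain.com;
    location / {
        try_files $uri /$request_uri =404;
    }
}

# Variant 2: nginx 1.15.9 or later allows variables in ssl_certificate and
# ssl_certificate_key. The named capture from server_name is filled in from
# the SNI hostname, so one block can map each subdomain to its own file.
# The character class restricts what can end up in the file path, and nginx
# notes that a certificate is loaded on every handshake when variables are
# used, which costs some performance.
server {
    listen 443 ssl;
    server_name ~^(?<sub>[a-z0-9-]+)\.sub\.domain\.com$;

    ssl_certificate     /etc/nginx/certs/$sub.crt;
    ssl_certificate_key /etc/nginx/certs/$sub.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    root /upla/http/www.domain.com;
    location / {
        try_files $uri /$request_uri =404;
    }
}

# Fallback for clients that send no SNI or an unknown name: present a
# generic certificate and refuse to serve content (444 closes the connection).
server {
    listen 443 ssl default_server;
    server_name _;

    ssl_certificate     /etc/nginx/certs/fallback.crt;
    ssl_certificate_key /etc/nginx/certs/fallback.key;

    return 444;
}
```

Whichever variant is used, a cookie can only be evaluated after the handshake completes, at the HTTP level (for example in a `location` or `if ($cookie_ident ...)` test), so the cookie decides what a request may access, never which certificate is presented.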