ssl_trusted_certificate doesn't accept @server_name variable
devCU
nginx-forum at forum.nginx.org
Mon Jun 3 09:42:22 UTC 2019
The following works as advertised in my vhost server block
ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/mydomain.com/chain.pem;
To better automate vhosts en masse I tried using the $server_name variable
server_name mydomain.com;
ssl_certificate /etc/letsencrypt/live/$server_name/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$server_name/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/$server_name/chain.pem;
Nginx failed but this works
server_name mydomain.com;
ssl_certificate /etc/letsencrypt/live/$server_name/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$server_name/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/mydomain.com/chain.pem;
If ssl_certificate and ssl_certificate accept the $server_name variable then
how come ssl_trusted_certificate doesn't?
Here's the error on Ubuntu 18.04.2 running Nginx 1.17.0 source compiled with
OpenSSL 1.1.1c
Jun 03 05:34:22 cloud systemd[1]: Starting The NGINX HTTP and reverse proxy server...
Jun 03 05:34:22 cloud nginx[12646]: nginx: [emerg] SSL_CTX_load_verify_locations("/etc/letsencrypt/live/$server_name/chain.pem") failed (SSL: error:02001002:system library:
Jun 03 05:34:22 cloud nginx[12646]: nginx: configuration file /etc/nginx/nginx.conf test failed
Jun 03 05:34:22 cloud systemd[1]: nginx.service: Control process exited, code=exited status=1
Jun 03 05:34:22 cloud systemd[1]: nginx.service: Failed with result 'exit-code'.
Jun 03 05:34:22 cloud systemd[1]: Failed to start The NGINX HTTP and reverse proxy server.
ssl_certificate and ssl_certificate_key parse the variable $server_name and
the correct paths to the domain's SSL certs are validated.
Seems odd to me. Thanks for any explanation
~Gary
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,284410,284410#msg-284410
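
A pre-reload check for the failure shown in the log above, as an added example that is not part of the original post or of nginx: it flags ssl_trusted_certificate arguments that contain a variable, which the log shows being handed to SSL_CTX_load_verify_locations() as a literal path. The function names and the sample config are constructed for illustration.

```python
import re

# Directive whose file argument reached OpenSSL unexpanded in the post above
# (nginx 1.17.0). Assumption: extend this set after testing your own build.
LITERAL_PATH_DIRECTIVES = {"ssl_trusted_certificate"}

# Constructed sample mirroring the failing vhost from the post, including a
# directive wrapped over two lines and a commented-out directive.
SAMPLE_CONF = """
server {
    server_name mydomain.com;
    ssl_certificate /etc/letsencrypt/live/$server_name/fullchain.pem;
    ssl_certificate_key
        /etc/letsencrypt/live/$server_name/privkey.pem;
    # ssl_trusted_certificate /etc/letsencrypt/live/$server_name/old.pem;
    ssl_trusted_certificate
        /etc/letsencrypt/live/$server_name/chain.pem;
}
"""

def strip_comments(text):
    """Blank out '#' comments but keep every line, so line numbers stay valid.
    Simplification: a '#' inside a quoted argument is also treated as a comment."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def find_unexpanded_variables(conf_text):
    """Return (line_no, directive, argument) for each flagged directive."""
    findings = []
    text = strip_comments(conf_text)
    # A statement is everything between ';', '{' and '}', so a directive that
    # wraps onto the next line is still read as one unit.
    for m in re.finditer(r"[^;{}]+", text):
        tokens = m.group().split()
        if len(tokens) < 2 or tokens[0] not in LITERAL_PATH_DIRECTIVES:
            continue
        arg = tokens[1].strip("\"'")
        if "$" in arg:
            # Report the line where the directive name itself starts.
            offset = m.start() + len(m.group()) - len(m.group().lstrip())
            line_no = text.count("\n", 0, offset) + 1
            findings.append((line_no, tokens[0], arg))
    return findings

if __name__ == "__main__":
    for line_no, name, arg in find_unexpanded_variables(SAMPLE_CONF):
        print(f"line {line_no}: {name} has a variable in its path: {arg}")
```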