Dynamic SSL certificate? (wildcard + multiple different certs)
W-Mark Kubacki
wmark+nginx at hurrikane.de
Thu Jan 9 16:40:35 UTC 2014
Certificates are selected and presented by the server before the
client even has the chance to send any cookies, the latter
happening after the »TLS handshake«.
2014/1/9 Larry <nginx-forum at nginx.us>:
> Hello,
>
> Here is my current conf
>
> server {
> listen 443;
>
> server_name ~^(.*)\.sub\.domain\.com$;
>
> ssl on;
> ssl_certificate $cookie_ident/$1.crt;
> ssl_certificate_key $cookie_ident/$1.key;
> server_tokens off;
>
> ssl_protocols TLSv1.2 TLSv1.1 TLSv1 SSLv3;
> ssl_prefer_server_ciphers on;
> ssl_session_timeout 5m;
> ssl_session_cache builtin:1000 shared:SSL:10m;
>
> ssl_ciphers
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:RC4-SHA;
>
>
> autoindex off;
> root /upla/http/www.domain.com;
> port_in_redirect off;
> expires 10s;
> #add_header Cache-Control "no-cache,no-store";
> #expires max;
> add_header Pragma public;
> add_header Cache-Control "public";
>
> location / {
>
> try_files $uri /$request_uri =404;
>
> }
>
> }
>
> I would like to be able to "load" the right cert according to the cookie set
> and request uri.
>
> A sort of dynamic setting.
>
> But of course, when I start nginx, it complains :
> SSL: error:02001002:system library:fopen:No such file or directory:
>
> Perfectly normal since $cookie_ident is empty and no subdomain has been
> requested.
>
> So, what is the workaround I could use to avoid creating one file per new
> (self-signed)certificate issued ?
>
> I cannot use only one certificate for all since I have to be able to revoke
> the certs with granularity.
>
>
> How should I make it work ?
>
> Thanks
>
> Posted at Nginx Forum: http://forum.nginx.org/read.php?2,246178,246178#msg-246178
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
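The ordering the reply points out, shown end to end as an added example (my own Go program, not code from the thread or from nginx): the server must pick a certificate while processing the ClientHello, where the only application-level hint available is the SNI name, and the Cookie header is not readable until the handshake has finished and the HTTP request arrives over the encrypted session. The two host names, the self-signed certificates and the cookie value `ident=cust42` are constructed for the demo. A request for a name with no certificate fails the handshake, which is the failure mode a per-subdomain setup has to plan for.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/http"
	"strings"
	"time"
)

// Constructed sample names: one certificate each, like one nginx server block per name.
var hostnames = []string{"alice.sub.domain.com", "bob.sub.domain.com"}

// certStore maps a lower-cased server name to the certificate issued for it.
type certStore map[string]tls.Certificate

// selfSigned builds a throwaway SAN-only ECDSA certificate for name (demo material only).
func selfSigned(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, _ := x509.ParseCertificate(der) // re-parsing bytes we just encoded cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// newStore issues one certificate per name; key generation failing is fatal for a demo.
func newStore(names []string) certStore {
	s := certStore{}
	for _, n := range names {
		c, err := selfSigned(n)
		if err != nil {
			panic(err)
		}
		s[strings.ToLower(n)] = c
	}
	return s
}

// Select runs inside the handshake. The ClientHello carries the SNI name and
// nothing from the application layer: no cookie and no request URI exist yet.
func (s certStore) Select(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	if c, ok := s[strings.ToLower(hello.ServerName)]; ok {
		return &c, nil
	}
	return nil, fmt.Errorf("no certificate for server name %q", hello.ServerName)
}

// Handshake runs a local TLS server, connects to it with the given SNI and returns the
// DNS name of the served certificate plus the cookie the server read after the handshake.
func Handshake(store certStore, sni string) (served, cookie string, err error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{GetCertificate: store.Select})
	if err != nil {
		return "", "", err
	}
	defer ln.Close()
	seen := make(chan string, 1)
	go func() { // server side: ReadRequest drives the handshake first; headers exist only after it
		got := ""
		if conn, err := ln.Accept(); err == nil {
			defer conn.Close()
			if req, err := http.ReadRequest(bufio.NewReader(conn)); err == nil {
				got = req.Header.Get("Cookie")
			}
		}
		seen <- got
	}()
	roots := x509.NewCertPool() // trust the demo certificates explicitly instead of skipping verification
	for _, c := range store {
		roots.AddCert(c.Leaf)
	}
	client, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: sni, RootCAs: roots})
	if err != nil {
		return "", "", err // unknown SNI: the server aborted the handshake with an alert
	}
	defer client.Close()
	served = client.ConnectionState().PeerCertificates[0].DNSNames[0]
	// Only now, over the established session, does the cookie travel to the server.
	fmt.Fprintf(client, "GET / HTTP/1.0\r\nHost: %s\r\nCookie: ident=cust42\r\n\r\n", sni)
	return served, <-seen, nil
}

func main() {
	store := newStore(hostnames)
	for _, name := range append(hostnames, "nobody.sub.domain.com") {
		fmt.Println(Handshake(store, name))
	}
}
```

nginx makes the same decision the same way: it chooses the `server` block from the SNI value during the handshake, so one `server` block per subdomain, each with a static `ssl_certificate` path, gives per-name certificates that can be revoked individually, while `$cookie_ident` is empty at that point no matter what. Releases from 1.15.9 onward do accept variables in `ssl_certificate` and `ssl_certificate_key`, but only ones that exist at handshake time, such as `$ssl_server_name`. Separately from the question, the quoted `ssl_protocols` and `ssl_ciphers` lines enable SSLv3 and RC4, neither of which should be offered today.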