ssl_trusted_certificate doesn't accept @server_name variable

Maxim Dounin mdounin at mdounin.ru
Mon Jun 3 12:46:08 UTC 2019


Hello!

On Mon, Jun 03, 2019 at 05:42:22AM -0400, devCU wrote:

> The following works as advertised in my vhost server block
> 
>         ssl_certificate         /etc/letsencrypt/live/mydomain.com/fullchain.pem;
>         ssl_certificate_key     /etc/letsencrypt/live/mydomain.com/privkey.pem;
>         ssl_trusted_certificate /etc/letsencrypt/live/mydomain.com/chain.pem;
> 
> To better automate vhosts en mass I tried using the $server_name variable
> 
>        server_name mydomain.com;
> 
>         ssl_certificate         /etc/letsencrypt/live/$server_name/fullchain.pem;
>         ssl_certificate_key     /etc/letsencrypt/live/$server_name/privkey.pem;

This is generally a bad change.  You shouldn't use variables just 
to save you from writing the same name in the appropriate 
directives.  See here for a detailed explanation and suggestions:

http://nginx.org/en/docs/faq/variables_in_config.html

>         ssl_trusted_certificate /etc/letsencrypt/live/$server_name/chain.pem;

This is not going to work, as the ssl_trusted_certificate 
directive does not support variables.

[...]

> If ssl_certificate and ssl_certificate accept the $server_name variable then
> how come ssl_trusted_certificate doesn't?

Variables support in the ssl_certificate and ssl_certificate_key 
directives addresses a specific use case when one cannot write a 
static configuration with pre-existing certificates - e.g., when 
certificates are added on a regular basis, and it is not possible 
to reload the nginx configuration at such a rate.  Such a use case 
is unlikely to be applicable to ssl_trusted_certificate, and hence 
there are no plans to add variables support to the 
ssl_trusted_certificate directive.

-- 
Maxim Dounin
http://mdounin.ru/
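The approach the reply points to, generating static per-vhost blocks instead of using $server_name in the ssl_* paths, as an added example that is not from this thread or from nginx itself. It assumes the Let's Encrypt live/ layout shown in the question; LIVE_DIR is a hypothetical override so it can be run against a test directory.

```shell
#!/bin/sh
# Added example: emit one static server block per domain so that every
# ssl_* directive, including ssl_trusted_certificate, gets a literal path.
# Assumption: certificates live under $LIVE_DIR/<domain>/ (Let's Encrypt layout).
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"

# Print a server block with the paths written out in full (no variables).
gen_vhost() {
    domain="$1"
    cat <<EOF
server {
    listen 443 ssl;
    server_name $domain;

    ssl_certificate         $LIVE_DIR/$domain/fullchain.pem;
    ssl_certificate_key     $LIVE_DIR/$domain/privkey.pem;
    ssl_trusted_certificate $LIVE_DIR/$domain/chain.pem;
}
EOF
}

# Return 0 only if all three files the block references are readable, so a
# missing chain.pem is reported here rather than failing at reload time.
check_certs() {
    domain="$1"
    for f in fullchain.pem privkey.pem chain.pem; do
        if [ ! -r "$LIVE_DIR/$domain/$f" ]; then
            echo "missing $LIVE_DIR/$domain/$f" >&2
            return 1
        fi
    done
    return 0
}

# Read domains from stdin, one per line; write <outdir>/<domain>.conf for
# each domain whose certificates are complete. Returns 1 if any was skipped.
gen_all() {
    outdir="$1"
    rc=0
    while read -r domain || [ -n "$domain" ]; do
        [ -n "$domain" ] || continue
        if check_certs "$domain"; then
            gen_vhost "$domain" > "$outdir/$domain.conf"
        else
            rc=1
        fi
    done
    return $rc
}
```

Run `nginx -t` after generating the files and before reloading, since the generated blocks are ordinary static configuration.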