ssl_trusted_certificate doesn't accept @server_name variable

Maxim Dounin mdounin at
Mon Jun 3 12:46:08 UTC 2019


On Mon, Jun 03, 2019 at 05:42:22AM -0400, devCU wrote:

> The following works as advertised in my vhost server block
>         ssl_certificate  /etc/letsencrypt/live/;
>         ssl_certificate_key /etc/letsencrypt/live/;
>         ssl_trusted_certificate /etc/letsencrypt/live/;
> To better automate vhosts en masse I tried using the $server_name variable
>        server_name;
>         ssl_certificate  /etc/letsencrypt/live/$server_name/fullchain.pem;
>         ssl_certificate_key /etc/letsencrypt/live/$server_name/privkey.pem;

This is generally a bad change.  You shouldn't use variables just 
to save you from writing the same name in the appropriate 
directives.  See here for a detailed explanation and suggestions:

>         ssl_trusted_certificate /etc/letsencrypt/live/$server_name/chain.pem;

This is not going to work, as the ssl_trusted_certificate 
directive does not support variables.


> If ssl_certificate and ssl_certificate accept the $server_name variable then
> how come ssl_trusted_certificate doesn't?

Variable support in the ssl_certificate and ssl_certificate_key 
directives addresses a specific use case when one cannot write a 
static configuration with pre-existing certificates - e.g., when 
certificates are added on a regular basis, and it is not possible 
to reload the nginx configuration at such a rate.  Such a use case is 
unlikely to be applicable to ssl_trusted_certificate, and hence 
there are no plans to add variable support to the 
ssl_trusted_certificate directive.

Maxim Dounin
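Since ssl_trusted_certificate takes no variables, the automation the original poster wanted can be done by generating static per-vhost server blocks from the certificate directories instead. The script below is an added example, not nginx's or certbot's own code; it assumes the standard certbot layout under /etc/letsencrypt/live (overridable via LIVE_ROOT), and the listen port and stapling directives are assumed defaults.

```shell
#!/bin/sh
# Added example: emit one static nginx server block per certificate directory
# found under a Let's Encrypt "live" root, so that every certificate path is a
# literal string and ssl_trusted_certificate works as documented.
set -eu

# Assumption: standard certbot layout; override with LIVE_ROOT=/path sh script.sh
LIVE_ROOT="${LIVE_ROOT:-/etc/letsencrypt/live}"

# Print a static server block for one hostname. No $server_name in paths.
gen_vhost() {
    name="$1"
    cat <<EOF
server {
    listen 443 ssl;
    server_name ${name};
    ssl_certificate         ${LIVE_ROOT}/${name}/fullchain.pem;
    ssl_certificate_key     ${LIVE_ROOT}/${name}/privkey.pem;
    # chain.pem is the issuer chain used to verify OCSP stapling responses
    ssl_trusted_certificate ${LIVE_ROOT}/${name}/chain.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
}
EOF
}

# Write <out_dir>/<name>.conf for every directory under LIVE_ROOT that holds
# all three files; incomplete directories are skipped so nginx -t never sees a
# block pointing at a missing file. Prints the number of blocks written.
gen_all() {
    out_dir="$1"
    mkdir -p "$out_dir"
    count=0
    for dir in "$LIVE_ROOT"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        if [ -f "$dir/fullchain.pem" ] && [ -f "$dir/privkey.pem" ] \
           && [ -f "$dir/chain.pem" ]; then
            gen_vhost "$name" > "$out_dir/$name.conf"
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Usage: sh gen_vhosts.sh /etc/nginx/conf.d/vhosts  (then run: nginx -t)
if [ "$#" -ge 1 ]; then
    gen_all "$1"
fi
```

Include the output directory from nginx.conf with a plain `include /etc/nginx/conf.d/vhosts/*.conf;` and rerun the script after each certificate issuance; a reload is still needed, which is the static-configuration trade-off the reply above describes.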
