loading ssl_certificate from a variable

Sergey Kandaurov pluknet at nginx.com
Wed Jun 23 14:22:45 UTC 2021


> On 23 Jun 2021, at 16:29, daveb <nginx-forum at forum.nginx.org> wrote:
> 
> Hello,
> 
> I'm trying to load the cert/key from a variable, based on the documentation
> here:
> 
> https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate
> 
> Using this configuration:
> 
> <snip>
> server {
>        listen       19099 ssl;
> 
>        set $mycert "-----BEGIN CERTIFICATE----- ...";
>        set $mypkey "-----BEGIN PRIVATE KEY----- ...";
>        ssl_certificate "data:$mycert";  
>        ssl_certificate_key "data:$mypkey";
> 
> <snip>
> 
> When I connect to port 19099, nginx reports this error (v 1.19.7)
> 
> [error] 16408#0: *1 cannot load certificate "data:": PEM_read_bio_X509_AUX()
> failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting:
> TRUSTED CERTIFICATE) while SSL handshaking, client: 127.0.0.1, server:
> 0.0.0.0:19099

The error indicates an empty value.
This is because "set" variables are not yet handled while SSL handshaking.
You might want to replace it with e.g. geo or map that use global context.

The more intended way is loading certificates with perl or njs:
https://hg.nginx.org/nginx-tests/file/tip/ssl_certificate_perl.t

-- 
Sergey Kandaurov
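The map-based replacement suggested in the reply above could look like the following. This is an added example, not configuration from the thread or from the nginx project; the hostname `a.example.test` and all PEM bodies are constructed placeholders, and selecting the value by `$ssl_server_name` is an assumption made for illustration.

```nginx
# Added example (not from the original thread). PEM bodies are placeholders.
http {
    # map is declared at http level and its result is computed when the
    # variable is first read, so it is available during the TLS handshake.
    # "set" belongs to the rewrite module and only runs once a request is
    # being processed, which is why the handshake saw an empty "data:" value.
    map $ssl_server_name $mycert {
        # constructed hostname; one entry per SNI name that needs its own cert
        a.example.test "-----BEGIN CERTIFICATE-----
...placeholder for host-specific certificate...
-----END CERTIFICATE-----";
        # used when no SNI name is sent or no entry matches
        default "-----BEGIN CERTIFICATE-----
...placeholder for default certificate...
-----END CERTIFICATE-----";
    }

    map $ssl_server_name $mypkey {
        a.example.test "-----BEGIN PRIVATE KEY-----
...placeholder for host-specific key...
-----END PRIVATE KEY-----";
        default "-----BEGIN PRIVATE KEY-----
...placeholder for default key...
-----END PRIVATE KEY-----";
    }

    server {
        listen 19099 ssl;

        # With variables here, nginx loads the certificate on each handshake.
        # The nginx documentation notes that misuse of "data:" can write
        # secret key data to the error log, so restrict access to both this
        # file and the error log.
        ssl_certificate     "data:$mycert";
        ssl_certificate_key "data:$mypkey";
    }
}
```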


