loading ssl_certificate from a variable
Sergey Kandaurov
pluknet at nginx.com
Wed Jun 23 14:22:45 UTC 2021
> On 23 Jun 2021, at 16:29, daveb <nginx-forum at forum.nginx.org> wrote:
>
> Hello,
>
> I'm trying to load the cert/key from a variable, based on the documentation
> here:
>
> https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate
>
> Using this configuration:
>
> <snip>
> server {
> listen 19099 ssl;
>
> set $mycert "-----BEGIN CERTIFICATE----- ...";
> set $mypkey "-----BEGIN PRIVATE KEY----- ...";
> ssl_certificate "data:$mycert";
> ssl_certificate_key "data:$mypkey";
>
> <snip>
>
> When I connect to port 19099, nginx reports this error (v 1.19.7)
>
> [error] 16408#0: *1 cannot load certificate "data:": PEM_read_bio_X509_AUX()
> failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting:
> TRUSTED CERTIFICATE) while SSL handshaking, client: 127.0.0.1, server:
> 0.0.0.0:19099
The error indicates an empty value.
This is because "set" variables are not yet handled while SSL handshaking.
You might want to replace it with e.g. geo or map that use global context.
The more intended way is loading certificates with perl or njs:
https://hg.nginx.org/nginx-tests/file/tip/ssl_certificate_perl.t
--
Sergey Kandaurov
More information about the nginx
mailing list