Dynamic/Wildcard SSL certificates with SNI ?

Gabriel L. Somlo
January 15, 2015 02:52PM
Hi,

I'm working on a "Web simulator" designed to serve a large number of
web sites on a private, self-contained network, where I'm also in
control of issuing SSL certificates.

The relevant bits of my nginx.conf look like this:

server {
    listen 80 default_server;
    server_name $http_host;
    root /var/www/vservers/$http_host;
    index index.html index.htm;
}

ssl_certificate_key /var/www/vserver_certs/vserver.key;

server {
    listen 443 default_server;
    ssl on;
    ssl_certificate /var/www/vserver_certs/vserver.cer;
    server_name $http_host;
    root /var/www/vservers/$http_host;
    index index.html index.htm;
}


There is no consistency across the set of vserver host names (and
therefore not much to be gained by using wildcards in the certificate
common or alt name fields).

Right now, I'm trying to cram all of my vserver host names into the
alt_names field of the "vserver.cer" certificate, but I'm bumping up
against the 16k limit of the cert file size, after which browsers
start rejecting it with an error.

I'd like to generate per-vserver certs, and dynamically select the
correct certificate file based on the SNI-negotiated server name,
like so:

server {
    listen 443 default_server;
    ssl on;
    ssl_certificate /var/www/vserver_certs/$ssl_server_name.cer;
    server_name $http_host;
    root /var/www/vservers/$http_host;
    index index.html index.htm;
}

but nginx doesn't seem to currently support this (it wants to open the
certificate file at startup time, and doesn't appear to allow variable
expansion in the cert file name :(

The alternative would be to add an https server block for each vserver:

server {
    listen 443;
    ssl_certificate /var/www/vserver_certs/vserver1.foo.com.cer;
    server_name vserver1.foo.com;
    root /var/www/vservers/vserver1.foo.com;
    index index.html index.htm;
}

server {
    listen 443;
    ssl_certificate /var/www/vserver_certs/vserver2.bar.org.cer;
    server_name vserver2.bar.org;
    root /var/www/vservers/vserver2.bar.org;
    index index.html index.htm;
}

...
and so on, relying on SNI to match the correct block. But this could
get out of hand really fast, as I expect to be dealing with several
*thousand* vservers.

Am I missing something when attempting to dynamically use
$ssl_server_name to locate the appropriate certificate file?

If that's not currently possible, is this something of interest to the
rest of the community, and would it be worth bringing up on the
development mailing list?

Thanks much for any help, pointers, ideas, etc!

--Gabriel

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
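Two notes on the question above, added by the editor and not part of the original post. First, nginx versions from 1.15.9 onward accept variables in ssl_certificate and ssl_certificate_key, so a single server block with $ssl_server_name in the file name works on current releases (the certificate is then read from disk on every handshake and is not validated at startup, so a missing or malformed per-host file only shows up as a failed handshake for that host). Second, the per-host approach has a security benefit the post does not mention: one certificate carrying every host name in its alt_names discloses the complete host inventory to any client that connects to any one of them, whereas per-host certificates expose only the name that was asked for.

For nginx builds without variable support, the "one server block per vserver" alternative is still workable at the scale of thousands of hosts if the blocks are generated rather than hand-written. The POSIX shell script below is an added example, not code from the original post or from nginx: it reads host names from standard input, rejects lines that are not plausible DNS names (so a stray line in the host list cannot smuggle directives or path components into the generated config), and writes one https server block per host. The directory layout (/var/www/vserver_certs/<host>.cer, /var/www/vserver_certs/<host>.key, /var/www/vservers/<host>) follows the post; the .key file name per host is an assumption.

```shell
#!/bin/sh
# Added example (editor's, not from the original post): generate one
# https server block per virtual host from a list of host names.
# Assumed layout, following the post:
#   certificate: /var/www/vserver_certs/<host>.cer
#   private key: /var/www/vserver_certs/<host>.key   (assumed name)
#   docroot:     /var/www/vservers/<host>

CERT_DIR=/var/www/vserver_certs
ROOT_DIR=/var/www/vservers

# Accept only host names made of letters, digits, dots and hyphens that
# do not start or end with a dot and contain no empty label. Anything else
# (spaces, semicolons, slashes, ...) is rejected so it cannot end up
# inside a directive or a file path in the generated config.
valid_host() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;
    esac
    return 0
}

# Print a complete https server block for one host name.
server_block() {
    host=$1
    printf 'server {\n'
    printf '    listen 443 ssl;\n'
    printf '    server_name %s;\n' "$host"
    printf '    ssl_certificate     %s/%s.cer;\n' "$CERT_DIR" "$host"
    printf '    ssl_certificate_key %s/%s.key;\n' "$CERT_DIR" "$host"
    printf '    root %s/%s;\n' "$ROOT_DIR" "$host"
    printf '    index index.html index.htm;\n'
    printf '}\n\n'
}

# Read host names (one per line) from stdin and write the blocks to
# stdout; rejected lines are reported on stderr and skipped.
generate_config() {
    while IFS= read -r host || [ -n "$host" ]; do
        if valid_host "$host"; then
            server_block "$host"
        else
            printf 'skipping invalid host name: %s\n' "$host" >&2
        fi
    done
}

# Constructed sample input (not a real host list); the third line is
# deliberately malformed to show the validation step.
SAMPLE_HOSTS='vserver1.foo.com
vserver2.bar.org
bad host'

# Stand-alone demo. Real usage would be:
#   generate_config < hosts.txt > /etc/nginx/conf.d/vservers.conf && nginx -t
if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_HOSTS" | generate_config
fi
```

The generated file is meant to be pulled in with an include directive from the http block, and nginx -t should be run after every regeneration: with per-host blocks the certificate files are opened at startup, so a missing or unreadable file for any one host fails the whole configuration load rather than one host's handshakes.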