On Thu, 15 Jan 2015 21:13:21, Rainer Duffner wrote:
> > Am 15.01.2015 um 20:50 schrieb Gabriel L. Somlo <gsomlo@gmail.com>:
> >
> > There is no consistency across the set of vserver host names (and
> > therefore not much to be gained by using wildcards in the certificate
> > common or alt name fields).
>
> Just issue a certificate for *.*.* and always serve that.
>
> At least, until the CAB-forum decides this is a not a good idea and
> stops browsers from accepting it.
> I think the above certificate should still be legal, but I?m not 100% sure.

I'm afraid it's already too late for that :(

Since some of my vserver names look like "foo.com" and others like
"foo.bar.org", I already tried (using alt_names):

*.*, *.*.*

and

*.com, *.*.com, *.org, *.*.org, *.net, *.*.net

both forms causing warning popups on any recent (windows7-era) browser.

Apparently, the current policy in effect is not to accept tld-wide
wildcards, much less wildcards across ALL tlds ([*.]*.*).

Since I'm already mass-scripting the csr generation and cert signing
for each vserver, it should be really simple to script generating the
corresponding nginx config file, but allowing demand-driven, request-time
loading of certificate files would work around that enormous ugliness :)

Thanks,
--Gabriel

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx