Re: ssl_trusted_certificate doesn't accept @server_name variable

Maxim Dounin
June 03, 2019 08:48AM
Hello!

On Mon, Jun 03, 2019 at 05:42:22AM -0400, devCU wrote:

> The following works as advertised in my vhost server block
>
> ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
> ssl_certificate_key
> /etc/letsencrypt/live/mydomain.com/privkey.pem;
> ssl_trusted_certificate
> /etc/letsencrypt/live/mydomain.com/chain.pem;
>
> To better automate vhosts en masse I tried using the $server_name variable
>
> server_name mydomain.com;
>
> ssl_certificate /etc/letsencrypt/live/$server_name/fullchain.pem;
> ssl_certificate_key
> /etc/letsencrypt/live/$server_name/privkey.pem;

This is generally a bad change. You shouldn't use variables just
to save you from writing the same name in the appropriate
directives. See here for a detailed explanation and suggestions:

http://nginx.org/en/docs/faq/variables_in_config.html

> ssl_trusted_certificate
> /etc/letsencrypt/live/$server_name/chain.pem;

This is not going to work, as the ssl_trusted_certificate
directive does not support variables.

[...]

> If ssl_certificate and ssl_certificate accept the $server_name variable then
> how come ssl_trusted_certificate doesn't?

Variables support in ssl_certificate and ssl_certificate_key
directives addresses a specific use case when one cannot write a
static configuration with pre-existing certificates - e.g., when
certificates are added on a regular basis, and it is not possible
to reload nginx configuration with such a rate. Such use case is
unlikely to be applicable to ssl_trusted_certificate, and hence
there are no plans to add variables support to the
ssl_trusted_certificate directive.

--
Maxim Dounin
http://mdounin.ru/
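
The FAQ linked in the reply above recommends generating configuration with external tools instead of using variables as macros. The following is an added example, not part of the thread or of nginx itself: a POSIX shell generator that writes one server block per domain with literal certificate paths, so ssl_trusted_certificate gets a static file name. The function names, the LE_LIVE variable and the output layout are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: render static per-vhost TLS config instead of expanding
# $server_name at request time. LE_LIVE and the layout are assumptions.
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"

# Accept only plain host names, so a domain string can never smuggle
# nginx syntax (';', '{', spaces) or path traversal ('/', '..') into output.
valid_domain() {
    case "$1" in
        ""|.*|*.|-*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# Print a server block for one domain; every path is a literal string.
render_vhost() {
    domain=$1
    valid_domain "$domain" || { echo "rejected: $domain" >&2; return 1; }
    cat <<EOF
server {
    listen 443 ssl;
    server_name $domain;

    ssl_certificate         $LE_LIVE/$domain/fullchain.pem;
    ssl_certificate_key     $LE_LIVE/$domain/privkey.pem;
    ssl_trusted_certificate $LE_LIVE/$domain/chain.pem;
}
EOF
}

# Write <outdir>/<domain>.conf for each valid domain.
# Invalid names are skipped and make the function return non-zero.
render_all() {
    outdir=$1; shift
    rc=0
    for d in "$@"; do
        if valid_domain "$d"; then
            render_vhost "$d" > "$outdir/$d.conf"
        else
            echo "rejected: $d" >&2; rc=1
        fi
    done
    return "$rc"
}
# Typical use (paths are assumptions):
#   render_all /etc/nginx/conf.d mydomain.com && nginx -t && nginx -s reload
```

Running `nginx -t` before the reload catches a missing chain.pem at generation time rather than at the first handshake.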