Mailing List Archive

dynamic ssl cert/key selection
Is there a way to choose what ssl certs/keys to load when you have something like

ServerAlias test.*.*

So when host test.example.com is serviced, that it will get

SSLCertificateFile "/etc/pki/tls/certs/example.com.crt"


So when host test.example.net is serviced, that it will get

SSLCertificateFile "/etc/pki/tls/certs/example.net.crt"
Re: dynamic ssl cert/key selection
> Is there a way to choose what ssl certs/keys to load when you have
> something like
>
> ServerAlias test.*.*
>
> So when host test.example.com is serviced, that it will get
>
> SSLCertificateFile "/etc/pki/tls/certs/example.com.crt"
>
>
> So when host test.example.net is serviced, that it will get
>
> SSLCertificateFile "/etc/pki/tls/certs/example.net.crt"


A trivial and safe way if you need a solution asap might involve declaring
a <vhost> for each host.

I’ve not seen globbing/wildcarding like this, and it also makes me curious whether
it is possible to get a public key signed by a CA with this globbing pattern.
If it’s not, there’s probably a good reason, and it might therefore be a
reason to avoid designing it into your configurations.

A helpful hint for you is to look at the “context” entry for each directive
you want to use in the man pages. SSLCertificateFile, as seen in the
mod_ssl man page, has “server config” and “virtual host” contexts listed.
This indicates that it can’t be used in an <if> directive. That doesn’t
mean it’s not possible to have some idiomatic and/or elegant solution that
involves the globbing pattern.
RE: dynamic ssl cert/key selection
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -.
F1 Outsourcing Development Sp. z o.o.
Poland

t: +48 (0)12 4207 835
e: marc@f1-outsourcing.eu

> -----Original Message-----
> From: Will Fatherley <wefatherley@gmail.com>
> Sent: Friday, 20 October 2023 16:04
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] dynamic ssl cert/key selection
>
>
> Is there a way to choose what ssl certs/keys to load when you have
> something like
>
> ServerAlias test.*.*
>
> So when host test.example.com is serviced,
> that it will get
>
> SSLCertificateFile "/etc/pki/tls/certs/example.com.crt"
>
>
> So when host test.example.net is serviced,
> that it will get
>
> SSLCertificateFile "/etc/pki/tls/certs/example.net.crt"
>
>
> A trivial and safe way if you need a solution asap might involve declaring
> a <vhost> for each host.

I would like to have a single access/error log for all these ServerAlias matches.

> I’ve not seen globbing/wildcarding like this, and it also makes me curious whether
> it is possible to get a public key signed by a CA with this globbing pattern.

Yes, I am getting the certs like this. I just want to avoid creating the vhosts.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: dynamic ssl cert/key selection
On Fri, Oct 20, 2023 at 5:31 PM Marc <Marc@f1-outsourcing.eu> wrote:

[...]
> > ServerAlias test.*.*
[...]
> >
> > A trivial and safe way if you need a solution asap might involve declaring
> > a <vhost> for each host.
>
> I would like to have a single access/error log for all these ServerAlias matches.

That's no problem; multiple vhosts can write into the same access/error logs.

> > I’ve not seen globbing/wildcarding like this, and it also makes me curious whether
> > it is possible to get a public key signed by a CA with this globbing pattern.
>
> Yes, I am getting the certs like this. I just want to avoid creating the vhosts.

I think what he meant is whether CAs issue wildcard certificates like
test.*.*. They don't, and that wouldn't work anyway, since only one *
is allowed, only at the beginning, and only representing a single
level of host names.

Concerning your problem, I think you're stuck with creating multiple
vhosts if you want to use httpd with multiple separate certificates.
If you can get a single certificate with all your hostnames as SAN
entries, that would work as well.

As an alternative, you could use OpenResty as an SSL offloader, and
load your certificates on demand using some lua code in
ssl_certificate_by_lua_block
(https://github.com/openresty/lua-nginx-module#ssl_certificate_by_lua_block)

Rainer
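The multi-vhost setup Rainer describes, written out as an added example (it is not configuration from anyone in the thread): two name-based TLS vhosts, each with its own certificate, both appending to one access log and one error log. Hostnames and certificate paths follow the original question; the key paths, log paths and DocumentRoot are assumed.

```apache
# Added example, not from the thread. Two TLS vhosts selected by SNI,
# each with its own certificate, sharing a single access and error log.
# Certificate paths come from the original question; .key paths, log
# paths and DocumentRoot are assumed.

# One format for both hosts. %v records the ServerName of the vhost
# that served the request, so one shared log stays attributable per host.
LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" shared_vhost

<VirtualHost *:443>
    ServerName test.example.com
    SSLEngine on
    SSLCertificateFile    "/etc/pki/tls/certs/example.com.crt"
    SSLCertificateKeyFile "/etc/pki/tls/private/example.com.key"
    DocumentRoot "/var/www/test"

    # Same log files as the vhost below: this is the shared-log setup.
    ErrorLog  "/var/log/httpd/test_error.log"
    CustomLog "/var/log/httpd/test_access.log" shared_vhost
</VirtualHost>

<VirtualHost *:443>
    ServerName test.example.net
    SSLEngine on
    SSLCertificateFile    "/etc/pki/tls/certs/example.net.crt"
    SSLCertificateKeyFile "/etc/pki/tls/private/example.net.key"
    DocumentRoot "/var/www/test"

    ErrorLog  "/var/log/httpd/test_error.log"
    CustomLog "/var/log/httpd/test_access.log" shared_vhost
</VirtualHost>

# SAN alternative from the same reply: if one certificate lists both
# hostnames as SAN entries, a single vhost replaces the two above:
#
# <VirtualHost *:443>
#     ServerName  test.example.com
#     ServerAlias test.example.net
#     SSLEngine on
#     SSLCertificateFile    "/etc/pki/tls/certs/test-san.crt"   # assumed path
#     SSLCertificateKeyFile "/etc/pki/tls/private/test-san.key" # assumed path
#     ErrorLog  "/var/log/httpd/test_error.log"
#     CustomLog "/var/log/httpd/test_access.log" shared_vhost
# </VirtualHost>
```

Because mod_ssl picks the vhost from the SNI name before any request-level directive runs, the certificate can only follow the vhost, which is why a per-host block (or a SAN certificate) is needed rather than an <If> around SSLCertificateFile.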
