On 04.07.20 21:08, Maksym Zinchenko wrote:
> So now I'm facing these issues:
> 1) Some of the domains are not mine and belong to some clients; they might have their own certificates that they bought. 2) Also I don't know how many clients I will have in the future, so every time I add a new domain I need to regenerate the multi-domain SAN cert (they are really expensive and I can't afford it)

I see; I probably have the Let's Encrypt world too much in mind.

> I thought it was simpler, like:
> 1) Load nsssl globally
> 2) Define "defaultserver" and a certificate for this "defaultserver"
> 3) Define different certificates for each domain in ns_section "ns/server/${server}/module/nsssl"
You probably want all these virtual servers listening on the same port
(if not, just load multiple drivers for different ports).

With a single port, there is a chicken-and-egg problem: the right certificate
is needed at the time the connection is opened, but the virtual server can
only be detected while reading the request header.

This is a well-known problem, for which the SNI TLS extension [1] was invented
(a hostname that can be used for identifying the certificate is passed
during the TLS handshake as well). Currently, NaviServer supports SNI only
on the client side (in ns_http), but not on the server side. It is not overly complicated to implement this, but not trivial either, and will take some effort.

So, for the time being, we have no such support in NaviServer.

all the best
-gn

[1] https://en.wikipedia.org/wiki/Server_Name_Indication
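The handshake-time dispatch described in the reply above, as an added example that is not part of the original post and not NaviServer code: a server multiplexing several virtual hosts on one TLS port cannot wait for the Host: header, so it has to read the server_name extension (RFC 6066) out of the ClientHello and pick the certificate from that, falling back to the default server's certificate when no SNI is present. The ClientHello bytes, host names and certificate file names used here are constructed for the demo, not captured from a real client.

```python
"""Pick a certificate from the TLS ClientHello's SNI before any HTTP is read.

Added example, not NaviServer code.  The ClientHello bytes used here are
constructed in this file (build_client_hello), not captured from a client.
"""
import struct
from typing import Dict, Optional

EXT_SERVER_NAME = 0x0000   # RFC 6066 extension type "server_name"
NAME_TYPE_HOST = 0x00      # only defined NameType: host_name


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (demo input only)."""
    ext = b""
    if hostname is not None:
        name = hostname.encode("idna")
        sni_list = bytes([NAME_TYPE_HOST]) + struct.pack("!H", len(name)) + name
        sni_body = struct.pack("!H", len(sni_list)) + sni_list
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    body = (
        b"\x03\x03"                          # client_version: TLS 1.2
        + bytes(32)                          # random (all zero for the demo)
        + b"\x00"                            # session_id: empty
        + b"\x00\x02\x13\x01"                # cipher_suites: one suite
        + b"\x01\x00"                        # compression_methods: null only
        + struct.pack("!H", len(ext)) + ext  # extensions block
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _take(buf: bytes, pos: int, n: int) -> bytes:
    """Return buf[pos:pos+n], refusing to read past the end (malformed input)."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n]


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None if absent."""
    hdr = _take(record, 0, 5)
    if hdr[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = _take(record, 5, struct.unpack("!H", hdr[3:5])[0])
    if _take(hs, 0, 1)[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = _take(hs, 4, int.from_bytes(_take(hs, 1, 3), "big"))

    pos = 2 + 32                                             # skip version and random
    pos += 1 + _take(body, pos, 1)[0]                        # session_id
    pos += 2 + struct.unpack("!H", _take(body, pos, 2))[0]   # cipher_suites
    pos += 1 + _take(body, pos, 1)[0]                        # compression_methods
    if pos == len(body):
        return None                                          # no extensions block at all
    ext_len = struct.unpack("!H", _take(body, pos, 2))[0]
    pos += 2
    _take(body, pos, ext_len)                                # extensions must fit in body
    ext_end = pos + ext_len
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = _take(body, pos, elen)
        pos += elen
        if etype != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", _take(edata, 0, 2))[0]
        p, list_end = 2, 2 + list_len
        while p + 3 <= list_end:
            ntype = edata[p]
            nlen = struct.unpack("!H", _take(edata, p + 1, 2))[0]
            p += 3
            name = _take(edata, p, nlen)
            p += nlen
            if ntype == NAME_TYPE_HOST:
                return name.decode("ascii")   # SNI names are A-labels, ASCII only
    return None


def select_certificate(record: bytes, certs: Dict[str, str], default: str) -> str:
    """Map the SNI host name to a certificate, falling back to the default
    server's certificate when the client sent no SNI or an unknown name."""
    host = extract_sni(record)
    if host is None:
        return default
    return certs.get(host.lower(), default)


if __name__ == "__main__":
    # Hypothetical per-client certificates; the file names are placeholders.
    certs = {"client-a.example": "client-a.pem", "client-b.example": "client-b.pem"}
    for host in ("client-a.example", "unknown.example", None):
        rec = build_client_hello(host)
        print(host, "->", select_certificate(rec, certs, "default.pem"))
```

The point of the fallback is the same as the "defaultserver" certificate in the quoted configuration sketch: a client that sends no SNI (or an unknown name) still completes the handshake, just with the default certificate, and the host-name check only happens later when the request header is read.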



_______________________________________________
naviserver-devel mailing list
naviserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/naviserver-devel
