Re: [users@httpd] dynamic ssl cert/key selection
On Fri, Oct 20, 2023 at 5:31 PM Marc wrote:
[...]
> > ServerAlias test.*.*
[...]
> > A trivial and safe way if you need a solution asap might involve declaring
> > a <VirtualHost> for each host.
>
> I would like to have single access/error log for all these serveralias
> matches.

That's no problem, multiple vhosts can write into the same access/error logs.

> > I've not seen globbing/wildcarding like this, and also makes me curious is
> > it possible to get a public key signed by a CA with this globbing pattern?
>
> yes I am getting the certs like this. I just want to prevent creating the
> vhosts

I think what he meant is whether CAs issue wildcard certificates like test.*.*. They don't, and that wouldn't work anyway, since only one * is allowed, only at the beginning, and only representing a single level of host names.

Concerning your problem, I think you're stuck with creating multiple vhosts if you want to use httpd with multiple separate certificates. If you can get a single certificate with all your hostnames as SAN entries, that would work as well.

As an alternative, you could use OpenResty as an SSL offloader, and load your certificates on demand using some lua code in ssl_certificate_by_lua_block (https://github.com/openresty/lua-nginx-module#ssl_certificate_by_lua_block)

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
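The "one vhost per hostname, shared logs" layout that Rainer describes, written out as an added example; this is not configuration posted in the thread. The hostnames and certificate paths come from the original question. The key file paths under /etc/pki/tls/private, the log paths under /var/log/httpd, the vhost_combined format name and the SSLStrictSNIVHostCheck line are my assumptions, and mod_ssl and mod_log_config are assumed to be loaded.

```apacheconf
# Added example (not from the thread): one <VirtualHost> per hostname, each
# with its own certificate, both writing to the same access and error logs.
# httpd selects the vhost by the SNI name the client sends during the TLS
# handshake, so no globbing of certificate paths is needed.

Listen 443

# Shared log format. %v records the ServerName of the vhost that handled the
# request, so a single log file still tells the two hosts apart.
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined

# First *:443 vhost is also the default for this IP/port. A client that sends
# no SNI would land here and be shown example.com's certificate whatever Host
# header it sends; refuse such clients instead of serving the wrong cert.
<VirtualHost *:443>
    ServerName test.example.com
    SSLEngine on
    SSLStrictSNIVHostCheck on
    SSLCertificateFile    "/etc/pki/tls/certs/example.com.crt"
    SSLCertificateKeyFile "/etc/pki/tls/private/example.com.key"   # assumed path
    ErrorLog  "/var/log/httpd/test_error_log"                      # shared
    CustomLog "/var/log/httpd/test_access_log" vhost_combined      # shared
</VirtualHost>

<VirtualHost *:443>
    ServerName test.example.net
    SSLEngine on
    SSLCertificateFile    "/etc/pki/tls/certs/example.net.crt"
    SSLCertificateKeyFile "/etc/pki/tls/private/example.net.key"   # assumed path
    ErrorLog  "/var/log/httpd/test_error_log"                      # same file
    CustomLog "/var/log/httpd/test_access_log" vhost_combined      # same file
</VirtualHost>

# Alternative Rainer mentions: if one certificate lists both names as SAN
# entries, a single vhost is enough. Shown commented out because it would
# duplicate the ServerName above if enabled at the same time.
#<VirtualHost *:443>
#    ServerName  test.example.com
#    ServerAlias test.example.net
#    SSLEngine on
#    SSLCertificateFile    "/etc/pki/tls/certs/test-san.crt"   # assumed name
#    SSLCertificateKeyFile "/etc/pki/tls/private/test-san.key" # assumed name
#    ErrorLog  "/var/log/httpd/test_error_log"
#    CustomLog "/var/log/httpd/test_access_log" vhost_combined
#</VirtualHost>
```

After `apachectl configtest` and a reload, `openssl s_client -connect HOST:443 -servername test.example.net` should show the example.net certificate, while the same command with `-servername test.example.com` shows the example.com one; running it without `-servername` should be rejected by the strict SNI check rather than answered with example.com's certificate.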
RE: [users@httpd] dynamic ssl cert/key selection
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -.
F1 Outsourcing Development Sp. z o.o.
Poland
t: +48 (0)12 4207 835
e: m...@f1-outsourcing.eu

> -Original Message-
> From: Will Fatherley
> Sent: Friday, 20 October 2023 16:04
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] dynamic ssl cert/key selection
>
> > Is there a way to choose what ssl certs/keys to load when you have
> > something like
> >
> > ServerAlias test.*.*
> >
> > So when host test.example.com is serviced, that it will get
> >
> > SSLCertificateFile "/etc/pki/tls/certs/example.com.crt"
> >
> > So when host test.example.net is serviced, that it will get
> >
> > SSLCertificateFile "/etc/pki/tls/certs/example.net.crt"
>
> A trivial and safe way if you need a solution asap might involve declaring
> a <VirtualHost> for each host.

I would like to have single access/error log for all these serveralias matches.

> I've not seen globbing/wildcarding like this, and also makes me curious is
> it possible to get a public key signed by a CA with this globbing pattern?

yes I am getting the certs like this. I just want to prevent creating the vhosts
Re: [users@httpd] dynamic ssl cert/key selection
> Is there a way to choose what ssl certs/keys to load when you have
> something like
>
> ServerAlias test.*.*
>
> So when host test.example.com is serviced, that it will get
>
> SSLCertificateFile "/etc/pki/tls/certs/example.com.crt"
>
> So when host test.example.net is serviced, that it will get
>
> SSLCertificateFile "/etc/pki/tls/certs/example.net.crt"

A trivial and safe way if you need a solution asap might involve declaring a <VirtualHost> for each host.

I've not seen globbing/wildcarding like this, and also makes me curious is it possible to get a public key signed by a CA with this globbing pattern? If it's not, there's probably a good reason, and it might therefore be a reason to avoid designing it into your configurations.

A helpful hint for you is to look at the "context" entry for each directive you want to use in the man pages. SSLCertificateFile, as seen in the mod_ssl man page, has "server config" and "virtual host" contexts listed. This indicates that it can't be used in an directive. That doesn't mean it's not possible to have some idiomatic and/or elegant solution that involves the globbing pattern.
[users@httpd] dynamic ssl cert/key selection
Is there a way to choose what ssl certs/keys to load when you have something like

ServerAlias test.*.*

So when host test.example.com is serviced, that it will get

SSLCertificateFile "/etc/pki/tls/certs/example.com.crt"

So when host test.example.net is serviced, that it will get

SSLCertificateFile "/etc/pki/tls/certs/example.net.crt"