Channel: Nginx Forum - Nginx Mailing List - English

Dynamic ssl certificate? (wildcard + multiple different certs) (6 replies)

Hello,

Here is my current conf

server {
    listen 443;

    server_name ~^(.*)\.sub\.domain\.com$;

    ssl on;
    ssl_certificate $cookie_ident/$1.crt;
    ssl_certificate_key $cookie_ident/$1.key;
    server_tokens off;

    ssl_protocols TLSv1.2 TLSv1.1 TLSv1 SSLv3;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;
    ssl_session_cache builtin:1000 shared:SSL:10m;

    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:RC4-SHA;

    autoindex off;
    root /upla/http/www.domain.com;
    port_in_redirect off;
    expires 10s;
    #add_header Cache-Control "no-cache,no-store";
    #expires max;
    add_header Pragma public;
    add_header Cache-Control "public";

    location / {
        try_files $uri /$request_uri =404;
    }
}

I would like to be able to "load" the right cert according to the cookie set and request uri.

A sort of dynamic setting.

But of course, when I start nginx, it complains:
SSL: error:02001002:system library:fopen:No such file or directory:

Perfectly normal since $cookie_ident is empty and no subdomain has been requested.

So, what is the workaround I could use to avoid creating one file per new (self-signed) certificate issued?

I cannot use only one certificate for all since I have to be able to revoke the certs with granularity.


How should I make it work?

Thanks
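
An added example, not part of the original post and not the nginx project's own configuration: one way to pick a certificate per subdomain at handshake time. It keys on the SNI host name through $ssl_server_name, because a cookie such as $cookie_ident is not available until after the TLS handshake has completed. It assumes nginx 1.15.9 or later built against OpenSSL 1.0.2 or later (where variables are accepted in ssl_certificate); the /etc/nginx/certs directory, the fallback file names and the $cert_name variable are hypothetical.

```nginx
# Added example. Paths, file names and $cert_name are assumptions.

# Derive the certificate file name from the SNI host name. Only a single
# DNS label made of [a-z0-9-] is accepted, so a client-supplied name can
# never put "/" or ".." into the file path. Anything else maps to the
# fallback pair.
map $ssl_server_name $cert_name {
    default                                    fallback;
    ~^(?<label>[a-z0-9-]+)\.sub\.domain\.com$  $label;
}

server {
    listen 443 ssl;
    server_name ~^[a-z0-9-]+\.sub\.domain\.com$;

    # With variables in the file name, the certificate and key are read
    # during each TLS handshake instead of at startup, so nginx starts
    # even when no per-subdomain file exists yet. The files are opened
    # by the worker processes and must be readable by the worker user.
    #
    # fallback.crt/.key serve clients that send no SNI or a name outside
    # the pattern. A name that matches the pattern but has no file on
    # disk fails the handshake.
    ssl_certificate     /etc/nginx/certs/$cert_name.crt;
    ssl_certificate_key /etc/nginx/certs/$cert_name.key;

    server_tokens off;
    root /upla/http/www.domain.com;

    location / {
        try_files $uri =404;
    }
}
```

Per-handshake loading adds file I/O to every new connection, and this still needs one certificate and key file per subdomain on disk.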
