
I inherited a lighttpd server and I'm somewhat clueless on it. I'm trying to use SNI to install a 3rd SSL cert without another IP. Currently the SSL config in lighttpd.conf looks like so:

$SERVER["socket"] == ":443" {
  ssl.engine = "enable"
  # default certificate, used for clients that send no SNI name
  ssl.pemfile = "/etc/ssl/private/domain1.com.pem"
  ssl.ca-file = "/etc/ssl/private/chain.cer"
  # SNI: per-host certificate selected by the name the client asks for
  $HTTP["host"] == "domain2.com" {
     ssl.pemfile = "/etc/ssl/private/domain2.com.pem"
     ssl.ca-file = "/etc/ssl/private/chain.cer"
  }
}

Trying to add the 3rd cert, like so:

$SERVER["socket"] == ":443" {
  ssl.engine = "enable"
  ssl.pemfile = "/etc/ssl/private/domain1.com.pem"
  ssl.ca-file = "/etc/ssl/private/chain.cer"
  $HTTP["host"] == "domain2.com" {
     ssl.pemfile = "/etc/ssl/private/domain2.com.pem"
     ssl.ca-file = "/etc/ssl/private/chain.cer"
  }
  $HTTP["host"] == "domain3.com" {
     ssl.pemfile = "/etc/ssl/private/domain3.com.pem"
  }
}

Something is not working about it: lighttpd won't start/restart when the config looks like this.

the.s.brom

1 Answer


Is your domain3.com.pem file correct?

Lighttpd uses a slightly less common construction where the ssl.pemfile should contain not only the signed certificate that your CA returned to you but also the associated private key.

It should look like:

-----BEGIN CERTIFICATE-----
ABC...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
ABC...
-----END PRIVATE KEY-----
HBruijn
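As an added example, not part of HBruijn's answer or of lighttpd itself: a standard-library Python script that checks a pemfile the way the answer describes. It parses the PEM blocks and reports what is missing or malformed (no private key block, a footer with the wrong number of dashes, a label mismatch), then hands the file to OpenSSL via Python's ssl module, which reads certificate and key from the same file and refuses the pair if the key does not match the certificate, and finally warns if the file, which now holds a private key, is readable by anyone but its owner. The sample PEM content embedded below is constructed filler (valid base64 of a text string, not real DER) so the structural checks can run offline; the default path is the one from the question.

```python
"""Sanity-check a lighttpd ssl.pemfile, which must hold the certificate
and its private key in one file. Added example (standard library only),
not code from the original post or from lighttpd."""
import base64
import binascii
import os
import re
import ssl
import stat

# One PEM block: header, base64 body lines, footer with exactly five dashes
# on each side. A footer such as "-----END PRIVATE KEY----" (four dashes)
# does not match, so that block is reported as unterminated below.
PEM_BLOCK = re.compile(
    r"^-----BEGIN ([A-Z0-9 ]+)-----\r?\n"
    r"((?:[A-Za-z0-9+/=]+\r?\n)*)"
    r"-----END ([A-Z0-9 ]+)-----[ \t]*$",
    re.MULTILINE,
)
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----", re.MULTILINE)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def parse_pem_blocks(text):
    """Return (begin_label, end_label, der_bytes_or_None) for each block."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        begin, body, end = m.groups()
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            der = None
        blocks.append((begin, end, der))
    return blocks


def check_pemfile_text(text):
    """Return a list of problems; empty means the file has the shape lighttpd
    wants: at least one CERTIFICATE block and exactly one private key block."""
    problems = []
    blocks = parse_pem_blocks(text)
    begins = PEM_BEGIN.findall(text)
    if len(begins) > len(blocks):
        problems.append("%d BEGIN marker(s) without a matching END line "
                        "(check the dashes and the label)"
                        % (len(begins) - len(blocks)))
    for begin, end, der in blocks:
        if begin != end:
            problems.append("block begins %r but ends %r" % (begin, end))
        elif der is None:
            problems.append("block %r is not valid base64" % begin)
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    keys = [b for b in blocks if b[0] in KEY_LABELS]
    if not certs:
        problems.append("no CERTIFICATE block: the signed certificate is missing")
    if any(b[0] == "ENCRYPTED PRIVATE KEY" for b in blocks):
        problems.append("private key is passphrase-protected; an unattended "
                        "service start cannot supply the passphrase")
    elif not keys:
        problems.append("no private key block: ssl.pemfile needs the key too")
    elif len(keys) > 1:
        problems.append("%d private key blocks; expected exactly one" % len(keys))
    return problems


def check_pemfile(path):
    """Check a file on disk: structure, that OpenSSL accepts the pair (the key
    must match the certificate), and that only the owner can read the key."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        problems = check_pemfile_text(fh.read())
    try:
        # Python's ssl module is OpenSSL; with keyfile omitted it reads the
        # key from certfile, as lighttpd does with ssl.pemfile, and raises
        # if the key is missing or does not belong to the certificate.
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(certfile=path)
    except ssl.SSLError as exc:
        problems.append("OpenSSL rejected the file: %s" % exc)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append("mode %04o lets group/others read the private key; "
                        "use 0600" % mode)
    return problems


def _fake_body(tag):
    # Constructed filler, not real DER: valid base64 so the structure parses.
    return base64.b64encode(("constructed %s, not real DER" % tag).encode()).decode()


# Constructed samples for offline use: the answer's layout, the cert alone,
# and the key footer with only four dashes.
GOOD_SAMPLE = "\n".join([
    "-----BEGIN CERTIFICATE-----", _fake_body("certificate"), "-----END CERTIFICATE-----",
    "-----BEGIN PRIVATE KEY-----", _fake_body("key"), "-----END PRIVATE KEY-----", "",
])
CERT_ONLY_SAMPLE = GOOD_SAMPLE.split("-----BEGIN PRIVATE KEY-----")[0]
FOUR_DASH_FOOTER_SAMPLE = GOOD_SAMPLE.replace("-----END PRIVATE KEY-----",
                                              "-----END PRIVATE KEY----")

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:] or ["/etc/ssl/private/domain3.com.pem"]:
        found = check_pemfile(path)
        print("%s: %s" % (path, "OK" if not found else "; ".join(found)))
```

Run it as root against the new pemfile before restarting lighttpd; an empty result means the file parses, OpenSSL accepts the certificate/key pair, and the permissions are tight. The structural checks only tell you the PEM blocks are present and well-formed; the load_cert_chain() call is the one that catches a key copied from the wrong domain.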