I'm trying to dynamically read the location of the SSL certificates depending on which URL was used to connect to my server. I have attempted a few different ways but none seem to work. Currently I have the config as noted below:

UseCanonicalName Off

listen 443

<VirtualHost *:443>
  ServerName example
  ServerAlias *

  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/%0/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/%0/privkey.pem

  VirtualDocumentRoot /var/www/vhosts/%-2/%-3+/public
</VirtualHost>

The problem here is that when I start Apache I get an error saying it can't find the file location for the SSL certificate, stating '/etc/letsencrypt/live/%0/cert.pem'.

So it seems the %0 is not being replaced by the URL.

Edit: When I replace only %0 by the URL manually, then said URL has working SSL.

Fennek

1 Answer

From the documentation:

The variable %0 references the requested servername, as indicated in the Host: header.

The Host header is part of the HTTP request. The HTTP request is only available after the successful TLS handshake. The certificate is needed for this handshake. Thus, %0 cannot be used to specify the path to the certificate.

I doubt that any other variables will be possible for this purpose since the certificates are loaded at startup and thus the file names have to be available already at start.

Steffen Ullrich
  • If this is the case, how does apache initially know which virtual host it should talk to? I suppose it uses a different source to get the servername from. Can't I also use this same source? – Fennek Jan 13 '17 at 14:25
  • @Fennek: I'm not sure what you are asking. Apache does not "talk to" any virtual host but Apache is the server for this host. And for all virtual hosts you want to have you'll provide a virtual host configuration with the specific ServerName and certificate. – Steffen Ullrich Jan 13 '17 at 15:51
  • I'm sorry for the bad wording. I'm aware it doesn't talk to a host. What I mean is how does Apache know initially which vhost's certificate it should send out? At whichever point Apache decides this, can't I make the certificate selection there dynamic instead of having it 'hard coded' into the vhost config file? – Fennek Jan 18 '17 at 11:38
  • I'm not fully aware of how apache works under the hood so excuse me if my question is weird. – Fennek Jan 18 '17 at 11:39
  • @Fennek: the decision which certificate to serve is done based on the content of the SNI TLS extension in the ClientHello message, i.e. during the TLS handshake. Like I said in my response, the TLS handshake is done before the HTTP request is done so `%0` is not populated from the Host header (contained in the HTTP request) at the time of the TLS handshake. – Steffen Ullrich Jan 18 '17 at 21:00
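The point made in the answer and its last comment, as an added example that is not part of the original post: the name a server can use to pick a certificate travels in the SNI extension of the very first TLS message (the ClientHello), while the Host header exists only inside the HTTP request that follows the handshake. The builder, the parser and the sample ClientHello are constructed for this illustration; cert_dir_for is a hypothetical helper showing that a client-controlled name must be validated before it is allowed to select a path such as /etc/letsencrypt/live/<name>/.

```python
import re
import struct

def build_client_hello(server_name):
    """Constructed minimal TLS ClientHello record whose only extension is SNI (type 0)."""
    host = server_name.encode("ascii")
    sni_list = struct.pack("!BH", 0, len(host)) + host           # name_type=host_name, name
    sni_ext = struct.pack("!H", len(sni_list)) + sni_list         # ServerNameList
    extensions = struct.pack("!HH", 0, len(sni_ext)) + sni_ext    # extension_type 0 + data
    body = (b"\x03\x03" + bytes(32)                  # client_version, random (zeros: constructed)
            + b"\x00"                                # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
            + b"\x01\x00"                            # compression_methods: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header

def extract_sni(record):
    """Return the host_name from the SNI extension of a ClientHello record, else None."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None                              # not a handshake record / not a ClientHello
        hs = record[5:]
        pos = 4 + 2 + 32                             # handshake header, version, random
        pos += 1 + hs[pos]                           # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                           # compression_methods
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0:                           # server_name extension
                q = pos + 2                          # skip ServerNameList length
                while q + 3 <= pos + elen:
                    ntype, nlen = struct.unpack("!BH", hs[q:q + 3])
                    q += 3
                    if ntype == 0:
                        return hs[q:q + nlen].decode("ascii")
                    q += nlen
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                         # truncated or malformed hello
    return None

HOSTNAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")
def cert_dir_for(sni, base="/etc/letsencrypt/live"):
    # Hypothetical helper: only a plain hostname may choose a directory (rejects '/', '..', empty labels)
    if sni is None or not HOSTNAME_RE.match(sni.lower()):
        return None
    return f"{base}/{sni.lower()}"
```

Feeding an HTTP request into extract_sni returns None, which is the situation the answer describes: at handshake time there is no Host header to read, only the SNI value.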