
In my little virtual-hosts config with nginx I encountered a new problem.

I tried to set up a "webmail" subdomain for every one of my virtual hosts using a server_name wildcard:

server_name ~^(webmail\.)?(?<domain>.+)$;

As all my domains have their own SSL certificate, I would like to use the right one for the webmail subdomains too. The certificates are configured as wildcard certs, as in *.domain1.com etc.

So webmail.domain1.com should use the cert for *.domain1.com whereas webmail.domain2.net should use the *.domain2.net cert.

I tried the following as a first guess, but could not start nginx because it does not accept the variable in the path:

ssl_certificate /etc/letsencrypt/live/$domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;

Is there a way to achieve this configuration with a single config file covering all webmail.* subdomains?

Martin L.

1 Answer


Yes, but not the way you are hoping...

The problem you have is that nginx needs to terminate the SSL before it can read the stream content to get the Host header, to set the server_name, to decide which certificate and key are needed to terminate the SSL. That's why variables and maps will never work: they can't yet exist at the point when nginx needs to read the certificate.

(I believe there are Lua functions in OpenResty that deal with certificate handling, but I think this is more about certificate life-cycles rather than choosing one on-the-fly per request which is what you want.)

The way to achieve this is to script your conf generation, using perl, python, bash, whatever you're comfortable with. Describe a common server block template that only needs to be given the domain name, and generate a copy of that for each domain. They can be all in one file, or included from separate files, whatever works for you.

Tip: If you name a conf file with a dot prefix, like .server-tpl.conf, then it will be ignored by the usual include conf.d/*.conf. That way, you can keep this template together with your other conf files, but only the populated copies will be loaded.

randomsock
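The template-and-generate approach from the answer, as an added example that is not the answerer's own script: a small bash generator that renders one `server` block per domain from a dot-prefixed template and writes them all into a single file. Everything here is constructed for illustration: the placeholder name `__DOMAIN__`, the `proxy_pass` backend, the output file name and the domains `domain1.com` / `domain2.net`. Since nginx 1.15.9 (built against OpenSSL 1.0.2 or later) `ssl_certificate` and `ssl_certificate_key` do accept variables, so on a current build the asker's original lines work as written; the generator below is the version-independent route the answer describes. The domain value is validated before it is substituted so that a stray entry in the domain list cannot inject directives or path components into the rendered config.

```shell
#!/usr/bin/env bash
# Added example: render per-domain nginx server blocks from one template.
# Assumed layout (not from the page): the template lives as
# conf.d/.webmail-tpl.conf (dot prefix keeps it out of `include conf.d/*.conf`)
# and the rendered copies go into conf.d/webmail.conf.
set -eu

# Template content, inlined here so the script runs stand-alone. The string
# __DOMAIN__ is the placeholder that is substituted per domain.
TEMPLATE_CONTENT='server {
    listen 443 ssl;
    server_name webmail.__DOMAIN__;

    ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8080;   # constructed backend address
    }
}'

# render_block DOMAIN
# Prints the template with __DOMAIN__ replaced. The domain is checked against
# a conservative hostname pattern first: only letters, digits, dots and
# hyphens, no leading dot, no empty labels. Anything else is rejected, which
# also keeps sed's replacement free of '/' and '&'.
render_block() {
    local domain="$1"
    case "$domain" in
        ""|.*|*..*|*[!A-Za-z0-9.-]*)
            echo "render_block: invalid domain '$domain'" >&2
            return 1 ;;
    esac
    printf '%s\n' "$TEMPLATE_CONTENT" | sed "s/__DOMAIN__/${domain}/g"
}

# generate_conf OUTFILE DOMAIN...
# Writes one rendered block per domain into OUTFILE (truncating it first).
# Fails on the first invalid domain so a half-written file is not left
# looking complete.
generate_conf() {
    local out="$1"; shift
    local d
    : > "$out"
    for d in "$@"; do
        render_block "$d" >> "$out"
        printf '\n' >> "$out"
    done
}

# Demo run, only when invoked as `./gen-webmail.sh --demo` (constructed
# domains; output goes to a temp dir so nothing on the host is touched).
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    generate_conf "$demo_dir/webmail.conf" domain1.com domain2.net
    cat "$demo_dir/webmail.conf"
fi
```

In real use point `generate_conf` at `conf.d/webmail.conf`, keep the domain list in a file or in the script, and follow every regeneration with `nginx -t` before reloading: a rendered block whose certificate path does not exist on disk will fail the config test rather than the reload, which is exactly where you want to catch it.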