Dynamic ssl certificate (wildcard+ multiple different certs)

Detlef_R · January 9, 2014, 5:28pm

Hello,

Here is my current conf

server {
listen 443;

server_name ~^(.*)\.sub\.domain\.com$

ssl    on;
ssl_certificate    $cookie_ident/$1.crt;
ssl_certificate_key    $cookie_ident/$1.key;
server_tokens off;

ssl_protocols TLSv1.2 TLSv1.1 TLSv1 SSLv3;
ssl_prefer_server_ciphers on;
ssl_session_timeout 5m;
ssl_session_cache builtin:1000 shared:SSL:10m;

ssl_ciphers

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:RC4-SHA;

autoindex off;
root /upla/http/www.domain.com;
port_in_redirect off;
expires 10s;
#add_header Cache-Control "no-cache,no-store";
#expires max;
    add_header Pragma public;
    add_header Cache-Control "public";

location / {

  try_files $uri /$request_uri =404;

}

}

I would like to be able to “load” the right cert according to the cookie
set
and request uri.

A sort of dynamic setting.

But of course, when I start nginx, it complains :
SSL: error:02001002:system library:fopen:No such file or directory:

Perfectly normal since $cookie_ident is empty and no subdomain has been
requested.

So, what is the workaround I could use to avoid creating one file per
new
(self-signed)certificate issued ?

I cannot use only one certificate for all since I have to be able to
revoke
the certs with granularity.

How should I make it work ?

Thanks

Posted at Nginx Forum:

larry · January 9, 2014, 5:41pm

Certificates are selected and presented by the server before the
client even has the chance to send any cookies, the latter
happening after the »TLS handshake«.

2014/1/9 Larry [email protected]:

larry · January 9, 2014, 5:53pm

So, what is the workaround I could use to avoid creating one file per new
(self-signed)certificate issued ?
I cannot use only one certificate for all since I have to be able to
revoke the certs with granularity.

If you don’t want to use file/certificate per domain but the same time
can’t
work arround it with a wildcard certificate it (imo) leaves just one
option - to create a certificate including all the exact domains and
whenever there are some changes (expiration or a new domain added)
regenerate the cert.

p.s. you can do something like that even with non self-signed
certificates -
for example (while manually) Godaddy lets you add or remove domains to
their
“Multiple Domains UCC” certs (up to 100 domains) on the fly (the
expiration
of the whole cert remains).

rr

larry · January 9, 2014, 8:01pm

Thanks,

I left the cookies out of this context right now I understand.

But since there is a http request first why doesn’t nginx is able to
switch
to the right certificate accordingly ?

Without obliging me to create a new entry for each (which is the route I
am
going to take)?

Posted at Nginx Forum:

larry · January 9, 2014, 5:46pm

On 9 January 2014 16:28, Larry [email protected] wrote:

I would like to be able to “load” the right cert according to the cookie set
and request uri.
A sort of dynamic setting.
So, what is the workaround I could use to avoid creating one file per new
(self-signed)certificate issued ?

Your problem is that, irrespective of Nginx’s feelings about using a
variable in the ssl_certificate directive, what you’re trying to
configure is a HTTP/SSL layering violation.

The information you want to use to choose the correct cert is
communicated inside the HTTP request (usually people ask about using
the Host header; you’re asking here about cookies). But this
information is not available to the SSL libraries until /after/ the
SSL channel has been set up - which can’t be done until a cert has
been selected. It’s a catch-22 situation.

SNI /can/ help with this, as it transmits the host header in the clear
during SSL negotiation, but client support can prove limited (browsers
on XP, IIRC, don’t support it). I’m not sure, but I don’t believe SNI
communicates enough extra information (cookies and/or request paths)
for you to achieve what you want to here.

The usual suggestion for this situation is either to seperate out
sites, one per IP; or to look at wildcard certs or UCC/SaN certs.
You’ve mentioned self-signed certs, which suggests you may have some
control over the clients root CAs - is this the case? You could
perhaps automate UCC/SaN cert issuance based on your current whitelist
of unrevoked certs …

tl;dr Buy some IPv4 space and use an IP per subdomain.

Jonathan

larry · January 9, 2014, 9:01pm

Thanks,

I changed my strategy :
one file programmatically modified and added to the site-enabled folder

like that everything runs fine and I keep being able to meet my
requirement
of one root ca per client.

Many thanks all of you

Bye

Posted at Nginx Forum:

larry · January 9, 2014, 8:51pm

Because the certs are parsed when the config is loaded so that you can
have
a SSL context right from the start. Well before the HTTP layer is
touched.
If you want dynamic cert loading you have to do it yourself.

At a time I tried that by following a simpler path of modifying stud so
that it does on the fly cert loading. Never pursued it further. The
thing
is you need a context right from the start and then change dynamically
to
use the server name, AFAICT.

Le 9 janv. 2014 20:00, “Larry” [email protected] a crit :

Thanks,

I left the cookies out of this context right now I understand.

But since there is a http request first why doesn’t nginx is able to
switch
to the right certificate accordingly ?

Without obliging me to create a new entry for each (which is the route I
am
going to take)?

Posted at Nginx Forum:
Re: Dynamic ssl certificate ? (wildcard+ multiple different certs)