Forum: NGINX Dynamic ssl certificate (wildcard+ multiple different certs)

Larry (Guest)
on 2014-01-09 17:28
(Received via mailing list)
Hello,

Here is my current conf

server {
    listen   443;

    server_name ~^(.*)\.sub\.domain\.com$;

    ssl    on;
    # the certificate paths are meant to depend on the cookie and the captured subdomain
    ssl_certificate    $cookie_ident/$1.crt;
    ssl_certificate_key    $cookie_ident/$1.key;
    server_tokens off;

    ssl_protocols TLSv1.2 TLSv1.1 TLSv1 SSLv3;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;
    ssl_session_cache builtin:1000 shared:SSL:10m;

    ssl_ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:RC4-SHA;

    autoindex off;
    root /upla/http/www.domain.com;
    port_in_redirect off;
    expires 10s;
    #add_header Cache-Control "no-cache,no-store";
    #expires max;
    add_header Pragma public;
    add_header Cache-Control "public";

    location / {
      try_files $uri /$request_uri =404;
    }
}

I would like to be able to "load" the right cert according to the cookie set
and the request URI.

A sort of dynamic setting.

But of course, when I start nginx, it complains:
SSL: error:02001002:system library:fopen:No such file or directory:

Perfectly normal, since $cookie_ident is empty and no subdomain has been
requested.

So, what is the workaround I could use to avoid creating one file per new
(self-signed) certificate issued?

I cannot use only one certificate for all since I have to be able to revoke
the certs with granularity.


How should I make it work?

Thanks

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,246178,246178#msg-246178
W-Mark Kubacki (Guest)
on 2014-01-09 17:41
(Received via mailing list)
Certificates are selected and presented by the server before the
client even has the chance to send any cookies, the latter
happening after the »TLS handshake«.

2014/1/9 Larry <nginx-forum@nginx.us>:
Jonathan Matthews (Guest)
on 2014-01-09 17:46
(Received via mailing list)
On 9 January 2014 16:28, Larry <nginx-forum@nginx.us> wrote:
> I would like to be able to "load" the right cert according to the cookie set
> and request uri.
> A sort of dynamic setting.
> So, what is the workaround I could use to avoid creating one file per new
> (self-signed)certificate issued ?

Your problem is that, irrespective of Nginx's feelings about using a
variable in the ssl_certificate directive, what you're trying to
configure is an HTTP/SSL layering violation.

The information you want to use to choose the correct cert is
communicated inside the HTTP request (usually people ask about using
the Host header; you're asking here about cookies). But this
information is not available to the SSL libraries until /after/ the
SSL channel has been set up - which can't be done until a cert has
been selected. It's a catch-22 situation.

SNI /can/ help with this, as it transmits the host header in the clear
during SSL negotiation, but client support can prove limited (browsers
on XP, IIRC, don't support it). I'm not sure, but I don't believe SNI
communicates enough extra information (cookies and/or request paths)
for you to achieve what you want to here.

The usual suggestion for this situation is either to separate out
sites, one per IP; or to look at wildcard certs or UCC/SAN certs.
You've mentioned self-signed certs, which suggests you may have some
control over the clients' root CAs - is this the case? You could
perhaps automate UCC/SAN cert issuance based on your current whitelist
of unrevoked certs ...

tl;dr Buy some IPv4 space and use an IP per subdomain.

Jonathan
Reinis Rozitis (Guest)
on 2014-01-09 17:53
(Received via mailing list)
> So, what is the workaround I could use to avoid creating one file per new
> (self-signed)certificate issued ?
> I cannot use only one certificate for all since I have to be able to
> revoke the certs with granularity.

If you don't want to use a file/certificate per domain but at the same time
can't work around it with a wildcard certificate, it (imo) leaves just one
option - to create a certificate including all the exact domains and,
whenever there are some changes (expiration or a new domain added),
regenerate the cert.


p.s. you can do something like that even with non self-signed
certificates - for example (while manually) Godaddy lets you add or remove
domains to their "Multiple Domains UCC" certs (up to 100 domains) on the fly
(the expiration of the whole cert remains).

rr
Larry (Guest)
on 2014-01-09 20:01
(Received via mailing list)
Thanks,

I left the cookies out of this context right now, I understand.

But since there is an HTTP request first, why isn't nginx able to switch
to the right certificate accordingly?

Without obliging me to create a new entry for each (which is the route I
am going to take)?

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,246178,246197#msg-246197
"António P. P. Almeida" <appa@perusio.net> (Guest)
on 2014-01-09 20:51
(Received via mailing list)
Because the certs are parsed when the config is loaded so that you can
have an SSL context right from the start. Well before the HTTP layer is
touched. If you want dynamic cert loading you have to do it yourself.

At a time I tried that by following a simpler path of modifying stud so
that it does on-the-fly cert loading. Never pursued it further. The
thing is you need a context right from the start and then change
dynamically to use the server name, AFAICT.


On 9 Jan 2014 20:00, "Larry" <nginx-forum@nginx.us> wrote:
>
> Thanks,
>
> I left the cookies out of this context right now I understand.
>
> But since there is a http request first why doesn't nginx is able to
switch
> to the right certificate accordingly ?
>
> Without obliging me to create a new entry for each (which is the route I
am
> going to take)?
>
> Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,246178,246197#msg-246197
Larry (Guest)
on 2014-01-09 21:01
(Received via mailing list)
Thanks,

I changed my strategy:
one file, programmatically modified and added to the sites-enabled folder.

Like that everything runs fine and I keep being able to meet my
requirement of one root CA per client.

Many thanks all of you

Bye

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,246178,246205#msg-246205
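Larry's final route, one generated file under sites-enabled that is regenerated from the list of unrevoked client certificates (Reinis's "regenerate when something changes", applied per client instead of per SAN), looks roughly like the following. This is an added example, not Larry's script and not any nginx tooling; the whitelist and revocation list are constructed, and the /etc/nginx/clients layout and output path are assumptions. Two details matter for safety: the client label is validated before it is interpolated into the config, since it ends up in server_name and file paths, and the file is written atomically so a reload never sees a half-written config.

```python
import os
import re
import tempfile

# Client labels become part of server_name and of file paths, so they are
# restricted to a hostname-label charset before being interpolated.
CLIENT_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def render_server_block(client, cert_root):
    """One literal server block per client; no variables in the cert paths,
    so nginx can open the files at config load and SNI selects the block."""
    if not CLIENT_RE.match(client):
        raise ValueError(f"refusing to render invalid client label: {client!r}")
    return (
        "server {\n"
        "    listen 443 ssl;\n"
        f"    server_name {client}.sub.domain.com;\n"
        f"    ssl_certificate     {cert_root}/{client}/{client}.crt;\n"
        f"    ssl_certificate_key {cert_root}/{client}/{client}.key;\n"
        "    root /upla/http/www.domain.com;\n"
        "    location / {\n"
        "        try_files $uri /$request_uri =404;\n"
        "    }\n"
        "}\n"
    )


def render_config(whitelist, revoked, cert_root="/etc/nginx/clients"):
    """Regenerate the whole file from the current whitelist minus revoked labels;
    revocation is then simply the absence of a server block after reload."""
    active = sorted(set(whitelist) - set(revoked))
    return "\n".join(render_server_block(c, cert_root) for c in active)


def active_server_names(config_text):
    """Check helper: the server_name values present in a rendered config."""
    return re.findall(r"^\s*server_name\s+(\S+);", config_text, re.M)


def write_atomically(path, content):
    """Write to a temp file in the same directory, then rename over the target."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".clients.")
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.replace(tmp, path)
    return path


if __name__ == "__main__":
    # Constructed sample whitelist and revocation list.
    whitelist = ["alice", "bob", "carol"]
    revoked = ["bob"]
    text = render_config(whitelist, revoked)
    out = write_atomically(os.path.join(tempfile.gettempdir(), "clients.conf"), text)
    print(f"wrote {out} with {len(active_server_names(text))} server blocks")
    # A deployment would follow this with `nginx -t` and only then `nginx -s reload`.
```

Running `nginx -t` against the generated file before reloading is the check that catches a missing certificate or key for a client that is on the whitelist but whose files were never issued, which is the same fopen error the original config produced, just at a point where it can be acted on.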