
So nginx-1.15.9 was released very recently with the following change:

Feature: variables support in the "ssl_certificate" and "ssl_certificate_key" directives.

I set up an instance with multiple domains pointing to the following server block. I am using dehydrated to generate the certs automatically and in their own respective folders.

However, despite trying several variations and googling for various solutions, I am not having any success in having the variables in the "ssl_certificate" and "ssl_certificate_key" directives being recognised.

  • Have verified that the certs are generated correctly (with fullchain.pem and privkey.pem)
  • The error I'm getting from navigating to the https URL directly: Secure Connection Failed
  • https works perfectly if I update the "$server_name" to the actual domain folder containing the certs

Appreciate if someone could take a look at my server block to identify what I'm doing wrong or point me in the correct direction. Thank you.

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    root /var/www/html;
    index index.php index.html index.htm;

    server_name _;

    # ssl on;
    ssl_certificate /etc/dehydrated/certs/$server_name/fullchain.pem;
    ssl_certificate_key /etc/dehydrated/certs/$server_name/privkey.pem;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/run/php/php7.2-fpm.sock;
            fastcgi_index index.php;
            include fastcgi_params;
    }

    location ~ /\.ht {
        deny all;
    }
}
shiok
    What's in the error log? – Michael Hampton Mar 05 '19 at 04:01
  • Ah I should have thought of checking the error log to see the output. The error is it not being able to load the certificate. $server_name simply outputs a blank. I just can't figure out what $variable to specify the current domain. I've already tried $uri and $hostname, both not giving the desired output. – shiok Mar 05 '19 at 04:13
  • You should probably read [this](https://serverfault.com/a/706439/126632). – Michael Hampton Mar 05 '19 at 04:17
  • Thanks for the link Michael. I'm actually referring to this [list](https://nginx.org/en/docs/http/ngx_http_core_module.html#variables) but I've tried $host, $server_name, $http_host to no avail. Am I not understanding them correctly but I can't seem to find the $variable to specify the actual current domain name being served. – shiok Mar 05 '19 at 04:23
  • `$host` should be it. I wouldn't expect `$server_name` to be useful, since you aren't likely to have a certificate named `_`. Maybe this feature doesn't actually work yet? – Michael Hampton Mar 05 '19 at 04:26
  • This person [managed to get it to work](https://jeremyfelt.com/2019/02/28/variable-ssl-certificate-directives-in-nginx/) and he used $server_name. I tried reaching out to him but couldn't get a reply so I assume he does not want to be bothered. – shiok Mar 05 '19 at 04:33
  • I notice that [the documentation](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate) uses `$ssl_server_name` which may be available earlier in the handshake. – Richard Smith Mar 05 '19 at 10:01

1 Answer


Make sure you are using $ssl_server_name instead of $server_name and that Nginx has read-access to your certificates.

I've made a full write-up using LetsEncrypt. In your case it would look like this:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    root /var/www/html;
    index index.php index.html index.htm;

    server_name _;

    # ssl on;
    ssl_certificate /etc/dehydrated/certs/$ssl_server_name/fullchain.pem;
    ssl_certificate_key /etc/dehydrated/certs/$ssl_server_name/privkey.pem;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/run/php/php7.2-fpm.sock;
            fastcgi_index index.php;
            include fastcgi_params;
    }

    location ~ /\.ht {
        deny all;
    }
}
oky
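The answer's two conditions (use `$ssl_server_name`, and make sure the worker can read the certificates) are easy to get wrong silently: `$ssl_server_name` is simply the name the client put in its SNI extension, and a dehydrated folder that does not exist, or a key the worker cannot open, shows up only as "Secure Connection Failed" on the client and a load error in nginx's error log. The script below is an added example, not code from the question, the answer or the dehydrated project. It models the same decision nginx makes when it expands the variable: given an SNI value and the set of per-domain folders that actually exist, pick a folder (a constructed hostname regex rejects anything that is not a plain hostname, and a `default` folder, an assumed name, is used when nothing matches), and then audits a chosen folder for the `fullchain.pem`/`privkey.pem` layout the question relies on, checking readability for the worker's uid/gid and flagging a world-readable private key. The demo layout it builds in a temporary directory is constructed and contains placeholder text, not real keys.

```python
import os
import re
import stat
import tempfile

# Shape of a hostname as a client presents it in TLS SNI (RFC 1123 labels):
# lowercase letters, digits and hyphens, dot-separated, no empty labels.
# Constructed for this example; it is not something nginx applies itself.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$"
)


def select_cert_dir(sni_name, available_dirs, fallback="default"):
    """Pick the per-domain folder for a handshake.

    sni_name       -- what nginx exposes as $ssl_server_name ("" if the client sent no SNI)
    available_dirs -- names of the folders that exist under the dehydrated certs base dir
    fallback       -- folder holding the certificate served when nothing matches (assumed name)
    """
    name = (sni_name or "").strip().lower().rstrip(".")
    if _HOSTNAME_RE.match(name) and name in available_dirs:
        return name
    return fallback


def _readable_by(st, uid, gid):
    # Owner, group or other read bit, whichever applies to the worker identity.
    # Assumption: supplementary groups are ignored; root bypasses mode bits.
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def audit_cert_dir(base_dir, domain, uid, gid):
    """Return a list of problems with <base_dir>/<domain>; an empty list means usable."""
    problems = []
    base = os.path.realpath(base_dir)
    folder = os.path.realpath(os.path.join(base, domain))
    # Refuse a domain value that resolves outside the certs tree.
    if not folder.startswith(base + os.sep):
        return ["certificate folder resolves outside %s" % base]
    for fname in ("fullchain.pem", "privkey.pem"):
        path = os.path.join(folder, fname)
        if not os.path.isfile(path):
            problems.append("%s: missing" % fname)
            continue
        st = os.stat(path)  # follows the symlinks dehydrated creates
        if not _readable_by(st, uid, gid):
            problems.append("%s: not readable by uid %d" % (fname, uid))
        if fname == "privkey.pem" and st.st_mode & stat.S_IROTH:
            problems.append("privkey.pem: world-readable")
    return problems


def demo_audit():
    """Build a constructed certs tree in a temp dir and audit three folders."""
    uid, gid = os.getuid(), os.getgid()
    results = {}
    with tempfile.TemporaryDirectory() as base:
        good = os.path.join(base, "example.com")
        os.mkdir(good)
        for fname, mode in (("fullchain.pem", 0o644), ("privkey.pem", 0o600)):
            path = os.path.join(good, fname)
            with open(path, "w") as fh:
                fh.write("-----CONSTRUCTED PLACEHOLDER, NOT A REAL PEM-----\n")
            os.chmod(path, mode)
        results["good"] = audit_cert_dir(base, "example.com", uid, gid)

        # Folder with a world-readable key and no chain file.
        leaky = os.path.join(base, "leaky.example")
        os.mkdir(leaky)
        key = os.path.join(leaky, "privkey.pem")
        with open(key, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(key, 0o644)
        results["leaky"] = audit_cert_dir(base, "leaky.example", uid, gid)

        results["missing"] = audit_cert_dir(base, "nosuch.example", uid, gid)
        results["escape"] = audit_cert_dir(base, "../", uid, gid)
    return results


if __name__ == "__main__":
    known = {"example.com", "www.example.com"}
    for sni in ("example.com", "WWW.Example.com.", "", "_", "../example.com"):
        print("%-18r -> %s" % (sni, select_cert_dir(sni, known)))
    for label, problems in demo_audit().items():
        print("%-8s %s" % (label, problems or "ok"))
```

`select_cert_dir` returns the fallback for an empty SNI, for `_` (which is why the question's `$server_name` could never name a folder) and for anything containing path separators, so the fallback certificate is what a non-SNI client or a probe gets rather than a handshake failure. Run the audit as the user nginx workers run as (or pass that user's uid/gid) from the same machine, since it only reports what the filesystem says about that identity.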