VHost Templates with SSL certificates

markc

New Member
#1
I have a Template set up and in the "SSL -> Private Key File" section I have /etc/ssl/$VH_NAME/privkey.pem and added a member virtual host but the default SSL certificate applied from the SSL listener always comes up. Is it possible to use $VH_NAME (or $VH_DOMAIN) as part of a "Private Key File" entry in a template?

If not then what is the best practice for applying "dynamic" SSL certificates per member vhost when using VHost Templates?

The only thing I can think of is to use dedicated vhost entries with a hard-wired path to the certificates but then what is the point of using templates if you can't "dynamically" declare a different certificate per vhost?
 

Cold-Egg

Administrator
#2
Hi,

Virtual host or template should be able to overwrite the listener's certificate. Can you try restarting the web server and check it again in an incognito browser?
 

markc

New Member
#3
Yes, a "Virtual Hosts" entry will override the listener's certificate but, so far, I can't get a templated vhost member to pick up the $VH_NAME-defined certificate paths. The Templates -> Member Virtual Hosts -> SSL -> Private Key File (for example) of /etc/ssl/$VH_NAME/privkey.pem should work, I would expect, unless using $VH_NAME is not allowed for that setting?

For Nginx, all certificate paths have to be hardwired (using config vars won't work) because the certificates need to be available at the beginning of the https request before SNI/vhost magic can work and figure out which vhost is involved. If the same situation exists for OpenLiteSpeed then I can understand why it might not work, but then this would render the entire vhost template concept useless for https vhosts.

EDIT: in conf/httpd_config.conf, this does not work, but if I uncomment the hardwired example.com lines then it does work. So a $VH_NAME variable does not work in a listener's SSL config. I know this is not the Template config; I just wanted to confirm this point for a listener one way or another.

Code:
serverName                example.com
listener SSL {
  address                 *:443
  secure                  1
  keyFile                 /etc/ssl/$VH_NAME/privkey.pem
  certFile                /etc/ssl/$VH_NAME/fullchain.pem
#  keyFile                 /etc/ssl/example.com/privkey.pem
#  certFile                /etc/ssl/example.com/fullchain.pem
  certChain               1
}
Doh! This works, even when using only Member Virtual Hosts -> Virtual Host Name with an empty Domain Name column...
Code:
  keyFile                 /etc/ssl/$VH_DOMAIN/privkey.pem
  certFile                /etc/ssl/$VH_DOMAIN/fullchain.pem
 

Cold-Egg

Administrator
#4
I just tested ACME cert apply and set `/root/.acme.sh/certs/$VH_NAME/$VH_NAME.key` in the template and it works.
Here's my config:
Code:
    <vhssl>
      <keyFile>/root/.acme.sh/certs/$VH_NAME/$VH_NAME.key</keyFile>
      <certFile>/root/.acme.sh/certs/$VH_NAME/fullchain.cer</certFile>
      <certChain>1</certChain>
    </vhssl>
 

markc

New Member
#5
Is that definitely in one of your template config files?
Code:
~ grep -A4 vhssl /usr/local/lsws/conf/templates/vhosts.conf
  vhssl  {
    keyFile               /etc/ssl/$VH_DOMAIN/privkey.pem
    certFile              /etc/ssl/$VH_DOMAIN/fullchain.pem
    certChain             1
  }
If I use $VH_NAME instead of $VH_DOMAIN above then SSL for the member vhost entries does not work for me.
 
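The posts above show that a templated vhssl block with placeholder paths either picks up the right certificate or silently falls back to the listener's default one, and the difference only shows up in the browser. As an added example (not from this thread and not part of OpenLiteSpeed), the script below expands the $VH_NAME / $VH_DOMAIN placeholders of a template's vhssl block for each member vhost and checks, before you restart lsws, that the resulting files exist, that the private key belongs to the certificate, that the certificate actually names the member's domain, and that the key is not world-readable. It assumes the plain-text `vhssl { keyFile ... certFile ... }` layout shown in post #5, an `openssl` binary on PATH, and a member list in `name:domain` form, which is this script's own convention rather than anything OpenLiteSpeed reads.

```shell
#!/bin/bash
# Added example, not OpenLiteSpeed code: pre-restart check of templated
# vhssl paths. Member list format "name:domain" is this script's convention.
set -u

# Read keyFile/certFile from the first "vhssl { ... }" block of a template,
# substitute $VH_NAME and $VH_DOMAIN, and print "<key> <cert>" on one line.
# Paths containing spaces are not supported (they are split on output).
expand_vhssl() {
    local tmpl=$1 name=$2 domain=$3 key cert
    key=$(sed -n '/^[[:space:]]*vhssl[[:space:]]*{/,/^[[:space:]]*}/s/^[[:space:]]*keyFile[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$tmpl" | head -n 1)
    cert=$(sed -n '/^[[:space:]]*vhssl[[:space:]]*{/,/^[[:space:]]*}/s/^[[:space:]]*certFile[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$tmpl" | head -n 1)
    key=${key//\$VH_NAME/$name};   key=${key//\$VH_DOMAIN/$domain}
    cert=${cert//\$VH_NAME/$name}; cert=${cert//\$VH_DOMAIN/$domain}
    printf '%s %s\n' "$key" "$cert"
}

# Does the private key correspond to the certificate's public key?
# Compares the SubjectPublicKeyInfo PEM derived from each side (RSA or EC).
key_matches_cert() {
    local key=$1 cert=$2 a b
    a=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    b=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Does the certificate name the domain, either as a SAN DNS entry or as the
# subject CN? The domain is matched as a whole label sequence, so a cert for
# "example.com" does not satisfy a check for "ample.com".
cert_covers_domain() {
    local cert=$1 domain=$2 txt esc
    txt=$(openssl x509 -in "$cert" -noout -subject -text 2>/dev/null) || return 1
    esc=${domain//./\\.}
    printf '%s\n' "$txt" | grep -Eq "(DNS:|CN ?= ?)${esc}([,/ ]|$)"
}

# Check every "name:domain" member in $2 against template $1. Prints one
# line per member and returns 0 only if every member passes.
check_members() {
    local tmpl=$1 members=$2 rc=0 name domain key cert
    while IFS=: read -r name domain; do
        [ -n "$name" ] || continue
        read -r key cert < <(expand_vhssl "$tmpl" "$name" "$domain")
        if [ ! -r "$key" ] || [ ! -r "$cert" ]; then
            echo "FAIL $name: missing $key or $cert (listener default would be served)"; rc=1
        elif ! key_matches_cert "$key" "$cert"; then
            echo "FAIL $name: $key does not match $cert"; rc=1
        elif ! cert_covers_domain "$cert" "$domain"; then
            echo "FAIL $name: $cert does not name $domain"; rc=1
        elif [ "$(ls -l "$key" | cut -c8)" != "-" ]; then
            echo "FAIL $name: $key is world-readable"; rc=1
        else
            echo "OK   $name -> $cert"
        fi
    done < "$members"
    return $rc
}

# Usage: check_vhssl.sh /usr/local/lsws/conf/templates/vhosts.conf members.txt
if [ "$#" -eq 2 ]; then
    check_members "$1" "$2"
fi
```

Run it with the same template file the thread greps (`conf/templates/vhosts.conf`) and a members file listing each Member Virtual Host's name and domain; a FAIL on the missing-file branch is exactly the case where OLS would fall back to the listener's certificate, so it is worth wiring into whatever deploys new ACME certificates.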

edan

New Member
#7
Hi, I am also having a problem putting a relative path in the SSL on the listener section. I can have it at the vhost level of the SSL, but not at the listener; I had to put the full path of the cert/key files. Can anyone assist?
 