Is this %1 field based on the hostname requested by the client? If so, I doubt it would be available in the same form for certificates because some clients don’t send any hostname at the TLS layer.
Yes, as described in https://httpd.apache.org/docs/2.2/mod/mod_vhost_alias.html - this is derived from the requested URI, more precisely the hostname part.
When this occurs, we are on the http layer - this is an http request, and the server, at this point, knows the request and parses that into a path/filename.
So, it is not failing because of a lack of servername info.
It is perfectly possible that I'm missing something here - but:
Can we agree that
in a virtual host scenario,
the http server picks the appropriate SSL cert based on the http request, as the cert is domain/host specific.
So, at this point, the http server knows the http request - else the whole vhost_alias would have to fail - which it does not.
Yes, you’re missing something indeed. Apache is indeed able to differentiate between name based virtualhosts, also with TLS capabilities. But different from the non-TLS situation, it doesn’t use the HTTP Host header for that feature. It’s called Server Name Indication and is part of SSL/TLS, not HTTP. And not every OS/client combination is equipped with that feature, as @schoen already pointed out.
Of course, you might argue why mod_ssl wouldn't use SNI for dynamic certificate loading, but that's not how mod_ssl works. As far as I know, all the TLS related directives are parsed at the start of Apache, not per connection.
As Apache is open source however, you might want to code a patch if you really want dynamic certificate loading! Happy coding
hehe - now we are talking - yes, I am aware I am not the first person who would wanna code a bridge between SNI and mod_ssl.
However, while I agree with what you say, I don't think it addresses my question - which in fact is only about dynamically finding a path to a file, based on info that the httpd server obviously has at that point in time, as it can determine the document root based on that.
I'll experiment with this a bit more and maybe be able to explain better.
Thanks for the pointers @Osiris and @schoen -
they helped me find a solution which is almost what I wanted.
mod_vhost_alias does the dynamic stuff, while I have to script Virtual Hosts including certs at startup.
(I might try mod_macro to do this more elegantly.)
I guess the crucial point is really this:
While I have access to %0 per connection, obviously I don't have that at startup,
but at least I now have all domains on one IP, and mod_vhost_alias co-existing with LE.
That's good already.
thank you again.
s.
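The "script Virtual Hosts including certs at startup" approach described in the post above, as an added example (not the poster's own script): one `<VirtualHost *:443>` is rendered per domain with a fixed certificate path, since mod_ssl reads `SSLCertificateFile` at startup, while `VirtualDocumentRoot` still uses `%0` per request. The certificate layout (`/etc/letsencrypt/live/<domain>/fullchain.pem` and `privkey.pem`) and the `/var/www/<domain>/htdocs` layout are assumptions; the script refuses to render a vhost whose cert or key is missing so Apache never starts with a silently broken listener.

```shell
#!/bin/sh
# Render per-domain TLS VirtualHost blocks for Apache at startup.
# Assumed layouts (adjust via environment): Let's Encrypt "live" directory
# for certs, /var/www/<domain>/htdocs for document roots.
CERT_ROOT="${CERT_ROOT:-/etc/letsencrypt/live}"
DOC_ROOT="${DOC_ROOT:-/var/www}"

# render_vhost DOMAIN
# Prints one <VirtualHost *:443> block for DOMAIN on stdout.
# Returns 1 (printing nothing) when the cert or key is not readable,
# so a missing certificate is caught before httpd is started.
render_vhost() {
  domain="$1"
  cert="$CERT_ROOT/$domain/fullchain.pem"
  key="$CERT_ROOT/$domain/privkey.pem"
  if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
    echo "render_vhost: missing cert or key for $domain" >&2
    return 1
  fi
  cat <<EOF
<VirtualHost *:443>
    ServerName $domain
    UseCanonicalName Off
    # %0 is the full requested hostname, resolved per request by mod_vhost_alias
    VirtualDocumentRoot $DOC_ROOT/%0/htdocs
    SSLEngine on
    # cert paths must be literal: mod_ssl loads them at startup, not per connection
    SSLCertificateFile $cert
    SSLCertificateKeyFile $key
</VirtualHost>

EOF
}

# render_all DOMAIN...
# Renders every domain; the first one listed becomes Apache's default vhost
# for *:443, i.e. the one that answers clients that send no SNI at all.
# Returns 1 if any domain could not be rendered.
render_all() {
  status=0
  for d in "$@"; do
    render_vhost "$d" || status=1
  done
  return $status
}

# Usage: CERT_ROOT=/etc/letsencrypt/live ./gen-vhosts.sh a.example b.example > /etc/apache2/sites-available/tls-vhosts.conf
if [ $# -gt 0 ]; then
  render_all "$@"
fi
```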
Just wanting to know what your final fix was.
I too have mod_vhost_alias doing the dynamic stuff by VirtualDocumentRoot, but I’m not quite following what you have done with the certs and Virtual Hosts.
Were you able to use %0 to specify the cert path per connection?