Apache Module mod_vhost_alias & LE

Hi all,

I'm really happy using LE, except that I can't get it to work for mass hosting servers,
where I'm using
Apache Module mod_vhost_alias
https://httpd.apache.org/docs/2.2/mod/mod_vhost_alias.html

Doc roots are constructed like this:

VirtualDocumentRoot /var/www/sites/%-1/%-2+/html

Q: is there a way to assign certificates in a similar way, like so:

SSLCertificateFile /etc/letsencrypt/live/%0/cert.pem

I know how to make LE certs work for VirtualHosts manually; however, it would be great to be able to automate this.

Grateful for any pointers,

Sebastian

Is this %1 field based on the hostname requested by the client? If so, I doubt it would be available in the same form for certificates because some clients don’t send any hostname at the TLS layer.

Yes, as described in https://httpd.apache.org/docs/2.2/mod/mod_vhost_alias.html, this is derived from the requested URI, more precisely the hostname part.
When this occurs, we are on the HTTP layer: this is an HTTP request, and the server, at this point, knows the request and parses it into a path/filename.
So it is not failing because of a lack of servername info.

You do realise the HTTP layer is only applicable after the TLS layer has been established?

It is perfectly possible that I'm missing something here, but:

Can we agree that,
in a virtual host scenario,
the HTTP server picks the appropriate SSL cert based on the HTTP request, as the cert is domain/host specific?
So, at this point, the HTTP server knows the HTTP request; otherwise the whole vhost_alias would have to fail, which it does not.

Yes, you’re missing something indeed. Apache is indeed able to differentiate between name based virtualhosts, also with TLS capabilities. But different from the non-TLS situation, it doesn’t use the HTTP Host header for that feature. It’s called Server Name Indication and is part of SSL/TLS, not HTTP. And not every OS/client combination is equipped with that feature, as @schoen already pointed out.

Of course, you might argue why mod_ssl wouldn't use SNI for dynamic certificate loading, but that's not how mod_ssl works. As far as I know, all the TLS related directives are parsed at the start of Apache, not per connection.

As Apache is open source however, you might want to code a patch if you really want dynamic certificate loading! Happy coding :smile:

Hehe, now we are talking. Yes, I am aware I am not the first person who would want to code a bridge between SNI and mod_ssl. :slight_smile:

However, while I agree with what you say, I don't think it addresses my question, which in fact is only about dynamically finding a path to a file, based on info that the httpd server obviously has at that point in time, as it can determine the document root based on it.
I'll experiment with this a bit more and maybe be able to explain it better.

[Almost SOLVED]

Thanks for the pointers @Osiris and @schoen;
they helped me find a solution which is almost what I wanted.
mod_vhost_alias does the dynamic stuff, while I have to script the VirtualHosts including certs at startup.
(I might try mod_macro to do this more elegantly.)

I guess the crucial point is really this:

While I have access to %0 per connection, obviously I don't have that at startup. :slightly_smiling:

But at least I now have all domains on one IP, and mod_vhost_alias co-existing with LE.
That's good already.
Thank you again.
s.
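The "script the VirtualHosts including certs at startup" step described above, as an added example that is not the poster's script: it walks the Let's Encrypt live/ directory, emits one `<VirtualHost *:443>` per domain whose `cert.pem`, `privkey.pem` and `chain.pem` are all present, skips half-issued or removed ones so a missing file cannot stop Apache from starting, and keeps mod_vhost_alias's `VirtualDocumentRoot` for the document root. Since Apache hands the first vhost on an address:port to clients that send no SNI, a chosen domain is emitted first. The live/ layout, the docroot pattern from the first post and the function names are assumptions; the `demo()` input is a constructed temp directory.

```python
"""Generate per-domain <VirtualHost *:443> blocks from /etc/letsencrypt/live/.

Added example, not from the thread. Assumes Let's Encrypt's live/<domain>/
layout (cert.pem, privkey.pem, chain.pem) and an Apache with mod_ssl and
mod_vhost_alias loaded. Write the output to a conf file at startup and run
`apachectl -t` before (re)loading."""
import os
import tempfile

REQUIRED = ("cert.pem", "privkey.pem", "chain.pem")

VHOST_TEMPLATE = """\
<VirtualHost *:443>
    ServerName {domain}
    UseCanonicalName Off
    # mod_vhost_alias still derives the document root per request
    VirtualDocumentRoot {docroot}
    SSLEngine on
    SSLCertificateFile {live}/{domain}/cert.pem
    SSLCertificateKeyFile {live}/{domain}/privkey.pem
    SSLCertificateChainFile {live}/{domain}/chain.pem
</VirtualHost>
"""


def complete_domains(live_dir):
    """Return (ok, skipped): subdirectories of live_dir that hold all three
    PEM files, and those that do not (partial issuance, revoked, removed)."""
    ok, skipped = [], []
    for name in sorted(os.listdir(live_dir)):
        d = os.path.join(live_dir, name)
        if not os.path.isdir(d):
            continue
        missing = [f for f in REQUIRED if not os.path.isfile(os.path.join(d, f))]
        (skipped if missing else ok).append(name)
    return ok, skipped


def render_config(live_dir, docroot, default_domain=None):
    """Emit one vhost per complete domain. The first <VirtualHost> on *:443 is
    the one Apache uses for clients that send no SNI, so default_domain (if
    given and complete) is emitted first."""
    ok, skipped = complete_domains(live_dir)
    if default_domain in ok:
        ok.remove(default_domain)
        ok.insert(0, default_domain)
    blocks = [VHOST_TEMPLATE.format(domain=d, live=live_dir, docroot=docroot)
              for d in ok]
    return "".join(blocks), skipped


def demo():
    """Build a constructed live/ tree in a temp directory and render it:
    two complete domains and one that only has cert.pem."""
    tree = {"a.example": REQUIRED, "b.example": REQUIRED,
            "broken.example": ("cert.pem",)}
    with tempfile.TemporaryDirectory() as root:
        for dom, files in tree.items():
            os.makedirs(os.path.join(root, dom))
            for f in files:
                open(os.path.join(root, dom, f), "w").close()
        return render_config(root, "/var/www/sites/%-1/%-2+/html",
                             default_domain="b.example")


if __name__ == "__main__":
    conf, skipped = demo()
    print(conf)
    print("skipped (incomplete certificate directories):", skipped)
```

In production, point `render_config` at `/etc/letsencrypt/live`, and check the skipped list in the startup script's log: a domain that silently drops out of the generated config will be served with the default vhost's certificate, which clients will reject.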

Hi @sebastianb,

Just wanting to know what your final fix was.
I too have mod_vhost_alias doing the dynamic stuff by VirtualDocumentRoot, but I’m not quite following what you have done with the certs and Virtual Hosts.
Were you able to use %0 to specify the cert path per connection?

Could you enlighten me please.

Thanks,