Lighttpd

am I doing something wrong?

Did you share what you are doing? How to get help

The documentation is correct in both places. Still, I have adjusted Docs_SSL to try to make it clearer for the default use case.

(If you need different certs on different ports for the same SNI hostname, then $SERVER["socket"] conditionals must be used to differentiate, but that is not a common use case.)

gstrauss wrote in RE: TLS per vhost and SNI:

am I doing something wrong?

Did you share what you are doing? How to get help

Alright I should clarify exactly what I did.

Intention: to have 2 virtual hosts with different domains on the same IP (test-1.com and test2.com). Both domains should have their own SSL certificates.

What I did: Following the vhosts.template I declare the domains test-1.com and test-2.com and the location of their certificates. Following the information in the default lighttpd.conf I also add the following lines to lighttpd.com

#### lighttpd.conf
server.modules += ( "mod_openssl" )
$SERVER["socket"] == "*:443" {
  ssl.engine  = "enable" 
  ssl.privkey = "/path/to/privkey.pem" 
  ssl.pemfile = "/path/to/fullchain.pem" 
}

#### test-1.conf
$HTTP["host"] == "test-1.com" {
  var.server_name = "test-1.com"" 
  server.name = server_name
  server.document-root = vhosts_dir + "/web/" + server_name + "/htdocs" 

  ssl.pemfile = vhosts_dir + "/web/" + server_name + "/certs/fullchain1.pem" 
  ssl.privkey = vhosts_dir + "/web/" + server_name + "/certs/privkey1.pem" 

  accesslog.filename          = log_root + "/" + server_name + "/access.log" 
  server.errorlog             = log_root + "/" + server_name + "/error.log" 
}

Outcome: as mentioned in the documentation `https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL#SSL-on-multiple-domains`, when visiting test-1.com or test-2.com the browser is served the certificate declared in the lighttpd.conf instead of the one declared in the vhost config file, causing a browser warning.

What instead I should have done (according to my understanding): following the documentation linked above, in lighttpd.conf do the following

$SERVER["socket"] == "*:443" {
  ssl.engine  = "enable" 
  ssl.privkey = "/path/to/privkey.pem" 
  ssl.pemfile = "/path/to/fullchain.pem" 

  $HTTP["host"] == "test-1.com" {
    ssl.privkey = "/path/to/privkey1.pem" 
    ssl.pemfile = "/path/to/fullchain1.pem" 
  }
  $HTTP["host"] == "test-2.com" {
    ssl.privkey = "/path/to/privkey2.pem" 
    ssl.pemfile = "/path/to/fullchain2.pem" 
  }
}

If this is the correct course of action, I think the vhost.template is confusing.

If it is necessary to use the conditional `$SERVER["socket"] == "*:443"` a second time within the scope of the vhost declaration it should be noted explicitly, perhaps by including it in the vhost template.

You presumed the documentation was wrong. It was not and is not wrong. The distinction is not meaningful if you have a single TLS socket on port 443.

am I doing something wrong?

Very likely.

You failed to follow the instructions in How to get help

My guess is that your lighttpd config did not include your vhosts.template file or wherever you put that part of your intended config.

I must apologize, I was frustrated and confused.

I tried to reconfigure from scratch and realized the documentation is not misleading at all and that I just must have made some mistake beforehand that I can't even replicate any longer.

Though my current configuration may not be optimal, it does exactly what I need it to do.

If anybody ever sees the previous post, please disregard it, it is bad. Follow the information inside the default lighttpd.conf and vhost.template instead