Bug #3200

closed

Correct SSL SNI config produces errors in log

Added by slawomir.pryczek about 1 year ago. Updated about 1 year ago.

Status: Duplicate
Priority: Normal
Category: -
Target version: -
ASK QUESTIONS IN Forums: No

Description

Hello, I have noticed some weird lighttpd behaviour when configuring SNI SSL.

$SERVER["socket"] == "0.0.0.0:443" {
        include "/etc/lighttpd/ssl-common.conf"
        ssl.pemfile = "/etc/lighttpd/ssl.d/wildcard.xxx.com.pem"
        ssl.ca-file = "/etc/lighttpd/ssl.d/xxx.crt"

        $HTTP["host"] == "ad.tubeadnetwork.com" {
            ssl.pemfile = "/etc/letsencrypt/live/yyy.com/haproxy.pem"
            ssl.ca-file = "/etc/letsencrypt/live/yyy.com/fullchain.pem"
        }
}

Both certificates on xxx.com (wildcard) and yyy.com (letsencrypt) work as expected. However, when running lighttpd -tt -f lighttpd.conf I'm getting:

ssl.pemfile is valid only in global scope or $SERVER["socket"] condition

The same is true when starting the server. I'm getting the same error from mod_openssl.c.2532; however, everything works correctly.


Related issues 1 (0 open, 1 closed)

Is duplicate of Bug #3182: Test config reports invalid ssl.pemfile in $HTTP["host"] condition (Fixed)
Actions #1

Updated by slawomir.pryczek about 1 year ago

Version: 1.4.68

Actions #2

Updated by gstrauss about 1 year ago

  • Status changed from New to Duplicate

ssl.pemfile is valid only in global scope or $SERVER["socket"] condition

Fixed in lighttpd 1.4.69. See #3182


Separately, please review Docs_SSL.

You have not shared "/etc/lighttpd/ssl-common.conf" and probably have not read Docs_SSL in many years.
You should put include "/etc/lighttpd/ssl-common.conf" in the global scope and the settings will be inherited by $SERVER["socket"] conditions.

ssl.ca-file is deprecated, as it is often misunderstood and uses a misfeature of openssl.
You should prefer
ssl.pemfile = "/path/to/fullchain.pem"
ssl.privkey = "/path/to/privkey.pem"
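
The layout recommended in the comment above, written out as an added example (not the reporter's config and not a file from the lighttpd project); hostnames and paths are placeholders, and the deprecated ssl.ca-file form is left beside its replacement for comparison:

```lighttpd
# Added example, not the reporter's or the project's own configuration.
# Global scope: these settings are inherited by every $SERVER["socket"] block.
server.modules += ( "mod_openssl" )

# Default certificate for the wildcard name (placeholder paths).
# Full chain in ssl.pemfile, private key in ssl.privkey.
ssl.pemfile = "/etc/lighttpd/ssl.d/wildcard.example.com.fullchain.pem"
ssl.privkey = "/etc/lighttpd/ssl.d/wildcard.example.com.privkey.pem"

# Deprecated form this replaces (kept only for comparison; do not combine):
#   ssl.pemfile = "/etc/lighttpd/ssl.d/wildcard.example.com.pem"
#   ssl.ca-file = "/etc/lighttpd/ssl.d/example.com.crt"

$SERVER["socket"] == "0.0.0.0:443" {
    # ssl.engine stays in the socket block so plain-HTTP sockets are unaffected.
    ssl.engine = "enable"

    # SNI: a different certificate for one hostname (placeholder name/paths),
    # again as full chain plus separate private key rather than ssl.ca-file.
    $HTTP["host"] == "ad.example.com" {
        ssl.pemfile = "/etc/letsencrypt/live/ad.example.com/fullchain.pem"
        ssl.privkey = "/etc/letsencrypt/live/ad.example.com/privkey.pem"
    }
}
```

Check the result with lighttpd -tt -f /etc/lighttpd/lighttpd.conf; on 1.4.69 or later the ssl.pemfile-in-$HTTP["host"] warning from #3182 no longer appears for this layout.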

Actions #3

Updated by gstrauss about 1 year ago

  • Is duplicate of Bug #3182: Test config reports invalid ssl.pemfile in $HTTP["host"] condition added
Actions #4

Updated by gstrauss about 1 year ago

  • Target version deleted (1.4.xx)