support per-vhost certs in mod_vhost_ldap

[quentin]

Per help.mit.edu 569297, we should support per-vhost certificates by adding code to mod_vhost_ldap

[ Note that the status quo is that per-vhost certs are stored in LDAP, and then exported to disk by /etc/httpd/export-scripts-certs. The goal is to remove that "export to disk" stage. ]

[price]

I requested an OID from jis, which will enable us to extend the LDAP schema as necessary.

(The mail was cc'd to s-m-r.)

[andersk]

Also ​645078.

[presbrey]

Depends: #55.

[andersk]

#55 is unrelated. (This ticket is about supporting certificates for Joe Random Scripts User's vhost, hostname.mit.edu. Barring a minor miracle, we’re never going to be able to obtain or manage enough IP addresses to do this using IP virtual hosting as in #55.)

[presbrey]

Without separate IPs, only browsers supporting SNI can ever benefit from this per-vhost certificates. To address this issue, as in #55, I think this fix should also include support for supporting per-vhost IPs even if only some people get them. For example, SIPB services running on scripts.

[adehnert]

This is currently handled using reified vhosts, right?

[andersk]

Yes. This ticket about handling it in mod_vhost_ldap instead so we don’t need to reify vhosts (and so that eventually we’ll be able to automate much more of the process).

[andersk]

Here are some of the Apache hooks we’ll need:

​https://github.com/andersk/httpd/commits/vhost-hooks

[andersk]

And my mod_vhost_ldap implementation of that hook seems to be working:

​​https://github.com/andersk/mod-vhost-ldap/commits/vhost-hooks

Now we just need the the inline string syntax for SSLCertificateFile that achernya and davidben are working on.