Opened 13 years ago

Last modified 21 months ago

#52 new enhancement

support per-vhost certs in mod_vhost_ldap

Reported by: quentin Owned by:
Priority: minor Milestone:
Component: web Keywords:

Description (last modified by adehnert)

Per 569297, we should support per-vhost certificates by adding code to mod_vhost_ldap

[ Note that the status quo is that per-vhost certs are stored in LDAP, and then exported to disk by /etc/httpd/export-scripts-certs. The goal is to remove that "export to disk" stage. ]

Change History (11)

comment:1 Changed 13 years ago by price

I requested an OID from jis, which will enable us to extend the LDAP schema as necessary.

(The mail was cc'd to s-m-r.)

comment:2 Changed 13 years ago by andersk

Also 645078.

comment:3 Changed 13 years ago by presbrey

Depends: #55.

comment:4 Changed 13 years ago by andersk

#55 is unrelated. (This ticket is about supporting certificates for Joe Random Scripts User's vhost, Barring a minor miracle, we’re never going to be able to obtain or manage enough IP addresses to do this using IP virtual hosting as in #55.)

comment:5 Changed 13 years ago by presbrey

Without separate IPs, only browsers supporting SNI can ever benefit from this per-vhost certificates. To address this issue, as in #55, I think this fix should also include support for supporting per-vhost IPs even if only some people get them. For example, SIPB services running on scripts.

comment:6 Changed 11 years ago by adehnert

This is currently handled using reified vhosts, right?

comment:7 Changed 11 years ago by andersk

Yes. This ticket about handling it in mod_vhost_ldap instead so we don’t need to reify vhosts (and so that eventually we’ll be able to automate much more of the process).

comment:8 Changed 10 years ago by ezyang

  • Type changed from defect to enhancement

comment:9 Changed 5 years ago by andersk

Here are some of the Apache hooks we’ll need:

comment:10 Changed 5 years ago by andersk

And my mod_vhost_ldap implementation of that hook seems to be working:

Now we just need the the inline string syntax for SSLCertificateFile that achernya and davidben are working on.

comment:11 Changed 21 months ago by adehnert

  • Description modified (diff)
Note: See TracTickets for help on using tickets.