On Mon, Nov 16, 2020 at 08:44:58PM -0300, Joao Morais wrote:
>
> Hello list, I have a `crt-list` keyword configuring a list of
> crt/keys, something like this:
>
> /tmp/default.pem
> /tmp/a.pem a.local
> /tmp/b.pem b.local
>
> We consider the first line the fallback certificate - that one that
> should be used if everything else fails.
>
> We've however one situation where default.pem is valid for a.local,
> and since default.pem is the first crt due to its fallback status,
> default.pem is used in the handshake instead of a.pem.
>
> Is there a way to configure a certificate to just act as a fallback
> crt? Any other advice here?
>
Unfortunately no, there is no way of configuring a default certificate,
it's always the first certificate declared on a bind line.
In practice the certificate is inserted in 2 places, the default_ctx and
the SNI tree. The default_ctx does not use the filters so it will be
always used as a fallback, however you can still set a filter on this
line so it rewrites its entries in the SNI tree without affecting the
fallback.
/tmp/default.pem !a.local
should work on the first line.
Ideally we need a "crt-fallback" keyword which inserts the crt in the
default_ctx without inserting it in the SNI tree.
--
William Lallemand
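The selection behaviour described in the reply, as an added example that is not part of the thread and not HAProxy's own code. It is a deliberately simplified Python model of a crt-list: the first line becomes the default_ctx fallback whatever its filters, a line without filters registers the names found in the certificate, a line with filters registers only those filter names, and a "!name" filter is an exclusion. The CERT_NAMES table standing in for the CN/SAN names of the PEM files, the two crt-list texts and the exact/wildcard matching rule are all constructed assumptions; real HAProxy reads the names from the PEM and uses its own tree ordering.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed assumption: the names a real certificate would carry in its CN/SAN.
# HAProxy reads these from the PEM; here they are a hard-coded stand-in.
CERT_NAMES = {
    "/tmp/default.pem": ["default.local", "a.local"],  # default.pem is also valid for a.local
    "/tmp/a.pem": ["a.local"],
    "/tmp/b.pem": ["b.local"],
}

# The crt-list from the question (constructed copy) and the same list with the
# negative filter the reply suggests on the first line.
BROKEN_LIST = """/tmp/default.pem
/tmp/a.pem a.local
/tmp/b.pem b.local
"""

FIXED_LIST = """/tmp/default.pem !a.local
/tmp/a.pem a.local
/tmp/b.pem b.local
"""


@dataclass
class SniTree:
    """Simplified model: one fallback context plus positive and negative SNI entries."""
    default_ctx: Optional[str] = None
    # servername -> certificate paths, in insertion order (first inserted wins)
    positive: Dict[str, List[str]] = field(default_factory=dict)
    # servername -> certificate paths explicitly excluded for that name
    negative: Dict[str, Set[str]] = field(default_factory=dict)


def load_crt_list(text: str, cert_names=CERT_NAMES) -> SniTree:
    """Parse crt-list lines of the form '<path> [filter ...]' into an SniTree."""
    tree = SniTree()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # crt-list allows '#' comments
        if not line:
            continue
        path, *filters = line.split()
        if tree.default_ctx is None:
            # First certificate is the fallback regardless of its filters.
            tree.default_ctx = path
        # With filters present only the filter names are registered, so a line
        # carrying only a negative filter adds no positive SNI entry at all.
        names = filters if filters else cert_names[path]
        for name in names:
            if name.startswith("!"):
                tree.negative.setdefault(name[1:].lower(), set()).add(path)
            else:
                tree.positive.setdefault(name.lower(), []).append(path)
    return tree


def select_cert(tree: SniTree, servername: str) -> Optional[str]:
    """Pick the certificate for an SNI name: exact match, then wildcard, then fallback."""
    sn = servername.lower()
    candidates = [sn]
    if "." in sn:
        candidates.append("*." + sn.split(".", 1)[1])  # assumed single-label wildcard rule
    for key in candidates:
        for path in tree.positive.get(key, []):
            if path in tree.negative.get(sn, set()):
                continue  # excluded by a '!name' filter on that certificate's line
            return path
    return tree.default_ctx


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_LIST), ("fixed", FIXED_LIST)):
        tree = load_crt_list(text)
        for name in ("a.local", "b.local", "default.local", "unknown.example"):
            print(f"{label:6} {name:16} -> {select_cert(tree, name)}")
```

Running the block prints that the broken list serves /tmp/default.pem for a.local (it was registered first for that name), while the fixed list serves /tmp/a.pem for a.local and still falls back to /tmp/default.pem for names nobody claims.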