On Tue, Nov 17, 2020 at 09:09:38AM +0100, William Lallemand wrote:
> On Mon, Nov 16, 2020 at 08:44:58PM -0300, Joao Morais wrote:
> >
> > Hello list, I have a `crt-list` keyword configuring a list of
> > crt/keys, something like this:
> >
> > /tmp/default.pem
> > /tmp/a.pem a.local
> > /tmp/b.pem b.local
> >
> > We consider the first line the fallback certificate - that one that
> > should be used if everything else fails.
> >
> > We've however one situation where default.pem is valid for a.local,
> > and since default.pem is the first crt due to its fallback status,
> > default.pem is used in the handshake instead of a.pem.
> >
> > Is there a way to configure a certificate to just act as a fallback
> > crt? Any other advice here?
> >
>
> Unfortunately no, there is no way of configuring a default certificate,
> it's always the first certificate declared on a bind line.
>
> In practice the certificate is inserted in 2 places, the default_ctx and
> the SNI tree. The default_ctx does not use the filters so it will be
> always used as a fallback, however you can still set a filter on this
> line so it rewrites its entries in the SNI tree without affecting the
> fallback.
>
> /tmp/default.pem !a.local
>
> should work on the first line.
>
> Ideally we need a "crt-fallback" keyword which inserts the crt in the
> default_ctx without inserting it in the SNI tree.
>
You could also do

/tmp/default.pem !*

That will ignore the creation of the SNI entries.

-- 
William Lallemand
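As an added illustration (not part of the thread, and not a configuration from either poster), here is what the complete crt-list file looks like once William's `!*` suggestion is applied to Joao's three-line example. The file path, the bind line mentioned below, and the comments are assumptions for the example; the certificate paths and SNI names are the ones from the thread.

```haproxy
# /etc/haproxy/crt-list.txt  (path is an assumption for this example)
#
# The first line is always the fallback certificate (loaded into
# default_ctx). The "!*" filter suppresses every SNI-tree entry for it,
# so a ClientHello for a.local can only match a.pem even though
# default.pem would also be valid for that name. Filters never affect
# the default_ctx, so default.pem still serves clients that send no SNI
# or an SNI that nothing else matches.
/tmp/default.pem !*

# Per-name certificates, each restricted to its own SNI filter.
/tmp/a.pem a.local
/tmp/b.pem b.local
```

The file is referenced from the listener with a line such as `bind :443 ssl crt-list /etc/haproxy/crt-list.txt` (port and path assumed). A practical check after reloading is to connect once with `-servername a.local` and once with no SNI at all using `openssl s_client` and compare the subject of the certificate returned: the first should be a.pem, the second default.pem. The narrower `!a.local` form from the earlier reply only removes the one overlapping entry; `!*` removes the fallback certificate from SNI matching entirely, which is usually what a "fallback only" certificate is meant to do.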

