ACME: allow empty list of identifiers in "acme_certificate".

bavshin-f5 · bavshin-f5 · commit 1f9da84669fa · 2025-07-23T16:25:56.000-07:00
The empty list is interpreted as an instruction to fetch the identifiers
from the server_name directive in the same server block.
diff --git a/README.md b/README.md
@@ -64,7 +64,7 @@ server {
     listen 443 ssl;
     server_name  .example.test;
 
-    acme_certificate example .example.test;
+    acme_certificate example;
 
     ssl_certificate       $acme_certificate;
     ssl_certificate_key   $acme_certificate_key;
@@ -218,14 +218,22 @@ challenge data for all the configured certificate issuers.
 
 ### acme_certificate
 
-**Syntax:** acme_certificate `issuer` `identifier` ... [ `key` = `alg[:size]` | `file` ]
+**Syntax:** acme_certificate `issuer` [`identifier` ...] [ `key` = `alg[:size]` | `file` ]
 
 **Default:** -
 
 **Context:** server
 
 Defines a certificate with the list of `identifier`s requested from
 issuer `issuer`.
+
+The explicit list of identifiers can be omitted. In this case the identifiers
+will be taken from the [server_name] directive in the same `server` block.
+Not all the values accepted by [server_name] are valid certificate identifiers:
+regular expressions and wildcards are not supported.
+
+[server_name]: https://nginx.org/en/docs/http/ngx_http_core_module.html#server_name
+
 The `key` parameter sets the type of generated private key or a
 path to an existing file. Supported key algorithms and sizes:
 `ecdsa:256` (default), `ecdsa:384`,
diff --git a/src/conf.rs b/src/conf.rs
@@ -3,7 +3,7 @@ use core::{mem, ptr};
 
 use nginx_sys::{
     ngx_command_t, ngx_conf_parse, ngx_conf_t, ngx_http_core_srv_conf_t, ngx_str_t, ngx_uint_t,
-    NGX_CONF_2MORE, NGX_CONF_BLOCK, NGX_CONF_FLAG, NGX_CONF_TAKE1, NGX_HTTP_MAIN_CONF,
+    NGX_CONF_1MORE, NGX_CONF_BLOCK, NGX_CONF_FLAG, NGX_CONF_TAKE1, NGX_HTTP_MAIN_CONF,
     NGX_HTTP_MAIN_CONF_OFFSET, NGX_HTTP_SRV_CONF, NGX_HTTP_SRV_CONF_OFFSET, NGX_LOG_EMERG,
 };
 use ngx::collections::Vec;
@@ -62,7 +62,7 @@ pub static mut NGX_HTTP_ACME_COMMANDS: [ngx_command_t; 4] = [
     },
     ngx_command_t {
         name: ngx_string!("acme_certificate"),
-        type_: (NGX_HTTP_SRV_CONF | NGX_CONF_2MORE) as ngx_uint_t,
+        type_: (NGX_HTTP_SRV_CONF | NGX_CONF_1MORE) as ngx_uint_t,
         set: Some(cmd_add_certificate),
         conf: NGX_HTTP_SRV_CONF_OFFSET,
         offset: 0,
@@ -295,9 +295,8 @@ extern "C" fn cmd_add_certificate(
         }
     }
 
-    if order.identifiers.is_empty() {
-        return c"no identifiers".as_ptr().cast_mut();
-    }
+    // If we haven't found any identifiers in the arguments, we will populate the list from the
+    // `server_name` values later, when the server names list is fully initialized.
 
     ascf.order = Some(order);
 
@@ -448,6 +447,26 @@ impl AcmeMainConfig {
                 continue;
             };
 
+            // An empty list of identifers should be filled from the `server_name` directive values.
+            // At this point, the server names list should be fully initialized.
+            if order.identifiers.is_empty() {
+                let server_names = unsafe { cscfp.server_names.as_slice() };
+
+                if let Err(err) = order.add_server_names(cf, server_names) {
+                    ngx_log_error!(NGX_LOG_EMERG, cf.log, "\"acme_certificate\": {err}");
+                    return Err(Status::NGX_ERROR);
+                }
+
+                if order.identifiers.is_empty() {
+                    ngx_log_error!(
+                        NGX_LOG_EMERG,
+                        cf.log,
+                        "\"acme_certificate\": no identifiers found in \"server_name\""
+                    );
+                    return Err(Status::NGX_ERROR);
+                }
+            }
+
             if let Some(issuer) = self.issuer_mut(&ascf.issuer) {
                 issuer.add_certificate_order(cf, order)?;
             } else {
diff --git a/src/conf/order.rs b/src/conf/order.rs
@@ -3,10 +3,11 @@ use core::hash::{self, Hash, Hasher};
 use core::net::IpAddr;
 use core::str::Utf8Error;
 
-use nginx_sys::ngx_str_t;
+use nginx_sys::{ngx_conf_t, ngx_http_server_name_t, ngx_str_t};
 use ngx::allocator::{AllocError, Allocator, TryCloneIn};
 use ngx::collections::Vec;
 use ngx::core::{NgxString, Pool, Status};
+use ngx::ngx_log_error;
 use siphasher::sip::SipHasher;
 use thiserror::Error;
 
@@ -146,6 +147,34 @@ impl CertificateOrder<ngx_str_t, Pool> {
         Ok(())
     }
 
+    pub fn add_server_names(
+        &mut self,
+        cf: &mut ngx_conf_t,
+        server_names: &[ngx_http_server_name_t],
+    ) -> Result<(), IdentifierError> {
+        for server_name in server_names {
+            if !server_name.regex.is_null() {
+                ngx_log_error!(
+                    nginx_sys::NGX_LOG_WARN,
+                    cf.log,
+                    "\"acme_certificate\": unsupported regular expression in server_name: {}",
+                    server_name.name
+                );
+                continue;
+            }
+
+            // A valid server_name entry that we want to ignore.
+            // We'll fail properly later if that's the only entry.
+            if server_name.name.is_empty() {
+                continue;
+            }
+
+            self.try_add_identifier(&server_name.name)?;
+        }
+
+        Ok(())
+    }
+
     pub fn try_add_identifier(&mut self, value: &ngx_str_t) -> Result<(), IdentifierError> {
         if value.is_empty() {
             return Err(IdentifierError::Empty);
