ACME: allow "acme_certificate server_name ...".

bavshin-f5 · bavshin-f5 · commit ea6a17f58e33 · 2025-07-17T11:31:12.000-07:00
The parameter allows fetching the list of identifiers from the
server_name directive in the same server block.
diff --git a/README.md b/README.md
@@ -159,7 +159,7 @@ challenge data for all the configured certificate issuers.
 
 ### `acme_certificate`
 
-Syntax: `acme_certificate issuer=_issuer_name_ [key=alg[:size]|file] [identifiers...];`\
+Syntax: `acme_certificate issuer=_issuer_name_ [key=alg[:size]|file] [server_name] [identifiers...];`\
 Context: `server`
 
 Defines a certificate with the list of _identifiers_ requested from issuer
@@ -169,6 +169,11 @@ The `key` parameter sets the type of generated private key or a path to an
 existing file. Supported key algorithms and sizes:
 `ecdsa:256` (default), `ecdsa:384`, `ecdsa:521`, `rsa:2048`..`rsa:4096`.
 
+The `server_name` parameter allows taking the list of identifiers from the
+`server_name` directive in the same server block instead of specifying names
+explicitly. Not all the values accepted by `server_name` are valid certificate
+identifiers: regular expressions and wildcards are not supported.
+
 Since 1.27.2, the `key` parameter supports the additional schemes implemented
 in the [`ssl_certificate_key`] directive: `data:`, `engine:` and more recently
 `store:`, with a caveat that password-protected keys are not supported.
diff --git a/src/conf.rs b/src/conf.rs
@@ -39,6 +39,8 @@ pub struct AcmeServerConfig {
     // A single sertificate per server is supported for now.
     // With multiple certs we will have to implement certificate selection.
     pub order: Option<CertificateOrder<ngx_str_t, Pool>>,
+    /// Read identifiers set by "server_name" in the server block.
+    pub server_name: bool,
 }
 
 pub static mut NGX_HTTP_ACME_COMMANDS: [ngx_command_t; 4] = [
@@ -277,12 +279,17 @@ extern "C" fn cmd_add_certificate(
             continue;
         }
 
+        if value.as_bytes() == b"server_name" {
+            ascf.server_name = true;
+            continue;
+        }
+
         if let Err(err) = order.try_add_identifier(value) {
             return cf.error(&args[0], err);
         }
     }
 
-    if order.identifiers.is_empty() {
+    if order.identifiers.is_empty() && !ascf.server_name {
         return c"no identifiers".as_ptr().cast_mut();
     }
 
@@ -443,6 +450,25 @@ impl AcmeMainConfig {
                 continue;
             };
 
+            // At this point, the server names list should be fully initialized.
+            if ascf.server_name {
+                let server_names = unsafe { cscfp.server_names.as_slice() };
+
+                if let Err(err) = order.add_server_names(cf, server_names) {
+                    ngx_log_error!(NGX_LOG_EMERG, cf.log, "\"acme_certificate\": {err}");
+                    return Err(Status::NGX_ERROR);
+                }
+
+                if order.identifiers.is_empty() {
+                    ngx_log_error!(
+                        NGX_LOG_EMERG,
+                        cf.log,
+                        "\"acme_certificate\": no identifiers found in \"server_name\""
+                    );
+                    return Err(Status::NGX_ERROR);
+                }
+            }
+
             if let Some(issuer) = self.issuer_mut(&ascf.issuer) {
                 issuer.add_certificate_order(cf, order)?;
             } else {
diff --git a/src/conf/order.rs b/src/conf/order.rs
@@ -3,10 +3,11 @@ use core::hash::{self, Hash, Hasher};
 use core::net::IpAddr;
 use core::str::Utf8Error;
 
-use nginx_sys::ngx_str_t;
+use nginx_sys::{ngx_conf_t, ngx_http_server_name_t, ngx_str_t};
 use ngx::allocator::{AllocError, Allocator, TryCloneIn};
 use ngx::collections::Vec;
 use ngx::core::{NgxString, Pool, Status};
+use ngx::ngx_log_error;
 use siphasher::sip::SipHasher;
 use thiserror::Error;
 
@@ -161,6 +162,34 @@ impl CertificateOrder<ngx_str_t, Pool> {
         Ok(())
     }
 
+    pub fn add_server_names(
+        &mut self,
+        cf: &mut ngx_conf_t,
+        server_names: &[ngx_http_server_name_t],
+    ) -> Result<(), IdentifierError> {
+        for server_name in server_names {
+            if !server_name.regex.is_null() {
+                ngx_log_error!(
+                    nginx_sys::NGX_LOG_WARN,
+                    cf.log,
+                    "\"acme_certificate\": unsupported regular expression in server_name: {}",
+                    server_name.name
+                );
+                continue;
+            }
+
+            // A valid server_name entry that we want to ignore.
+            // We'll fail properly later if that's the only entry.
+            if server_name.name.is_empty() {
+                continue;
+            }
+
+            self.try_add_identifier(&server_name.name)?;
+        }
+
+        Ok(())
+    }
+
     pub fn try_add_identifier(&mut self, value: &ngx_str_t) -> Result<(), IdentifierError> {
         if value.is_empty() {
             return Err(IdentifierError::Empty);
