With respect to the SSLStrictSNIVHostCheck directive:
Perhaps using "on" was a bad choice; "disabled" would be clearer.
Indeed, and this would be closer to the usual settings. Good point.
The idea was not to emit the line to the config unless "off" is set. In reality this may not even be required as I think the default if there is no line is off.
To get anything to emit to the config you need to do:
config setprop httpd-e-smith SSLStrictSNIVHostCheck off
Without the above, no line will be added at all, exactly like the config before this mod. I agree it may be better to have this emitted by default, but I was trying to engineer things so current functionality was retained as the default.
Yes, I understand that you did a lot of work around there, so I am just trying to give a bit of help to improve this and make it more standard with current templates.
With respect to the VirtualHost Certificates:
In reality you can only have one CRT per VirtualHost, irrespective of how many domains it is serving. If you do not specify any CRT for a VirtualHost the main certificate will be picked up, so there is no need to hard wire the main cert when there is no third party cert. If main cert covers multiple domains as in LetsEncrypt you should be ok. I think you should be able to mix and match my mod with LetsEncrypt simply by not setting the db variables.
Further, with this mod you could use a third party certificate such as an EV cert for a VirtualHost that serves multiple domains but you would need either a wildcard (if all domains were a sub) or a Cert that would cover multiple domains. I would suspect this would work OK but have not tested it.
The bottom line is in my design if you do not set any of the DB variables the config is not changed from the current config. It is only changed if you set the variables even if the template fragments are in place. Even if you set the variables for one ibay the others will remain the same and use the standard certificate.
With my suggestion nothing changes from previous behaviour; the only thing is that the certificate is placed one more time in each VirtualHost with the second proposition, unless something is set for this domain. Anyway, the global certificate is declared for the whole service at the beginning of httpd.conf.
The big point there is rather not to use ibays in the accounts db but rather the domains db, because VirtualHosts are not expanded against ibays but against domains. See the code of /etc/e-smith/templates/etc/httpd/conf/httpd.conf/80VirtualHosts (calling the content of /etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts) and /etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/00Setup. Using ibays you might end up with your certificate for domain.com added to the VirtualHost for domain.fr if it also points to the same ibay, and get a certificate error unless it was issued for domain.com and domain.fr. Because, yes, you can have 2 VirtualHosts pointing to the same content, but they will need different certificates.
I must admit, I do not fully understand the LetsEncrypt details and still have to look into that in more detail but for now I think I have a simple clean workable solution for my needs.
Clear and simple: you declare the domains (as in db domains) and hosts (as in db hosts) for which you want a certificate, and letsencrypt gets you a global certificate for all those domains. It also renews the certificate every 3 months without you having to worry.
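
The certificate mismatch discussed above (a certificate for domain.com ending up on the VirtualHost for domain.fr because both point to the same ibay) can be checked before a config is expanded. The following is an added example, not part of the original thread or of the SME Server templates; the ibay names, certificate names and example.org entries are constructed sample data, and the helper functions are hypothetical.

```python
# Added example. Domains, ibay names and certificate names are constructed
# sample data; name_matches follows RFC 6125 wildcard rules.

def name_matches(hostname, pattern):
    """True if a certificate name (possibly a wildcard) covers hostname."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # a wildcard stands for exactly one label
    if pat[0] == "*":
        # Wildcard only as the whole leftmost label, never "*.tld".
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def assign(vhosts, certs_by_key, key, default="main"):
    """Map each domain to a cert, looked up by 'domain' or by 'ibay'."""
    result = {}
    for domain, ibay in vhosts.items():
        lookup = domain if key == "domain" else ibay
        result[domain] = certs_by_key.get(lookup, default)
    return result

def mismatches(assignment, cert_sans):
    """Return sorted (domain, cert) pairs where cert does not cover domain."""
    return sorted(
        (domain, cert) for domain, cert in assignment.items()
        if not any(name_matches(domain, san) for san in cert_sans[cert])
    )

# domain -> ibay serving its content (constructed)
VHOSTS = {"domain.com": "shop", "domain.fr": "shop", "www.example.org": "Primary"}
# certificate -> names it was issued for (constructed)
CERT_SANS = {
    "main": ["example.org", "*.example.org"],
    "ev-com": ["domain.com"],
    "ev-fr": ["domain.fr"],
}

BY_IBAY = assign(VHOSTS, {"shop": "ev-com"}, key="ibay")
BY_DOMAIN = assign(VHOSTS, {"domain.com": "ev-com", "domain.fr": "ev-fr"}, key="domain")

if __name__ == "__main__":
    print("keyed by ibay:  ", mismatches(BY_IBAY, CERT_SANS))
    print("keyed by domain:", mismatches(BY_DOMAIN, CERT_SANS))
```

Keying the certificate on the ibay reports domain.fr as served with a certificate that does not name it; keying on the domain reports nothing, and domains with no entry fall back to the main certificate.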