cert handling on redirect of https subdomains

Igor Sysoev is at rambler-co.ru
Thu Sep 11 12:08:00 MSD 2008


On Thu, Sep 11, 2008 at 07:56:56AM +0000, Martian Alien wrote:

> 
> > Is api.example.com the same IP address as www.example.com ?
> 
> Yes, we are attempting to set up three virtual domains on the same machine, each with different SSL certificates.  The primary domain (www.example.com:443 default) works fine, as does the base domain (example.com:443).  But adding more virtual subdomains will return the wrong SSL cert.

You need at least three different IP addresses on the host:

http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47

Otherwise you need a wildcard certificate or a certificate with alternative names.

> ----------------------------------------
> > Date: Wed, 10 Sep 2008 08:42:41 +0400
> > From: is at rambler-co.ru
> > To: nginx at sysoev.ru
> > Subject: Re: cert handling on redirect of https subdomains
> > 
> > On Wed, Sep 10, 2008 at 03:59:31AM +0000, Martian Alien wrote:
> > 
> >> Note that the base domain (example.com) redirects fine to WWW (www.example.com).  Then adding a 2nd subdomain, API (api.example.com), returns the WWW certificate rather than the API one and flags a trust concern in most browsers.  Tried a listen field with both api.example.com:443 and the local interface 127.0.0.1:443, all fail in the same way.  Redirect works fine except it returns the incorrect SSL certificate.
> >> 
> >>   server {
> >>     listen api.example.com:443;
> >>     server_name  api.example.com api;
> >> 
> >>     ssl on;
> >>     ssl_certificate /opt/local/nginx/certs/api.example.com.crt; 
> >>     ssl_certificate_key /opt/local/nginx/certs/api.example.com.key; 
> >> 
> >>     rewrite ^/(.*) https://www.example.com/$1 permanent;
> >>   }
> >> 
> >>   server {
> >>     listen api.example.com:80;
> >>     server_name  api.example.com api;
> >>     rewrite ^/(.*) http://www.example.com/$1 permanent;
> >>   }
> >> 
> >> Thanks again for looking into this concern,
> > 
> > Is api.example.com the same IP address as www.example.com ?
> > 
> >>> Date: Tue, 9 Sep 2008 10:22:15 +0400
> >>> From: is at rambler-co.ru
> >>> To: nginx at sysoev.ru
> >>> Subject: Re: cert handling on redirect of https subdomains
> >>> 
> >>> On Tue, Sep 09, 2008 at 05:51:04AM +0000, Martian Alien wrote:
> >>> 
> >>>> Hi Nginx Group,
> >>>> 
> >>>> Just wanted to start off by saying nginx is a rad web server!  Na zdrowie!
> >>>> 
> >>>> So we've noticed some issues with setting up https ssl certificates over multiple subdomains.
> >>>> 
> >>>> The base domain (example.com) and the first subdomain (www.example.com) work beautifully:
> >>>> 
> >>>>   server {
> >>>>     listen www.example.com:443 default;
> >>>>     server_name www.example.com;
> >>>> 
> >>>>     ssl on;
> >>>>     ssl_certificate /opt/local/nginx/certs/www.example.com.crt; 
> >>>>     ssl_certificate_key /opt/local/nginx/certs/www.example.com.key; 
> >>>> 
> >>>>     location / {
> >>>>       # ...
> >>>>     }
> >>>>   }
> >>>> 
> >>>>   server {
> >>>>     listen www.example.com:80 default;
> >>>>     server_name www.example.com;
> >>>> 
> >>>>     location / {
> >>>>       # ...
> >>>>     }
> >>>>   }
> >>>> 
> >>>> 
> >>>>   server {
> >>>>     listen example.com:443;
> >>>>     server_name  example.com;
> >>>> 
> >>>>     ssl on;
> >>>>     ssl_certificate /opt/local/nginx/certs/example.com.crt; 
> >>>>     ssl_certificate_key /opt/local/nginx/certs/example.com.key; 
> >>>> 
> >>>>     rewrite ^/(.*) https://www.example.com/$1 permanent;
> >>>>   }
> >>>> 
> >>>>   server {
> >>>>     server_name  example.com;
> >>>>     rewrite ^/(.*) http://www.example.com/$1 permanent;
> >>>>   }
> >>>> 
> >>>> NOW, if the following is added, the correct SSL cert for api.example.com is not loaded before the redirect; the www.example.com cert is loaded instead:
> >>>> 
> >>>>   server {
> >>>>     listen 127.0.0.1:443;
> >>>>     server_name  api.example.com api;
> >>>> 
> >>>>     ssl on;
> >>>>     ssl_certificate /opt/local/nginx/certs/api.example.com.crt; 
> >>>>     ssl_certificate_key /opt/local/nginx/certs/api.example.com.key; 
> >>>> 
> >>>>     rewrite ^/(.*) https://www.example.com/$1 permanent;
> >>>>   }
> >>>> 
> >>>>   server {
> >>>>     listen 127.0.0.1:80;
> >>>>     server_name  api.example.com api;
> >>>>     rewrite ^/(.*) http://www.example.com/$1 permanent;
> >>>>   }
> >>>> 
> >>>> 
> >>>> Any ideas on how to set up multiple SSL / HTTPS subdomains, each with their own cert in nginx?
> >>>> 
> >>>> I've tried many conf variants.  At this point, I'm suspecting it is a bug in nginx, but how would that be possible. =)
> >>> 
> >>> 127.0.0.1 is the loopback interface; do you connect to it from outside?
> >>> 
> >>> 
> >>> -- 
> >>> Igor Sysoev
> >>> http://sysoev.ru/en/
> >>> 
> >> 
> > 
> > -- 
> > Igor Sysoev
> > http://sysoev.ru/en/
> > 
> 

-- 
Igor Sysoev
http://sysoev.ru/en/
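
Added example (not part of the original message and not nginx code): a small Python model of the point made in the reply above, that the certificate a client receives is decided by the address the connection arrives on rather than by the name it asked for. The 192.0.2.x addresses, the assumption that all three names resolve to one address, and the certificate name lists are constructed; the example goes slightly beyond the thread by also showing that a wildcard does not cover the bare domain.

```python
# Added example. All addresses (192.0.2.x) and certificate name lists
# are constructed sample data, not values from the thread.
HOSTS = ["example.com", "www.example.com", "api.example.com"]

def name_matches(pattern, host):
    """Certificate name match: '*' may only be the whole left-most label
    and stands for exactly one label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def mismatches(dns, certs_by_ip):
    """Hosts whose clients receive a certificate that does not cover them.

    The certificate is looked up by destination IP only: the handshake
    completes before the HTTP Host header is sent, so server_name cannot
    influence which certificate is presented.
    """
    bad = []
    for host, ip in dns.items():
        names = certs_by_ip[ip]
        if not any(name_matches(n, host) for n in names):
            bad.append(host)
    return sorted(bad)

# Every name on one address versus one address per name.
SHARED = {h: "192.0.2.10" for h in HOSTS}
SEPARATE = dict(zip(HOSTS, ["192.0.2.10", "192.0.2.11", "192.0.2.12"]))

def scenarios():
    """Mismatched hosts for each deployment option named in the reply."""
    ip = "192.0.2.10"
    return {
        "one IP, www cert only": mismatches(SHARED, {ip: ["www.example.com"]}),
        "three IPs, one cert each": mismatches(
            SEPARATE, {addr: [host] for host, addr in SEPARATE.items()}),
        "one IP, alternative names": mismatches(SHARED, {ip: HOSTS}),
        "one IP, wildcard": mismatches(SHARED, {ip: ["*.example.com"]}),
    }

if __name__ == "__main__":
    for label, bad in scenarios().items():
        print(f"{label:28} mismatched: {bad or 'none'}")
```
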




