SNI: ssl_error_bad_cert_domain on https://<IP>

173279834462 nginx-forum at
Sat Feb 28 17:51:14 UTC 2015


nginx version: nginx/1.7.10
TLS SNI support enabled
Serving vhosts
each vhost has own registered certificate
each vhost works as expected 


Obtain 444  from [http|https]://<IP-ADDRESS>. 

case http://<IP-ADDRESS> 


    server {
       listen 80; 
       server_name _; 
       root /dev/null;
       return 444;

It returns 444, and we are happy about it.

case https://<IP-ADDRESS> 

No additional configuration. 

It returns the following: 

< <IP-ADDRESS> uses an invalid security certificate.
< The certificate is only valid for the following names:
< (Error code: ssl_error_bad_cert_domain)

where "" is a random? host from our pool of vhosts, and 
its registered certificate is served for the IP-ADDRESS by nginx's SNI. 
Indeed, this is the problem at hand. 

The following does not help at all, 

server {
   #listen 80;
   listen 443 ssl;
   ssl_certificate_key /etc/ssl/<IP-ADDRESS>/www.key;
   ssl_certificate         /etc/ssl/<IP-ADDRESS>/www.pem;
   server_name _;
   root /dev/null;
   return 444;

For the sake of proper administration, www.key/pem is a self-signed
certificate with included e-mail "hostmaster@<IP-ADDRESS>", and 
an e-mail address has been created on purpose. 

Can you replicate this problem? 
Are there any known solutions?

Thank you for your time.

Posted at Nginx Forum:,256957,256957#msg-256957

More information about the nginx mailing list