SSL_ERROR_BAD_CERT_DOMAIN with multiple domains

BeyondEvil nginx-forum at forum.nginx.org
Sat Jul 6 11:59:10 UTC 2019


Hi Francis!

Thank you so much for your answer! I really appreciate it!

And I apologize for taking this long to reply.

> As I understand things:
> 
> * you need one nginx listening on port 80 for http and 443 for https
> * you want to handle two server names (differently)

Well, sort of. I have two servers, and both are running nginx. Which I think
is the key to this problem.

Server A (macmini) has an nginx server under my direct control.
Server B (the synology NAS) has an nginx server NOT under my direct
control.

> I am not clear on whether you want to "redirect" or "proxy_pass" to
> the service on the other ports -- "redirect" would involve the client
> issuing a new request to https://something:5001; while "proxy_pass"
> would involve the client continuing to request https://something, and
> nginx ensuring that the response from :5001 gets to the client.

I thought what I wanted was to "proxy_pass", but what I needed to do was to
"redirect".
Sadly, that doesn't work - and I _think_ I might understand why.

I have two domains - one related to Server A and one related to Server B.

Server A domain is certified using Let's Encrypt (LE) and I own that
domain.
Server B domain is also certified using LE, but I DON'T own that domain -
Synology does. It's part of their "internal" DDNS system to help users
expose their NAS reliably to the internet.

And herein lies the problem, as it seems: from what I can gather, HTTPS is
terminated and checked/validated in Server A and fails for requests to
Server B domain, since the certificates in Server A are not the correct ones
for Server B domain - only for Server A domain. So the redirect works - but
you get the "not valid certificates" warning(s) in the browser. :(

> two server{} blocks with different server_name directives, and SNI
> enabled
> in your nginx, and the correct ssl_certificate available in each
> server{}.

So that ^^ is basically the problem and why it fails. The certificates
can't be in that server block, because they reside in the server block in
the nginx running on Server B.

> Good luck with it,

Thanks again! :)

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,284630,284764#msg-284764
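
The mismatch described in the message above, modelled as an added example (not part of the original post or of nginx): the terminating server picks a certificate by SNI with a default fallback, and the client then checks the requested name against that certificate's SAN list. The hostnames are constructed placeholders, and server selection is simplified to exact `server_name` matches.

```python
"""Model of SSL_ERROR_BAD_CERT_DOMAIN: which cert is served, and does it cover the name?"""

def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: case-insensitive, '*' only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # A wildcard covers exactly one label and needs two fixed labels after it.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_covers(san_list, host):
    """True if any subjectAltName entry in the certificate matches the host."""
    return any(name_matches(san, host) for san in san_list)

# Constructed data: server_name -> SAN list of the certificate in that server{} block.
SERVER_A = {"site-a.example": ["site-a.example", "www.site-a.example"]}
SERVER_B = {"nas.ddns.example": ["nas.ddns.example"]}

def handshake(blocks, default_name, requested_host):
    """Return (SANs presented, accepted?) for a TLS handshake ending at this server.

    Simplification: exact server_name lookup, else the default server's certificate.
    """
    sans = blocks.get(requested_host.lower(), blocks[default_name])
    return sans, cert_covers(sans, requested_host)

if __name__ == "__main__":
    cases = [
        ("Server A", SERVER_A, "site-a.example", "site-a.example"),
        # Server B's name arriving at Server A: A can only present its own certificate.
        ("Server A", SERVER_A, "site-a.example", "nas.ddns.example"),
        # The same name terminated on Server B, where the matching certificate lives.
        ("Server B", SERVER_B, "nas.ddns.example", "nas.ddns.example"),
    ]
    for where, blocks, default, host in cases:
        sans, ok = handshake(blocks, default, host)
        verdict = "ok" if ok else "SSL_ERROR_BAD_CERT_DOMAIN"
        print(f"{host} terminated at {where}: presented {sans} -> {verdict}")
```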
