SSL_ERROR_BAD_CERT_DOMAIN with multiple domains

Francis Daly francis at daoine.org
Wed Jul 10 22:25:25 UTC 2019


On Sat, Jul 06, 2019 at 07:59:10AM -0400, BeyondEvil wrote:

Hi there,

> Server A (macmini) has an nginx server under my direct control.
> Server B (the synology NAS) has an nginx server NOT under my direct
> control.

...and you have exactly 1 public IP address, and you would like to be
able to access the content on both of them.

If you are happy to test things, I have two suggestions which might work
for you.

The first is a "proxy_pass" where your users will never talk directly
to server B, and will never use the server B domain name.

Depending on what server B requires, this may not work.

But if it does -- you get a new hostname, "nas.domainA", for example,
and get a certificate for it.

Then do the normal nginx two-ssl-servers thing with SNI, and the one with
"server_name nas.domainA" does "proxy_pass https://server-B".


The second involves using "stream" instead of "http" on the public-facing
ip:port.

In that case, you use stream with ssl preread, documented at
http://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html

If the SNI name relates to the NAS, you proxy_pass to that IP:port;
else you proxy_pass to the IP:port that your nginx https listener is on
(possibly 127.0.0.1:443, if you have the stream listener on the same
machine).

> And herein lies the problem as it seems, from what I can gather HTTPS is
> terminated and checked/validated in Server A and fails for requests to
> Server B domain, since the certificates in Server A are not the correct ones
> for Server B domain - only for Server A domain.

In the first new case above, https is terminated on "your" nginx server,
either with the www.domainA cert or the nas.domainA cert, so the client
is happy.

In the second new case above, https is terminated either on your server
with the www.domainA cert, or on the other server with the domainB cert;
so the client is still happy.

Maybe one of those will suit you.

	f
-- 
Francis Daly        francis at daoine.org
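As an added example that is not code from the thread or from the nginx project, here is one nginx.conf that shows both of the suggestions above side by side: a "stream" block on the public ip:port that uses ssl_preread to route by SNI, and an "http" block with the two-ssl-servers setup where "nas.domainA" does "proxy_pass https://server-B". All names and addresses are assumptions: www.domainA and nas.domainA as hostnames on server A's certificates, nas.domainB as the name on the NAS certificate, 203.0.113.10 as the single public IP on the macmini, 192.0.2.20 as the NAS's LAN address, and placeholder certificate paths.

```nginx
# Added example, not from the original thread. Assumed names and addresses:
#   www.domainA, nas.domainA  hostnames on the macmini (server A) certificates
#   nas.domainB               the hostname on the NAS (server B) certificate
#   203.0.113.10              the one public IP, bound on the macmini
#   192.0.2.20                the NAS's LAN address
# Certificate paths are placeholders. Requires nginx built with --with-stream.

events { worker_connections 1024; }

# ---- Second suggestion: raw TLS routing by SNI on the public ip:port ----
stream {
    # ssl_preread parses the ClientHello without terminating TLS, so the SNI
    # name is visible here but nothing else about the request is.
    map $ssl_preread_server_name $tls_backend {
        nas.domainB  192.0.2.20:443;    # hand the NAS its own handshake
        default      127.0.0.1:443;     # everything else (incl. no SNI): local https
    }

    server {
        # Bind the public address only, so 127.0.0.1:443 stays free for http{}.
        listen 203.0.113.10:443;
        ssl_preread on;
        proxy_pass  $tls_backend;
    }
}

# ---- First suggestion: terminate TLS here, proxy_pass to the NAS over https ----
http {
    server {
        listen 127.0.0.1:443 ssl;
        server_name www.domainA;
        ssl_certificate     /etc/nginx/certs/www.domainA.fullchain.pem;
        ssl_certificate_key /etc/nginx/certs/www.domainA.key;
        root /var/www/domainA;
    }

    server {
        listen 127.0.0.1:443 ssl;
        server_name nas.domainA;
        ssl_certificate     /etc/nginx/certs/nas.domainA.fullchain.pem;
        ssl_certificate_key /etc/nginx/certs/nas.domainA.key;

        location / {
            proxy_pass https://192.0.2.20:443;

            # Give the NAS the name its own certificate carries, both as the
            # HTTP Host header and as SNI on the upstream TLS connection.
            proxy_set_header Host nas.domainB;
            proxy_ssl_server_name on;
            proxy_ssl_name        nas.domainB;

            # Verify the NAS certificate; otherwise the hop from A to B is
            # encrypted but unauthenticated. Point this at the CA (or at the
            # self-signed certificate itself) that issued the NAS certificate.
            proxy_ssl_verify              on;
            proxy_ssl_trusted_certificate /etc/nginx/certs/nas-ca.pem;

            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}
```

Only one of the two approaches is needed; they are shown together because they coexist cleanly (the stream server owns the public port, the http servers sit behind it on loopback). Check the build and syntax with `nginx -V 2>&1 | grep -o with-stream` and `nginx -t`, then confirm the routing from outside with `openssl s_client -connect 203.0.113.10:443 -servername nas.domainB` and `-servername nas.domainA`: the first should present the NAS certificate, the second server A's. Two caveats: with the stream approach the http{} servers see 127.0.0.1 as the client address (the NAS would not understand the PROXY protocol, so it is not enabled here), and keep the map's "default" pointing at your own server, so a client that sends no SNI or an unknown name never reaches the NAS. Whether the NAS accepts requests proxied this way is the "depending on what server B requires" part of the first suggestion.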
