SSL_ERROR_BAD_CERT_DOMAIN with multiple domains

Francis Daly francis at daoine.org
Wed Jun 26 08:26:07 UTC 2019


On Sat, Jun 22, 2019 at 04:01:40PM -0400, BeyondEvil wrote:

Hi there,

I don't have an answer for you, but I do have some comments that may
make it easier for someone else to have an answer.

> So I need to add two new server blocks in my config so that:
> If I visit "http://domain.synology.me" (port 80) that redirects me to
> "http://domain.synology.me:5000"
> and
> If I visit "https://domain.synology.me" (port 443) that redirects me to
> "https://domain.synology.me:5001"

As I understand things:

* you need one nginx listening on port 80 for http and 443 for https
* you want to handle two server names (differently)

I am not clear on whether you want to "redirect" or "proxy_pass" to
the service on the other ports -- "redirect" would involve the client
issuing a new request to https://something:5001; while "proxy_pass"
would involve the client continuing to request https://something, and
nginx ensuring that the response from :5001 gets to the client.

Anyway...

The http side should be straightforward. Two server{} blocks with
different server_name directives, and "proxy_pass" or "return/rewrite"
as appropriate. Does that work for you? If not, what fails? (As in:
what request do you make / what response do you get / what response do
you want instead / what do the logs say.)

The https side may be a little more awkward -- you want to run
two https services on the same ip:port. The main notes are at
http://nginx.org/en/docs/http/configuring_https_servers.html. Basically --
two server{} blocks with different server_name directives, and SNI enabled
in your nginx, and the correct ssl_certificate available in each server{}.

> I've managed to get part of the way. But I'm getting SSL errors like for
> instance:  "SSL_read() failed (SSL: error:14094412:SSL
> routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42)
> while waiting for request, client: 192.168.13.1, server: 0.0.0.0:443"

What request do you make when that error appears? Are you trying to talk
to server_name#1 or server_name#2?

> Here's my current config:
> https://gist.github.com/BeyondEvil/e246d1725438989815272ac96fd1a767

For future-proofing reasons, it is better for this list if you include
the relevant config in the mail directly.

But the content on that link today seems to include one "server" with
"listen 443 ssl" and no "ssl_certificate". Untested by me, but I can
imagine that leading to some confusion.

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org
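Putting the reply's advice into one configuration, as an added example that is not from the thread or the linked gist: domain.synology.me and the :5000/:5001 ports come from the question; second.example.net, its :8080 backend and the certificate paths are placeholders. It shows both choices the reply distinguishes (a "return" redirect for the first name, a "proxy_pass" for the second) and gives each https server{} its own certificate so SNI selection has something to serve.

```nginx
# Placeholders (assumed, not from the thread): second.example.net,
# the 127.0.0.1:8080 backend and the /etc/nginx/certs/... paths.

# Port 80: one server{} per name. "return" makes the client issue a
# new request to the service on its own port.
server {
    listen 80;
    server_name domain.synology.me;
    return 301 http://domain.synology.me:5000$request_uri;
}

server {
    listen 80;
    server_name second.example.net;
    return 301 http://second.example.net:8080$request_uri;
}

# Port 443: two https servers on the same ip:port. nginx picks the
# block from the SNI name the client sends, so each block needs its
# own ssl_certificate/ssl_certificate_key; a "listen 443 ssl" block
# with no certificate is the gap the reply points at in the gist.
server {
    listen 443 ssl;
    server_name domain.synology.me;
    ssl_certificate     /etc/nginx/certs/domain.synology.me.fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/domain.synology.me.key;
    return 301 https://domain.synology.me:5001$request_uri;
}

server {
    listen 443 ssl;
    server_name second.example.net;
    ssl_certificate     /etc/nginx/certs/second.example.net.fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/second.example.net.key;

    # Alternative to a redirect: the client keeps talking to nginx on
    # :443 and nginx relays the backend's response.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
    }
}
```

After `nginx -t` passes and the config is reloaded, `openssl s_client -connect <nginx-ip>:443 -servername domain.synology.me` shows which certificate that name is served; repeating it with the second name confirms that SNI is selecting the right block.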