Nginx not loading different certs on two hosts

Nikolaos Milas nmilas at noa.gr
Wed Dec 9 21:34:38 UTC 2020 

Hello,

On a Centos 7 with nginx-1.18.0 I have configured two vhosts, as follows:

First one:

server {

     listen [::]:80 ipv6only=off;

     listen    443 ssl http2 default deferred;
     listen    [::]:443 ssl http2 default deferred;

     server_name  site1.world.example.com;

     ssl_certificate     /etc/pki/tls/certs/star_world.crt;
     ssl_certificate_key /etc/pki/tls/private/star_world.key;

     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
     ssl_ciphers 
'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED';
     ssl_prefer_server_ciphers on;

     ssl_session_cache shared:SSL:50m;
     ssl_session_timeout  1d;
     ssl_session_tickets off;

     ssl_dhparam /etc/pki/tls/certs/dhparam.pem;
     ...

and the second:

server {
     listen [::]:80;
     listen [::]:443 ssl;
     server_name  site2.local.world.example.com;

     ssl_certificate     /etc/pki/tls/certs/star_local_world.cer;
     ssl_certificate_key /etc/pki/tls/private/star_local_world.key;

     ssl_protocols TLSv1.1 TLSv1.2;
     ssl_ciphers 
'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED';
     ssl_prefer_server_ciphers on;

     ssl_session_cache shared:SSL:50m;
     ssl_session_timeout  1d;
     ssl_session_tickets off;

     ssl_dhparam /etc/pki/tls/certs/dhparam.pem;
     ...

However, while the first one works correctly, the second one is clearly 
using the SSL certs of the first vhost (and thus it produces a Risk 
warning due to mismatch between name-cert) and not the ones configured 
in its own config (the second).

(I confirmed that SNI support is enabled.)

What am I doing wrong? (Obviously I am a very basic nginx user.)

How shall I make the second vhost load/use its own ssl configuration 
correctly?

Finally, what is the best way to successfully listen (i.e. the suggested 
way to configure the "listen" directives) to 80 and 443 ports on both 
IPv4 and IPv6 on all hosts (each and every one of them)?

Thanks in advance!

Cheers,
Nick

More information about the nginx mailing list