cert handling on redirect of https subdomains

Martian Alien ufospy at hotmail.com
Thu Sep 11 11:56:56 MSD 2008


> Is api.example.com the same IP address as www.example.com?

Yes, we are attempting to set up three virtual domains on the same machine, each with different SSL certificates.  The primary domain (www.example.com:443 default) works fine, as does the base domain (example.com:443).  But adding more virtual subdomains will return the wrong SSL cert.

Martian


----------------------------------------
> Date: Wed, 10 Sep 2008 08:42:41 +0400
> From: is at rambler-co.ru
> To: nginx at sysoev.ru
> Subject: Re: cert handling on redirect of https subdomains
> 
> On Wed, Sep 10, 2008 at 03:59:31AM +0000, Martian Alien wrote:
> 
>> Note that the base domain (example.com) redirects fine to WWW (www.example.com).  Then adding a 2nd subdomain, API (api.example.com), returns the WWW certificate rather than the API one and flags a trust concern in most browsers.  Tried a listen field with both api.example.com:443 and the local interface 127.0.0.1:443, all fail in the same way.  Redirect works fine except it returns the incorrect SSL certificate.
>> 
>>   server {
>>     listen api.example.com:443;
>>     server_name  api.example.com api;
>> 
>>     ssl on;
>>     ssl_certificate /opt/local/nginx/certs/api.example.com.crt; 
>>     ssl_certificate_key /opt/local/nginx/certs/api.example.com.key; 
>> 
>>     rewrite ^/(.*) https://www.example.com/$1 permanent;
>>   }
>> 
>>   server {
>>     listen api.example.com:80;
>>     server_name  api.example.com api;
>>     rewrite ^/(.*) http://www.example.com/$1 permanent;
>>   }
>> 
>> Thanks again for looking into this concern,
> 
> Is api.example.com the same IP address as www.example.com?
> 
>>> Date: Tue, 9 Sep 2008 10:22:15 +0400
>>> From: is at rambler-co.ru
>>> To: nginx at sysoev.ru
>>> Subject: Re: cert handling on redirect of https subdomains
>>> 
>>> On Tue, Sep 09, 2008 at 05:51:04AM +0000, Martian Alien wrote:
>>> 
>>>> Hi Nginx Group,
>>>> 
>>>> Just wanted to start off by saying nginx is a rad web server!  Na zdrowie!
>>>> 
>>>> So we've noticed some issues with setting up https ssl certificates over multiple subdomains.
>>>> 
>>>> The base domain (example.com) and the first subdomain (www.example.com) work beautifully:
>>>> 
>>>>   server {
>>>>     listen www.example.com:443 default;
>>>>     server_name www.example.com;
>>>> 
>>>>     ssl on;
>>>>     ssl_certificate /opt/local/nginx/certs/www.example.com.crt; 
>>>>     ssl_certificate_key /opt/local/nginx/certs/www.example.com.key; 
>>>> 
>>>>     location / {
>>>>       # ...
>>>>     }
>>>>   }
>>>> 
>>>>   server {
>>>>     listen www.example.com:80 default;
>>>>     server_name www.example.com;
>>>> 
>>>>     location / {
>>>>       # ...
>>>>     }
>>>>   }
>>>> 
>>>> 
>>>>   server {
>>>>     listen example.com:443;
>>>>     server_name  example.com;
>>>> 
>>>>     ssl on;
>>>>     ssl_certificate /opt/local/nginx/certs/example.com.crt; 
>>>>     ssl_certificate_key /opt/local/nginx/certs/example.com.key; 
>>>> 
>>>>     rewrite ^/(.*) https://www.example.com/$1 permanent;
>>>>   }
>>>> 
>>>>   server {
>>>>     server_name  example.com;
>>>>     rewrite ^/(.*) http://www.example.com/$1 permanent;
>>>>   }
>>>> 
>>>> NOW, if the following is added, the correct SSL cert for api.example.com is not loaded before the redirect; the www.example.com cert is loaded instead:
>>>> 
>>>>   server {
>>>>     listen 127.0.0.1:443;
>>>>     server_name  api.example.com api;
>>>> 
>>>>     ssl on;
>>>>     ssl_certificate /opt/local/nginx/certs/api.example.com.crt; 
>>>>     ssl_certificate_key /opt/local/nginx/certs/api.example.com.key; 
>>>> 
>>>>     rewrite ^/(.*) https://www.example.com/$1 permanent;
>>>>   }
>>>> 
>>>>   server {
>>>>     listen 127.0.0.1:80;
>>>>     server_name  api.example.com api;
>>>>     rewrite ^/(.*) http://www.example.com/$1 permanent;
>>>>   }
>>>> 
>>>> 
>>>> Any ideas on how to set up multiple SSL / HTTPS subdomains, each with their own cert, in nginx?
>>>> 
>>>> I've tried many conf variants.  At this point, I'm suspecting it is a bug in nginx, but how would that be possible. =)
>>> 
>>> 127.0.0.1 is the loopback interface; do you connect to it from outside?
>>> 
>>> 
>>> -- 
>>> Igor Sysoev
>>> http://sysoev.ru/en/
>>> 
>> 
> 
> -- 
> Igor Sysoev
> http://sysoev.ru/en/
> 
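
An added check, not part of the original thread or of nginx: it reads a config like the one posted and reports each address:port that carries more than one `ssl_certificate`, because a TLS handshake with no server name (SNI) completes before the `Host` header arrives, so nginx can only present the default server's certificate for that address:port. The `RESOLVED` name-to-address map, the 192.0.2.10 address and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample: the two SSL server blocks from the thread, abbreviated.
SAMPLE_CONF = """
server {
  listen www.example.com:443 default;
  server_name www.example.com;
  ssl on;
  ssl_certificate /opt/local/nginx/certs/www.example.com.crt;
  location / { }
}
server {
  listen api.example.com:443;
  server_name api.example.com api;
  ssl on;
  ssl_certificate /opt/local/nginx/certs/api.example.com.crt;
  rewrite ^/(.*) https://www.example.com/$1 permanent;
}
"""
# Assumption: both names resolve to one address (192.0.2.10 is a documentation IP).
RESOLVED = {"www.example.com": "192.0.2.10", "api.example.com": "192.0.2.10"}

def server_blocks(conf):
    """Yield the body of each server { ... } block, matching nested braces."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def shadowed_certs(conf, resolved):
    """Map (ip, port) -> (served_cert, [certs never presented without SNI])."""
    groups = defaultdict(list)
    for body in server_blocks(conf):
        # Only "listen host:port [flags];" is handled; a bare "listen 443;" is skipped.
        listen = re.search(r"^\s*listen\s+([^\s:;]+):(\d+)([^;]*);", body, re.M)
        cert = re.search(r"^\s*ssl_certificate\s+([^\s;]+)\s*;", body, re.M)
        if listen and cert:
            host, port, flags = listen.groups()
            key = (resolved.get(host, host), int(port))
            groups[key].append((cert.group(1), "default" in flags.split()))
    report = {}
    for key, entries in groups.items():
        # Without SNI the default server's cert is used; with no default, the first listed.
        served = next((c for c, is_default in entries if is_default), entries[0][0])
        others = [c for c, _ in entries if c != served]
        if others:
            report[key] = (served, others)
    return report
```

Calling `shadowed_certs(SAMPLE_CONF, RESOLVED)` reports the api.example.com certificate as shadowed by the www.example.com one on 192.0.2.10:443; giving each name its own address in the map yields an empty report.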
