cert handling on redirect of https subdomains
Tit Petric
black at scene-si.org
Thu Sep 11 12:18:39 MSD 2008
I think what you are trying to do is impossible. An SSL connection needs
to be established before the virtual host is known. To my knowledge this
limits you to only one certificate per IP.
Martian Alien wrote:
>> Is api.example.com the same IP address as www.example.com ?
>>
>
> Yes, we are attempting to set up three virtual domains on the same machine, each with different SSL certificates. The primary domain (www.example.com:443 default) works fine, as does the base domain (example.com:443). But adding more virtual subdomains will return the wrong SSL cert.
>
> Martian
>
>
> ----------------------------------------
>
>> Date: Wed, 10 Sep 2008 08:42:41 +0400
>> From: is at rambler-co.ru
>> To: nginx at sysoev.ru
>> Subject: Re: cert handling on redirect of https subdomains
>>
>> On Wed, Sep 10, 2008 at 03:59:31AM +0000, Martian Alien wrote:
>>
>>
>>> Note that the base domain (example.com) redirects fine to WWW (www.example.com). Then adding a 2nd subdomain, API (api.example.com), returns the WWW certificate rather than the API one and flags a trust concern in most browsers. Tried a listen field with both api.example.com:443 and the local interface 127.0.0.1:443, all fail in the same way. Redirect works fine except it returns the incorrect SSL certificate.
>>>
>>> server {
>>> listen api.example.com:443;
>>> server_name api.example.com api;
>>>
>>> ssl on;
>>> ssl_certificate /opt/local/nginx/certs/api.example.com.crt;
>>> ssl_certificate_key /opt/local/nginx/certs/api.example.com.key;
>>>
>>> rewrite ^/(.*) https://www.example.com/$1 permanent;
>>> }
>>>
>>> server {
>>> listen api.example.com:80;
>>> server_name api.example.com api;
>>> rewrite ^/(.*) http://www.example.com/$1 permanent;
>>> }
>>>
>>> Thanks again for looking into this concern,
>>>
>> Is api.example.com the same IP address as www.example.com ?
>>
>>
>>>> Date: Tue, 9 Sep 2008 10:22:15 +0400
>>>> From: is at rambler-co.ru
>>>> To: nginx at sysoev.ru
>>>> Subject: Re: cert handling on redirect of https subdomains
>>>>
>>>> On Tue, Sep 09, 2008 at 05:51:04AM +0000, Martian Alien wrote:
>>>>
>>>>
>>>>> Hi Nginx Group,
>>>>>
>>>>> Just wanted to start off by saying nginx is a rad web server! Na zdrowie!
>>>>>
>>>>> So we've noticed some issues with setting up https ssl certificates over multiple subdomains.
>>>>>
>>>>> The base domain (example.com) and the first subdomain (www.example.com) work beautifully:
>>>>>
>>>>> server {
>>>>> listen www.example.com:443 default;
>>>>> server_name www.example.com;
>>>>>
>>>>> ssl on;
>>>>> ssl_certificate /opt/local/nginx/certs/www.example.com.crt;
>>>>> ssl_certificate_key /opt/local/nginx/certs/www.example.com.key;
>>>>>
>>>>> location / {
>>>>> # ...
>>>>> }
>>>>> }
>>>>>
>>>>> server {
>>>>> listen www.example.com:80 default;
>>>>> server_name www.example.com;
>>>>>
>>>>> location / {
>>>>> # ...
>>>>> }
>>>>> }
>>>>>
>>>>>
>>>>> server {
>>>>> listen example.com:443;
>>>>> server_name example.com;
>>>>>
>>>>> ssl on;
>>>>> ssl_certificate /opt/local/nginx/certs/example.com.crt;
>>>>> ssl_certificate_key /opt/local/nginx/certs/example.com.key;
>>>>>
>>>>> rewrite ^/(.*) https://www.example.com/$1 permanent;
>>>>> }
>>>>>
>>>>> server {
>>>>> server_name example.com;
>>>>> rewrite ^/(.*) http://www.example.com/$1 permanent;
>>>>> }
>>>>>
>>>>> NOW, if the following is added, the correct SSL cert for api.example.com is not loaded before the redirect; the www.example.com cert is loaded instead:
>>>>>
>>>>> server {
>>>>> listen 127.0.0.1:443;
>>>>> server_name api.example.com api;
>>>>>
>>>>> ssl on;
>>>>> ssl_certificate /opt/local/nginx/certs/api.example.com.crt;
>>>>> ssl_certificate_key /opt/local/nginx/certs/api.example.com.key;
>>>>>
>>>>> rewrite ^/(.*) https://www.example.com/$1 permanent;
>>>>> }
>>>>>
>>>>> server {
>>>>> listen 127.0.0.1:80;
>>>>> server_name api.example.com api;
>>>>> rewrite ^/(.*) http://www.example.com/$1 permanent;
>>>>> }
>>>>>
>>>>>
>>>>> Any ideas on how to set up multiple SSL / HTTPS subdomains, each with their own cert in nginx?
>>>>>
>>>>> I've tried many conf variants. At this point, I'm suspecting it is a bug in nginx, but how would that be possible. =)
>>>>>
>>>> 127.0.0.1 is the loopback interface; do you connect to it from outside?
>>>>
>>>>
>>>> --
>>>> Igor Sysoev
>>>> http://sysoev.ru/en/
>>>>
>>>>
>>>
>> --
>> Igor Sysoev
>> http://sysoev.ru/en/
>>
>>
>
>
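Added example, not part of the thread and not nginx code: a small configuration check that applies the reply's point, that the certificate is chosen before the virtual host is known, to server blocks like the ones quoted above. It assumes the server learns no hostname during the handshake; the sample config, the name-to-address maps and the 192.0.2.x addresses are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample: two HTTPS server blocks in the style of the thread.
SAMPLE_CONF = """
server {
    listen www.example.com:443 default;
    server_name www.example.com;
    ssl on;
    ssl_certificate /opt/local/nginx/certs/www.example.com.crt;
}
server {
    listen api.example.com:443;
    server_name api.example.com api;
    ssl on;
    ssl_certificate /opt/local/nginx/certs/api.example.com.crt;
}
"""

# Assumed name-to-address maps (documentation-range IPs, not from the thread).
SHARED_IP = {"www.example.com": "192.0.2.10", "api.example.com": "192.0.2.10"}
SPLIT_IP = {"www.example.com": "192.0.2.10", "api.example.com": "192.0.2.11"}

def parse_servers(conf):
    """Return (listen_host, port, is_default, cert_path) per SSL server block."""
    servers = []
    for body in re.findall(r"server\s*\{(.*?)\n\}", conf, re.S):
        listen = re.search(r"^\s*listen\s+([^\s:;]+):(\d+)([^;]*);", body, re.M)
        cert = re.search(r"^\s*ssl_certificate\s+(\S+);", body, re.M)
        if listen and cert:
            host, port, flags = listen.groups()
            servers.append((host, int(port), "default" in flags.split(), cert.group(1)))
    return servers

def cert_conflicts(conf, resolve):
    """Map each (ip, port) carrying more than one certificate to
    (certificate presented, certificates that are never presented)."""
    by_socket = defaultdict(list)
    for host, port, is_default, cert in parse_servers(conf):
        by_socket[(resolve.get(host, host), port)].append((is_default, cert))
    conflicts = {}
    for sock, entries in by_socket.items():
        certs = [c for _, c in entries]
        if len(set(certs)) > 1:
            # The default block wins; without one, the first block listed does.
            served = next((c for d, c in entries if d), certs[0])
            conflicts[sock] = (served, [c for c in certs if c != served])
    return conflicts
```

With `SHARED_IP` the check reports the api certificate as never presented on 192.0.2.10:443; with `SPLIT_IP`, where each certificate has its own address, it reports nothing.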