cert handling on redirect of https subdomains
Martian Alien
ufospy at hotmail.com
Fri Sep 12 04:27:09 MSD 2008
Interesting. The reason for the limitation makes more sense now. But why do the first *two* virtual domains (example.com and www.example.com) work?
From what I read, only one should work...
All my certs were generated at the same time, and are essentially equivalent except they are tied to different subdomains.
Curious,
Martian
----------------------------------------
> Date: Thu, 11 Sep 2008 12:08:00 +0400
> From: is at rambler-co.ru
> To: nginx at sysoev.ru
> Subject: Re: cert handling on redirect of https subdomains
>
> On Thu, Sep 11, 2008 at 07:56:56AM +0000, Martian Alien wrote:
>
>>
>>> Is api.example.com the same IP address as www.example.com?
>>
>> Yes, we are attempting to set up three virtual domains on the same machine, each with different SSL certificates. The primary domain (www.example.com:443 default) works fine, as does the base domain (example.com:443). But adding more virtual subdomains will return the wrong SSL cert.
>
> You need at least three different IP addresses on the host:
>
> http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47
>
> Otherwise you need a wildcard certificate or a certificate with alternative names.
>
>> ----------------------------------------
>>> Date: Wed, 10 Sep 2008 08:42:41 +0400
>>> From: is at rambler-co.ru
>>> To: nginx at sysoev.ru
>>> Subject: Re: cert handling on redirect of https subdomains
>>>
>>> On Wed, Sep 10, 2008 at 03:59:31AM +0000, Martian Alien wrote:
>>>
>>>> Note that the base domain (example.com) redirects fine to WWW (www.example.com). Then adding a 2nd subdomain, API (api.example.com), returns the WWW certificate rather than the API one and flags a trust concern in most browsers. Tried a listen field with both api.example.com:443 and the local interface 127.0.0.1:443, all fail in the same way. Redirect works fine except it returns the incorrect SSL certificate.
>>>>
>>>> server {
>>>> listen api.example.com:443;
>>>> server_name api.example.com api;
>>>>
>>>> ssl on;
>>>> ssl_certificate /opt/local/nginx/certs/api.example.com.crt;
>>>> ssl_certificate_key /opt/local/nginx/certs/api.example.com.key;
>>>>
>>>> rewrite ^/(.*) https://www.example.com/$1 permanent;
>>>> }
>>>>
>>>> server {
>>>> listen api.example.com:80;
>>>> server_name api.example.com api;
>>>> rewrite ^/(.*) http://www.example.com/$1 permanent;
>>>> }
>>>>
>>>> Thanks again for looking into this concern,
>>>
>>> Is api.example.com the same IP address as www.example.com?
>>>
>>>>> Date: Tue, 9 Sep 2008 10:22:15 +0400
>>>>> From: is at rambler-co.ru
>>>>> To: nginx at sysoev.ru
>>>>> Subject: Re: cert handling on redirect of https subdomains
>>>>>
>>>>> On Tue, Sep 09, 2008 at 05:51:04AM +0000, Martian Alien wrote:
>>>>>
>>>>>> Hi Nginx Group,
>>>>>>
>>>>>> Just wanted to start off by saying nginx is a rad web server! Na zdrowie!
>>>>>>
>>>>>> So we've noticed some issues with setting up https ssl certificates over multiple subdomains.
>>>>>>
>>>>>> The base domain (example.com) and the first subdomain (www.example.com) work beautifully:
>>>>>>
>>>>>> server {
>>>>>> listen www.example.com:443 default;
>>>>>> server_name www.example.com;
>>>>>>
>>>>>> ssl on;
>>>>>> ssl_certificate /opt/local/nginx/certs/www.example.com.crt;
>>>>>> ssl_certificate_key /opt/local/nginx/certs/www.example.com.key;
>>>>>>
>>>>>> location / {
>>>>>> # ...
>>>>>> }
>>>>>> }
>>>>>>
>>>>>> server {
>>>>>> listen www.example.com:80 default;
>>>>>> server_name www.example.com;
>>>>>> location / {
>>>>>> # ...
>>>>>> }
>>>>>> }
>>>>>>
>>>>>> server {
>>>>>> listen example.com:443;
>>>>>> server_name example.com;
>>>>>>
>>>>>> ssl on;
>>>>>> ssl_certificate /opt/local/nginx/certs/example.com.crt;
>>>>>> ssl_certificate_key /opt/local/nginx/certs/example.com.key;
>>>>>>
>>>>>> rewrite ^/(.*) https://www.example.com/$1 permanent;
>>>>>> }
>>>>>>
>>>>>> server {
>>>>>> server_name example.com;
>>>>>> rewrite ^/(.*) http://www.example.com/$1 permanent;
>>>>>> }
>>>>>>
>>>>>> Now, if the following is added, the correct SSL cert for api.example.com is not loaded before the redirect; the www.example.com cert is loaded instead:
>>>>>>
>>>>>> server {
>>>>>> listen 127.0.0.1:443;
>>>>>> server_name api.example.com api;
>>>>>>
>>>>>> ssl on;
>>>>>> ssl_certificate /opt/local/nginx/certs/api.example.com.crt;
>>>>>> ssl_certificate_key /opt/local/nginx/certs/api.example.com.key;
>>>>>>
>>>>>> rewrite ^/(.*) https://www.example.com/$1 permanent;
>>>>>> }
>>>>>>
>>>>>> server {
>>>>>> listen 127.0.0.1:80;
>>>>>> server_name api.example.com api;
>>>>>> rewrite ^/(.*) http://www.example.com/$1 permanent;
>>>>>> }
>>>>>>
>>>>>>
>>>>>> Any ideas on how to set up multiple SSL / HTTPS subdomains, each with their own cert, in nginx?
>>>>>>
>>>>>> I've tried many conf variants. At this point, I'm suspecting it is a bug in nginx, but how would that be possible. =)
>>>>>
>>>>> 127.0.0.1 is the loopback interface; do you connect to it from outside?
>>>>>
>>>>>
>>>>> --
>>>>> Igor Sysoev
>>>>> http://sysoev.ru/en/
>>>>>
>>>>
>>>
>>> --
>>> Igor Sysoev
>>> http://sysoev.ru/en/
>>>
>>
>
> --
> Igor Sysoev
> http://sysoev.ru/en/
>
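The limitation discussed in this thread, as an added example that is not part of the original messages: a simplified Python model in which the server picks its certificate from the destination IP and port alone (no SNI), then checks whether that certificate covers the requested name. The 192.0.2.x addresses, DNS mappings and certificate name lists are constructed for illustration, and the function names are hypothetical.

```python
# Added example: simplified model of certificate selection by listen address.
# All addresses (192.0.2.x documentation range) and name lists are constructed.

def name_matches(pattern, host):
    """Match a certificate name against a hostname; '*' covers exactly one leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(san_names, host):
    return any(name_matches(n, host) for n in san_names)

def served_cert(listeners, dns, host):
    """Return the names in the certificate sent to a client that wanted `host`.

    listeners maps (ip, port) -> names in the default server's certificate.
    The certificate is sent before the Host header arrives, so only the
    destination address decides which one the client receives.
    """
    return listeners[(dns[host], 443)]

def audit(listeners, dns):
    """Map each hostname to True when the certificate it is served covers it."""
    return {h: cert_covers(served_cert(listeners, dns, h), h) for h in dns}

# Case 1: the thread's setup, two names on one address, default server is www.
ONE_IP_DNS = {"www.example.com": "192.0.2.10", "api.example.com": "192.0.2.10"}
ONE_IP = {("192.0.2.10", 443): ["www.example.com"]}

# Case 2: one address per certificate.
PER_IP_DNS = {"www.example.com": "192.0.2.10", "api.example.com": "192.0.2.11"}
PER_IP = {("192.0.2.10", 443): ["www.example.com"],
          ("192.0.2.11", 443): ["api.example.com"]}

# Case 3: one address, one certificate listing every name (alternative names).
SAN_DNS = {**ONE_IP_DNS, "example.com": "192.0.2.10"}
SAN = {("192.0.2.10", 443): ["example.com", "www.example.com", "api.example.com"]}

# Case 4: one address, wildcard certificate; the bare domain is not covered.
WILDCARD = {("192.0.2.10", 443): ["*.example.com"]}

if __name__ == "__main__":
    for label, lst, dns in [("one IP", ONE_IP, ONE_IP_DNS), ("per IP", PER_IP, PER_IP_DNS),
                            ("alt names", SAN, SAN_DNS), ("wildcard", WILDCARD, SAN_DNS)]:
        print(label, audit(lst, dns))
```

In the wildcard case the bare example.com still fails the name check, so a wildcard certificate for this layout also needs example.com listed as an alternative name.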