cert handling on redirect of https subdomains

Martian Alien ufospy at hotmail.com
Fri Sep 12 04:27:09 MSD 2008


Interesting.  The reason for the limitation makes more sense now.  But why do the first *two* virtual domains (example.com and www.example.com) work?

From what I read, only one should work...

All my certs were generated at the same time, and are essentially equivalent except they are tied to different subdomains.

Curious,
Martian

----------------------------------------
> Date: Thu, 11 Sep 2008 12:08:00 +0400
> From: is at rambler-co.ru
> To: nginx at sysoev.ru
> Subject: Re: cert handling on redirect of https subdomains
> 
> On Thu, Sep 11, 2008 at 07:56:56AM +0000, Martian Alien wrote:
> 
>> 
>>> Is api.example.com the same IP address as www.example.com ?
>> 
>> Yes, we are attempting to set up three virtual domains on the same machine, each with different SSL certificates.  The primary domain (www.example.com:443 default) works fine, as does the base domain (example.com:443).  But adding more virtual subdomains will return the wrong SSL cert.
> 
> You need at least three different IP addresses on the host:
> 
> http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47
> 
> Otherwise you need a wildcard certificate or a certificate with alternative names.
> 
>> ----------------------------------------
>>> Date: Wed, 10 Sep 2008 08:42:41 +0400
>>> From: is at rambler-co.ru
>>> To: nginx at sysoev.ru
>>> Subject: Re: cert handling on redirect of https subdomains
>>> 
>>> On Wed, Sep 10, 2008 at 03:59:31AM +0000, Martian Alien wrote:
>>> 
>>>> Note that the base domain (example.com) redirects fine to WWW (www.example.com).  Then adding a 2nd subdomain, API (api.example.com), returns the WWW certificate rather than the API one and flags a trust concern in most browsers.  Tried a listen field with both api.example.com:443 and the local interface 127.0.0.1:443; all fail in the same way.  Redirect works fine except it returns the incorrect SSL certificate.
>>>> 
>>>>   server {
>>>>     listen api.example.com:443;
>>>>     server_name  api.example.com api;
>>>> 
>>>>     ssl on;
>>>>     ssl_certificate /opt/local/nginx/certs/api.example.com.crt; 
>>>>     ssl_certificate_key /opt/local/nginx/certs/api.example.com.key; 
>>>> 
>>>>     rewrite ^/(.*) https://www.example.com/$1 permanent;
>>>>   }
>>>> 
>>>>   server {
>>>>     listen api.example.com:80;
>>>>     server_name  api.example.com api;
>>>>     rewrite ^/(.*) http://www.example.com/$1 permanent;
>>>>   }
>>>> 
>>>> Thanks again for looking into this concern,
>>> 
>>> Is api.example.com the same IP address as www.example.com ?
>>> 
>>>>> Date: Tue, 9 Sep 2008 10:22:15 +0400
>>>>> From: is at rambler-co.ru
>>>>> To: nginx at sysoev.ru
>>>>> Subject: Re: cert handling on redirect of https subdomains
>>>>> 
>>>>> On Tue, Sep 09, 2008 at 05:51:04AM +0000, Martian Alien wrote:
>>>>> 
>>>>>> Hi Nginx Group,
>>>>>> 
>>>>>> Just wanted to start off by saying nginx is a rad web server!  Na zdrowie!
>>>>>> 
>>>>>> So we've noticed some issues with setting up https ssl certificates over multiple subdomains.
>>>>>> 
>>>>>> The base domain (example.com) and the first subdomain (www.example.com) work beautifully:
>>>>>> 
>>>>>>   server {
>>>>>>     listen www.example.com:443 default;
>>>>>>     server_name www.example.com;
>>>>>> 
>>>>>>     ssl on;
>>>>>>     ssl_certificate /opt/local/nginx/certs/www.example.com.crt; 
>>>>>>     ssl_certificate_key /opt/local/nginx/certs/www.example.com.key; 
>>>>>> 
>>>>>>     location / {
>>>>>>       # ...
>>>>>>     }
>>>>>>   }
>>>>>> 
>>>>>>   server {
>>>>>> 
>>>>>>     listen www.example.com:80 default;
>>>>>> 
>>>>>>     server_name www.example.com;
>>>>>>     location / {
>>>>>> 
>>>>>>       # ...
>>>>>> 
>>>>>>     }
>>>>>> 
>>>>>>   }
>>>>>> 
>>>>>> 
>>>>>>   server {
>>>>>>     listen example.com:443;
>>>>>>     server_name  example.com;
>>>>>> 
>>>>>>     ssl on;
>>>>>>     ssl_certificate /opt/local/nginx/certs/example.com.crt; 
>>>>>>     ssl_certificate_key /opt/local/nginx/certs/example.com.key; 
>>>>>> 
>>>>>>     rewrite ^/(.*) https://www.example.com/$1 permanent;
>>>>>>   }
>>>>>> 
>>>>>>   server {
>>>>>>     server_name  example.com;
>>>>>>     rewrite ^/(.*) http://www.example.com/$1 permanent;
>>>>>>   }
>>>>>> 
>>>>>> NOW, if the following is added, the correct SSL cert for api.example.com is not loaded before the redirect; the www.example.com cert is loaded instead:
>>>>>> 
>>>>>>   server {
>>>>>>     listen 127.0.0.1:443;
>>>>>>     server_name  api.example.com api;
>>>>>> 
>>>>>>     ssl on;
>>>>>>     ssl_certificate /opt/local/nginx/certs/api.example.com.crt; 
>>>>>>     ssl_certificate_key /opt/local/nginx/certs/api.example.com.key; 
>>>>>> 
>>>>>>     rewrite ^/(.*) https://www.example.com/$1 permanent;
>>>>>>   }
>>>>>> 
>>>>>>   server {
>>>>>>     listen 127.0.0.1:80;
>>>>>>     server_name  api.example.com api;
>>>>>>     rewrite ^/(.*) http://www.example.com/$1 permanent;
>>>>>>   }
>>>>>> 
>>>>>> 
>>>>>> Any ideas on how to set up multiple SSL / HTTPS subdomains, each with their own cert, in nginx?
>>>>>> 
>>>>>> I've tried many conf variants.  At this point, I'm suspecting it is a bug in nginx, but how would that be possible. =)
>>>>> 
>>>>> 127.0.0.1 is the loopback interface; do you connect to it from outside?
>>>>> 
>>>>> 
>>>>> -- 
>>>>> Igor Sysoev
>>>>> http://sysoev.ru/en/
>>>>> 
>>>> 
>>> 
>>> -- 
>>> Igor Sysoev
>>> http://sysoev.ru/en/
>>> 
>> 
> 
> -- 
> Igor Sysoev
> http://sysoev.ru/en/
> 

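A constructed model of the rule Igor is pointing at, added here and not part of the thread: before SNI, nginx picks the server block (and therefore the certificate) from the address and port the client connected to, so every name sharing an ip:port gets the default block's cert. The IPs, the assumption that www and api resolve to one address while example.com has its own, and the SAN fix are all my assumptions for illustration.

```python
# Added example, not from the thread. Models pre-SNI nginx: the TLS handshake
# happens before any Host header exists, so only (ip, port) selects the block.

def select_server(servers, ip, port):
    """Block that answers a TLS connection to ip:port: the one marked default,
    otherwise the first block listening on that address."""
    candidates = [s for s in servers if s["listen"] == (ip, port)]
    if not candidates:
        return None
    defaults = [s for s in candidates if s.get("default")]
    return (defaults or candidates)[0]

def name_matches(pattern, hostname):
    """RFC 6125-style check: exact name, or one leading wildcard label.
    Caveat a practitioner wants: *.example.com does NOT cover example.com."""
    if pattern.startswith("*."):
        return (hostname.count(".") == pattern.count(".")
                and hostname.lower().endswith(pattern[1:].lower()))
    return pattern.lower() == hostname.lower()

def cert_trusted_for(cert_names, hostname):
    return any(name_matches(n, hostname) for n in cert_names)

# Constructed model of the quoted config. "listen www.example.com:443" resolves
# to an address; assumed: www and api share 192.0.2.10, example.com is 192.0.2.11.
SERVERS = [
    {"listen": ("192.0.2.10", 443), "default": True, "cert": ["www.example.com"]},
    {"listen": ("192.0.2.11", 443), "cert": ["example.com"]},
    {"listen": ("192.0.2.10", 443), "cert": ["api.example.com"]},
]
DNS = {"www.example.com": "192.0.2.10", "example.com": "192.0.2.11",
       "api.example.com": "192.0.2.10"}

def cert_seen_by(servers, hostname):
    """Certificate a browser visiting https://hostname actually receives."""
    block = select_server(servers, DNS[hostname], 443)
    return block["cert"] if block else None

def browser_ok(servers, hostname):
    """True when the presented cert is valid for the name the user typed."""
    return cert_trusted_for(cert_seen_by(servers, hostname), hostname)

def with_san_cert(servers):
    """Igor's second option: one cert with alternative names on the default
    block, so whichever block wins the ip:port race still matches every name."""
    san = ["www.example.com", "example.com", "api.example.com"]
    return [dict(s, cert=san) if s.get("default") else s for s in servers]
```

Running `browser_ok(SERVERS, "api.example.com")` reproduces the trust warning from the thread, while `with_san_cert(SERVERS)` or a wildcard removes it without a third address.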
