cert handling on redirect of https subdomains
Igor Sysoev
is at rambler-co.ru
Fri Sep 12 10:03:31 MSD 2008
On Fri, Sep 12, 2008 at 12:27:09AM +0000, Martian Alien wrote:
> Interesting. The reason for the limitation makes more sense now. But why do the first *two* virtual domains (example.com and www.example.com) work?
>
> From what I read, only one should work...
>
> All my certs were generated at the same time, and are essentially equivalent except they are tied to different subdomains.
Yes, only www.example.com should work if all three sites listen on a
single IP address. I do not know why https://example.com works in your case.
The only idea that crosses my mind: some time ago you might have stored this
exception in your browser. Try to use a fresh browser or look inside the
browser's security settings.
> ----------------------------------------
> > Date: Thu, 11 Sep 2008 12:08:00 +0400
> > From: is at rambler-co.ru
> > To: nginx at sysoev.ru
> > Subject: Re: cert handling on redirect of https subdomains
> >
> > On Thu, Sep 11, 2008 at 07:56:56AM +0000, Martian Alien wrote:
> >
> >>
> >>> Is api.example.com the same IP address as www.example.com ?
> >>
> >> Yes, we are attempting to setup three virtual domains on the same machine, each with different SSL certificates. The primary domain (www.example.com:443 default) works fine, as does the base domain (example.com:443). But adding more virtual subdomains will return the wrong SSL cert.
> >
> > You need at least three different IP addresses on the host:
> >
> > http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47
> >
> > Otherwise you need wildcard certificate or certificate with alternative names.
> >
> >> ----------------------------------------
> >>> Date: Wed, 10 Sep 2008 08:42:41 +0400
> >>> From: is at rambler-co.ru
> >>> To: nginx at sysoev.ru
> >>> Subject: Re: cert handling on redirect of https subdomains
> >>>
> >>> On Wed, Sep 10, 2008 at 03:59:31AM +0000, Martian Alien wrote:
> >>>
> >>>> Note that the base domain (example.com) redirects fine to WWW (www.example.com). Then adding a 2nd subdomain, API (api.example.com), returns the WWW certificate rather than the API one and flags a trust concern in most browsers. Tried a listen field with both api.example.com:443 and the local interface 127.0.0.1:443, all fail in the same way. Redirect works fine except it returns the incorrect SSL certificate.
> >>>>
> >>>> server {
> >>>> listen api.example.com:443;
> >>>> server_name api.example.com api;
> >>>>
> >>>> ssl on;
> >>>> ssl_certificate /opt/local/nginx/certs/api.example.com.crt;
> >>>> ssl_certificate_key /opt/local/nginx/certs/api.example.com.key;
> >>>>
> >>>> rewrite ^/(.*) https://www.example.com/$1 permanent;
> >>>> }
> >>>>
> >>>> server {
> >>>> listen api.example.com:80;
> >>>> server_name api.example.com api;
> >>>> rewrite ^/(.*) http://www.example.com/$1 permanent;
> >>>> }
> >>>>
> >>>> Thanks again for looking into this concern,
> >>>
> >>> Is api.example.com the same IP address as www.example.com ?
> >>>
> >>>>> Date: Tue, 9 Sep 2008 10:22:15 +0400
> >>>>> From: is at rambler-co.ru
> >>>>> To: nginx at sysoev.ru
> >>>>> Subject: Re: cert handling on redirect of https subdomains
> >>>>>
> >>>>> On Tue, Sep 09, 2008 at 05:51:04AM +0000, Martian Alien wrote:
> >>>>>
> >>>>>> Hi Nginx Group,
> >>>>>>
> >>>>>> Just wanted to start off by saying nginx is a rad web server! Na zdrowie!
> >>>>>>
> >>>>>> So we've noticed some issues with setting up https ssl certificates over multiple subdomains.
> >>>>>>
> >>>>>> The base domain (example.com) and the first subdomain (www.example.com) work beautifully:
> >>>>>>
> >>>>>> server {
> >>>>>> listen www.example.com:443 default;
> >>>>>> server_name www.example.com;
> >>>>>>
> >>>>>> ssl on;
> >>>>>> ssl_certificate /opt/local/nginx/certs/www.example.com.crt;
> >>>>>> ssl_certificate_key /opt/local/nginx/certs/www.example.com.key;
> >>>>>>
> >>>>>> location / {
> >>>>>> # ...
> >>>>>> }
> >>>>>> }
> >>>>>>
> >>>>>> server {
> >>>>>> listen www.example.com:80 default;
> >>>>>> server_name www.example.com;
> >>>>>>
> >>>>>> location / {
> >>>>>> # ...
> >>>>>> }
> >>>>>> }
> >>>>>>
> >>>>>>
> >>>>>> server {
> >>>>>> listen example.com:443;
> >>>>>> server_name example.com;
> >>>>>>
> >>>>>> ssl on;
> >>>>>> ssl_certificate /opt/local/nginx/certs/example.com.crt;
> >>>>>> ssl_certificate_key /opt/local/nginx/certs/example.com.key;
> >>>>>>
> >>>>>> rewrite ^/(.*) https://www.example.com/$1 permanent;
> >>>>>> }
> >>>>>>
> >>>>>> server {
> >>>>>> server_name example.com;
> >>>>>> rewrite ^/(.*) http://www.example.com/$1 permanent;
> >>>>>> }
> >>>>>>
> >>>>>> NOW, If the following is added, the correct SSL cert for api.example.com is not loaded before the redirect, the www.example.com cert is loaded instead:
> >>>>>>
> >>>>>> server {
> >>>>>> listen 127.0.0.1:443;
> >>>>>> server_name api.example.com api;
> >>>>>>
> >>>>>> ssl on;
> >>>>>> ssl_certificate /opt/local/nginx/certs/api.example.com.crt;
> >>>>>> ssl_certificate_key /opt/local/nginx/certs/api.example.com.key;
> >>>>>>
> >>>>>> rewrite ^/(.*) https://www.example.com/$1 permanent;
> >>>>>> }
> >>>>>>
> >>>>>> server {
> >>>>>> listen 127.0.0.1:80;
> >>>>>> server_name api.example.com api;
> >>>>>> rewrite ^/(.*) http://www.example.com/$1 permanent;
> >>>>>> }
> >>>>>>
> >>>>>>
> >>>>>> Any ideas on how, to setup multiple SSL / HTTPS subdomains, each with their own cert in nginx?
> >>>>>>
> >>>>>> I've tried many conf variants. At this point, I'm suspecting it is a bug in nginx, but how would that be possible. =)
> >>>>>
> >>>>> 127.0.0.1 is the loopback interface; do you connect to it from outside?
> >>>>>
> >>>>>
> >>>>> --
> >>>>> Igor Sysoev
> >>>>> http://sysoev.ru/en/
> >>>>>
> >>>>
> >>>
> >>> --
> >>> Igor Sysoev
> >>> http://sysoev.ru/en/
> >>>
> >>
> >
> > --
> > Igor Sysoev
> > http://sysoev.ru/en/
> >
>
--
Igor Sysoev
http://sysoev.ru/en/
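Added example, not part of the thread: a small Python model of the certificate selection the replies above describe. Without SNI the server knows only the socket address at handshake time, so every name on one IP:port receives the default server block's certificate; the model shows the thread's setup failing for api.example.com and both remedies from the reply (one IP per certificate, or one certificate with alternative names / a wildcard) passing. All addresses, names and certificate contents are constructed for illustration.

```python
# Added example (not from the thread): models a TLS server that does not use SNI,
# as in this 2008 nginx setup. Only the socket address is known during the
# handshake; the Host header arrives afterwards, so every name on a shared
# IP:port gets the default server block's certificate. Values are constructed.
from dataclasses import dataclass

@dataclass
class Server:
    listen: str        # "ip:port" from the listen directive
    names: list        # server_name values
    cert_names: list   # names the certificate covers (CN/SAN, or a wildcard)
    default: bool = False

def cert_covers(cert_names, host):
    """True if a CN/SAN entry matches host; '*.example.com' covers one label only."""
    for name in cert_names:
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False

def select_server(servers, listen):
    """Pre-SNI: choose by socket address only, preferring the block marked default."""
    on_addr = [s for s in servers if s.listen == listen]
    defaults = [s for s in on_addr if s.default]
    return (defaults or on_addr or [None])[0]

def served_cert_matches(servers, listen, host):
    """Does a client asking for host on this address receive a cert valid for it?"""
    s = select_server(servers, listen)
    return s is not None and cert_covers(s.cert_names, host)

# The thread's setup: three blocks, three certificates, one shared address.
ONE_IP = [
    Server("203.0.113.10:443", ["www.example.com"], ["www.example.com"], True),
    Server("203.0.113.10:443", ["example.com"], ["example.com"]),
    Server("203.0.113.10:443", ["api.example.com", "api"], ["api.example.com"]),
]
# Fix A from the reply: a separate IP address for each certificate.
PER_IP = [
    Server("203.0.113.10:443", ["www.example.com"], ["www.example.com"], True),
    Server("203.0.113.11:443", ["example.com"], ["example.com"]),
    Server("203.0.113.12:443", ["api.example.com", "api"], ["api.example.com"]),
]
# Fix B: one certificate with alternative names (or a wildcard) on the shared IP.
ONE_CERT = [Server("203.0.113.10:443", ["www.example.com"],
                   ["example.com", "*.example.com"], True)]
```

Modern nginx and browsers use SNI, which carries the hostname inside the handshake and removes the one-IP-per-certificate constraint discussed here.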