several ssl certs -> trouble

Nick Pearson nick.pearson at gmail.com
Thu Sep 10 19:06:10 MSD 2009


Make sure you give the IP address when listening on port 443.  (I
believe this is only necessary when you're using multiple certs on a
single box.)  Each SSL cert needs its own IP, until the browser
vendors (IE in particular) support multiple certs being hosted on a
single IP.

# www.domain.tld
server {
    listen  1.2.3.4:443;
    ...
}

# sub.domain.tld
server {
    listen  1.2.3.5:443;
    ...
}

This is due to the way the SSL handshake works.  The domain isn't sent
along with the original request -- only the IP.  So basically the
browser says "show me the certificate for this IP", at which point the
server doesn't know what domain the browser is expecting the
certificate to be for.  That's where a domain mismatch certificate
error will show up.

Nick


On Thu, Sep 10, 2009 at 9:29 AM, inbreed <nginx-forum at nginx.us> wrote:
> Hi,
>
> I installed nginx having 5-6 domains set up, each w/ some subdomains; runs well!
>
> Now that I added some SSL certificates, I noticed that the server seems to use the same cert for all 443 server settings.
>
> Example: I have www.domain.tld and sub.domain.tld.
> Using the www.. I get a pass on validation; sub instead claims that the cert is for www. only.
>
> Now I see there are different SSL certs given in the config and with different contents. Reading the cert data also displays the sub instead of www for the 2nd cert.
>
> Since I am completely new to nginx and SSL itself, I wonder 1) how to solve this or 2) what information I can provide in order to get a solution for solving this issue.
>
> My structure is:
>
> nginx.conf: include /etc/nginx/sites-and-settings/*;
>
> In sites-and-settings, there's a file for each domain, like net.domain.www, net.domain.tld and so on,
> each containing at least one server { } part, one for :80 and one for :443.
>
> If anyone cares - or it matters ;)
>
> Kind Regards so far
> inbreed
>
> Posted at Nginx Forum: http://forum.nginx.org/read.php?2,6292,6292#msg-6292
>
>
>
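As an added check that is not part of this thread, the small Python lint below parses server blocks laid out the way the poster describes and reports every listen address that would have to present more than one certificate, which is exactly the situation Nick's one-IP-per-cert advice avoids. The sample config and certificate paths are constructed for illustration, and the parser assumes flat server blocks.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the post's layout: one server block per
# domain, each with a bare 'listen 443'. Cert paths are placeholders.
SAMPLE_CONF = """
server {
    listen  443;
    ssl_certificate  /etc/nginx/certs/www.domain.tld.crt;
    server_name www.domain.tld;
}
server {
    listen  443;
    ssl_certificate  /etc/nginx/certs/sub.domain.tld.crt;
    server_name sub.domain.tld;
}
server {
    listen  80;
    server_name www.domain.tld sub.domain.tld;
}
"""

# Assumes flat server blocks (no nested location { } inside them).
SERVER_RE = re.compile(r"server\s*\{(.*?)\}", re.S)
DIRECTIVE_RE = re.compile(r"\b(listen|ssl_certificate|server_name)\s+([^;]+);")

def parse_servers(conf):
    """One dict per server block: normalised listen addresses, cert path, names."""
    blocks = []
    for m in SERVER_RE.finditer(conf):
        d = {"listen": [], "ssl_certificate": None, "server_name": None}
        for name, value in DIRECTIVE_RE.findall(m.group(1)):
            value = value.strip()
            if name == "listen":
                addr = value.split()[0]          # drop flags such as 'default ssl'
                d["listen"].append(addr if ":" in addr else "*:" + addr)
            else:
                d[name] = value
        blocks.append(d)
    return blocks

def shared_listen_conflicts(conf):
    """Listen addresses bound to more than one distinct certificate file."""
    certs_by_addr = defaultdict(set)
    for s in parse_servers(conf):
        if s["ssl_certificate"]:                # plain-http blocks are irrelevant
            for addr in s["listen"]:
                certs_by_addr[addr].add(s["ssl_certificate"])
    return {a: c for a, c in certs_by_addr.items() if len(c) > 1}
```

Running `shared_listen_conflicts(SAMPLE_CONF)` returns `*:443` with both certificates, the same collision the poster hit; once each SSL server block listens on its own IP the result is empty.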