Multiple certs on one server

David J. david at styleflare.com
Fri Dec 31 15:28:58 MSK 2010


I was trying to take a second look at this.

I get this error (Error code: ssl_error_rx_record_too_long)

I am just testing the solution using self-signed certs.


Here are my server blocks.

server {
         index index.html;
         listen       80;
         listen 443;
         server_name  domain1.com;
         root        /var/www/www.domain1.com/;
         access_log  /var/log/nginx/domain1.com.access.log;


         ssl off;
         ssl_certificate /apps/ssl/domain1.crt;
         ssl_certificate_key /apps/ssl/domain1.key;
         #ssl_prefer_server_ciphers       on;
         #ssl_ciphers HIGH:!ADH;

         ...

}


server {
         index index.html;
         listen       80;
         listen 443;
         server_name  domain2.com;
         root        /var/www/www.domain2.com/;
         access_log  /var/log/nginx/domain2.com.access.log;


         ssl off;
         ssl_certificate /apps/ssl/domain2.crt;
         ssl_certificate_key /apps/ssl/domain2.key;
         #ssl_prefer_server_ciphers       on;
         #ssl_ciphers HIGH:!ADH;

         ...

}


On 12/22/10 12:18 AM, David Newman wrote:
> On 12/20/2010 05:03 PM, David J. wrote:
>> On the topic of SSL;
>>
>> Is there any possible way to run multiple certs on one IP?
>>
>> I don't think this is possible as per the SPEC; but I am not an expert.
> Me neither, but there's nothing wrong with this. The CN in a cert is
> bound to a string such as a hostname, not to an IP address. (The string
> could also be someone's name, or any other text, including an IP address
> -- but as a text string). SSL works above the network layer and doesn't
> care about L3 addressing.
>
> So, if you've got multiple virtual hosts on a single IP address, you
> have a couple of choices:
>
> a. Use one cert per virtual host
>
> b. Use one cert for all virtual hosts and chain them using the
> subjectAltName parameter in openssl.cnf. This is what I did on the
> server in the original post in this thread.
>
> Here's a thread from a few years ago when I was getting (b) set up:
>
> http://readlist.com/lists/openssl.org/openssl-users/0/4040.html
>
> You can buy chained certs that do this from multiple registrars; I got
> one from GoDaddy but concur with others' description about the GD web site.
>
> dn
>
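
The browser error quoted in this message is what a TLS client reports when the first bytes it receives on port 443 are not a valid TLS record, for example a cleartext HTTP reply. The following diagnostic is an added example, not part of the original post or of nginx: it parses the first five bytes of a reply the way a client does. The function names and sample bytes are constructed for illustration, and `probe` assumes you point it at a server you run.

```python
import socket
import ssl
import struct

# RFC 5246 section 6.2.3: a TLSCiphertext fragment must not exceed 2^14 + 2048 bytes.
MAX_RECORD_LEN = 2**14 + 2048
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

def classify_first_bytes(data: bytes) -> dict:
    """Read a reply's first 5 bytes as a TLS record header, as a client would."""
    if len(data) < 5:
        return {"verdict": "short-read", "length": None, "too_long": False}
    ctype, major, _minor, length = struct.unpack("!BBBH", data[:5])
    too_long = length > MAX_RECORD_LEN
    if ctype in CONTENT_TYPES and major == 3 and not too_long:
        verdict = "tls:" + CONTENT_TYPES[ctype]
    elif all(32 <= b < 127 for b in data[:5]):
        verdict = "plaintext"   # e.g. an HTTP status line or an HTML error page
    else:
        verdict = "unknown"
    return {"verdict": verdict, "length": length, "too_long": too_long}

def client_hello(server_name: str) -> bytes:
    """Build a real ClientHello in memory (no network) using the ssl module."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ssl.create_default_context().wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                     # expected: the handshake now waits for the server
    return outgoing.read()

def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Send a ClientHello to your own server and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(host))
        buf = b""
        while len(buf) < 5:
            chunk = sock.recv(5 - len(buf))
            if not chunk:
                break
            buf += chunk
    return classify_first_bytes(buf)

# Constructed sample replies (not captured from any real server).
SAMPLES = {
    "http-status": b"HTTP/1.1 400 Bad Request\r\n",
    "html-body": b"<html>\r\n<head><title>400 Bad Request</title>",
    "tls-handshake": bytes.fromhex("160303005a02000056"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_first_bytes(raw))
```

A `plaintext` verdict with `too_long` set means the listener on that port answered without TLS: the bytes `P/` of `HTTP/` land in the record-length field and decode to 20527, above the 18432-byte limit.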



