Nginx SNI and Letsencrypt on FreeBSD; Wrong certificate?

NuLL3rr0r nginx-forum at forum.nginx.org
Mon Aug 29 08:03:10 UTC 2016


Hi there,

I have a VPS with 14 domains and I set up letsencrypt to automatically
retrieve a separate certificate for each domain with all sub-domains
included. So, I have 14 certs. Obviously, putting all domains in one cert is
not an option because soon I'll hit the maximum of 100 domains/sub-domains per
cert for Letsencrypt.

So, I was happy for a month until I found out that nginx serves the wrong cert
for all domains except one (the one that it automatically picks up - or that
I'll set - as the default server for port 443). After a lot of headache, I
found out that each SSL cert must have its own IP, not a shared one. Then I
also found out that there is SNI as a workaround for this issue.


    $ nginx -V
    TLS SNI support enabled


So, to make a long story short: the problem is that no matter what I do, nginx
stubbornly serves the wrong cert:

    $ curl --insecure -v https://babaei.net 2>&1 | awk 'BEGIN { cert=0 } /^\* Server certificate:/ { cert=1 } /^\*/ { if (cert) print }'
    * Server certificate:
    *  subject: CN=babaei.net
    *  start date: Aug 28 13:30:00 2016 GMT
    *  expire date: Nov 26 13:30:00 2016 GMT
    *  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
    *  SSL certificate verify ok.
    * Connection #0 to host babaei.net left intact

    $ curl --insecure -v https://learnmyway.net 2>&1 | awk 'BEGIN { cert=0 } /^\* Server certificate:/ { cert=1 } /^\*/ { if (cert) print }'
    * Server certificate:
    *  subject: CN=babaei.net
    *  start date: Aug 28 13:30:00 2016 GMT
    *  expire date: Nov 26 13:30:00 2016 GMT
    *  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
    *  SSL certificate verify ok.
    * Connection #0 to host learnmyway.net left intact

    $ curl --insecure -v https://3rr0r.org 2>&1 | awk 'BEGIN { cert=0 } /^\* Server certificate:/ { cert=1 } /^\*/ { if (cert) print }'
    * Server certificate:
    *  subject: CN=babaei.net
    *  start date: Aug 28 13:30:00 2016 GMT
    *  expire date: Nov 26 13:30:00 2016 GMT
    *  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
    *  SSL certificate verify ok.
    * Connection #0 to host 3rr0r.org left intact

And, don't get me wrong, the actual certs are what they are supposed to be:

    $ openssl x509 -noout -subject -in /path/to/certs/babaei.net.pem
    subject= /CN=babaei.net

    $ openssl x509 -noout -subject -in /path/to/certs/learnmyway.net.pem
    subject= /CN=learnmyway.net

    $ openssl x509 -noout -subject -in /path/to/certs/3rr0r.org.pem
    subject= /CN=3rr0r.org

So, let's say we have two domains, alpha.com and omega.com. How would you
configure SNI-enabled nginx to serve the right SSL cert for each?

    server {
      server_tokens  off;

      listen  443 ssl http2;
      listen  [::]:443 ssl http2;
      server_name  www.alpha.com;

      ssl  on;
      ssl_certificate  /path/to/alpha.com/cert.pem;
      ssl_certificate_key /path/to/alpha.com/key.pem;
    }

    server {
      server_tokens  off;

      listen  443 ssl http2;
      listen  [::]:443 ssl http2;
      server_name  www.omega.com;

      ssl  on;
      ssl_certificate  /path/to/omega.com/cert.pem;
      ssl_certificate_key /path/to/omega.com/key.pem;
    }

Thanks

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269263,269263#msg-269263
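An added diagnostic, not part of the original post or of nginx: it connects with an explicit SNI name and compares the served certificate's CN and SAN entries against the name that was requested, which makes a gap between the name curl asks for (above, the bare domains) and the configured `server_name` (above, `www.alpha.com`) visible as a reported mismatch. Unlike `curl --insecure`, it keeps chain verification on and disables only the hostname check, so the wrong cert is reported rather than either accepted silently or aborted on. The host names in the usage comment are assumptions.

```python
import socket
import ssl
import sys
from dataclasses import dataclass

@dataclass
class ServedCert:
    requested_name: str   # the SNI name sent in the ClientHello
    subject_cn: str       # CN of the certificate the server chose
    san_names: list       # DNS entries from subjectAltName

    def matches(self) -> bool:
        return hostname_matches(self.requested_name, [self.subject_cn] + self.san_names)

def hostname_matches(host: str, names: list) -> bool:
    """Minimal RFC 6125-style check: exact match or a single-label wildcard."""
    host = host.lower().rstrip(".")
    label, _, parent = host.partition(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and label and parent == name[2:]:
            return True
    return False

def describe(cert: dict, requested_name: str) -> ServedCert:
    """Turn the dict returned by SSLSocket.getpeercert() into a ServedCert."""
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return ServedCert(requested_name, subject.get("commonName", ""), sans)

def fetch_served_cert(host: str, sni_name: str = None, port: int = 443) -> ServedCert:
    """Connect to host, send sni_name (default: host) and return the cert the server chose."""
    sni_name = sni_name or host
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # keep chain verification, but report a name mismatch instead of aborting
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
            return describe(tls.getpeercert(), sni_name)

if __name__ == "__main__":
    # usage (host names are assumptions): python sni_check.py babaei.net learnmyway.net www.learnmyway.net
    for name in sys.argv[1:]:
        served = fetch_served_cert(name)
        status = "OK" if served.matches() else "MISMATCH"
        print(f"{name}: {status} (CN={served.subject_cn}, SAN={served.san_names})")
```

Run it once with the bare domain and once with the www name; if only one of the two reports OK, the `server_name` directive, not SNI support, is what needs attention.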
