Nginx SNI and Letsencrypt on FreeBSD; Wrong certificate?
NuLL3rr0r
nginx-forum at forum.nginx.org
Mon Aug 29 08:03:10 UTC 2016
Hi there,
I have a VPS with 14 domains and I set up letsencrypt to automatically
retrieve a separate certificate for each domain with all sub-domains
included. So, I have 14 certs. Obviously, putting all domains in one cert is
not an option because soon I'll hit the maximum of 100 domains/sub-domains per
cert for Letsencrypt.
So, I was happy for a month until I found out that nginx serves the wrong certs
for all domains except one (the one that it automatically picks up - or that
I'll set - as the default server for port 443). After a lot of headache I
found out that each SSL cert must have its own IP, not a shared one. Then
I also found out that there is SNI as a workaround for this issue.
$ nginx -V
TLS SNI support enabled
So, to make a long story short: the problem is that no matter what I do, nginx
stubbornly serves the wrong cert:
$ curl --insecure -v https://babaei.net 2>&1 | awk 'BEGIN { cert=0 } /^\* Server certificate:/ { cert=1 } /^\*/ { if (cert) print }'
* Server certificate:
* subject: CN=babaei.net
* start date: Aug 28 13:30:00 2016 GMT
* expire date: Nov 26 13:30:00 2016 GMT
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
* Connection #0 to host babaei.net left intact
$ curl --insecure -v https://learnmyway.net 2>&1 | awk 'BEGIN { cert=0 } /^\* Server certificate:/ { cert=1 } /^\*/ { if (cert) print }'
* Server certificate:
* subject: CN=babaei.net
* start date: Aug 28 13:30:00 2016 GMT
* expire date: Nov 26 13:30:00 2016 GMT
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
* Connection #0 to host learnmyway.net left intact
$ curl --insecure -v https://3rr0r.org 2>&1 | awk 'BEGIN { cert=0 } /^\* Server certificate:/ { cert=1 } /^\*/ { if (cert) print }'
* Server certificate:
* subject: CN=babaei.net
* start date: Aug 28 13:30:00 2016 GMT
* expire date: Nov 26 13:30:00 2016 GMT
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
* Connection #0 to host 3rr0r.org left intact
And, don't get me wrong, the actual certs are what they are supposed to be:
$ openssl x509 -noout -subject -in /path/to/certs/babaei.net.pem
subject= /CN=babaei.net
$ openssl x509 -noout -subject -in /path/to/certs/learnmyway.net.pem
subject= /CN=learnmyway.net
$ openssl x509 -noout -subject -in /path/to/certs/3rr0r.org.pem
subject= /CN=3rr0r.org
So, let's say we have two domains, alpha.com and omega.com. How would you
configure SNI-enabled nginx to serve the right SSL cert for each?
server {
    server_tokens off;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.alpha.com;
    ssl on;
    ssl_certificate /path/to/alpha.com/cert.pem;
    ssl_certificate_key /path/to/alpha.com/key.pem;
}

server {
    server_tokens off;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.omega.com;
    ssl on;
    ssl_certificate /path/to/omega.com/cert.pem;
    ssl_certificate_key /path/to/omega.com/key.pem;
}
Thanks
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269263,269263#msg-269263
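Added example (not from the post or from nginx): a small Python model of nginx's server_name selection that reports which ssl_certificate a given SNI name receives from a config like the one above. An SNI name that matches no server_name falls through to the port's default server (the first one listed for that port unless one carries default_server), so the certificate observed with curl is decided by name matching, not by which cert file is correct. The config string and cert paths are a constructed, trimmed copy of the post's two server blocks.

```python
import re

# Added example: constructed, trimmed copy of the post's two server blocks (no default_server).
CONFIG = """
server {
    listen 443 ssl http2;
    server_name www.alpha.com;
    ssl_certificate /path/to/alpha.com/cert.pem;
}
server {
    listen 443 ssl http2;
    server_name www.omega.com;
    ssl_certificate /path/to/omega.com/cert.pem;
}
"""

def parse_servers(config):
    """Parse flat `server { ... }` blocks (one directive per line, no nesting)."""
    servers = []
    for body in re.findall(r"server\s*\{(.*?)\}", config, re.S):
        srv = {"names": [], "ports": set(), "default": False, "cert": None}
        for parts in (ln.strip().rstrip(";").split() for ln in body.splitlines()):
            if parts and parts[0] == "server_name":
                srv["names"] += parts[1:]
            elif parts and parts[0] == "listen":  # "443" or "[::]:443" -> "443"
                srv["ports"].add(parts[1].rsplit(":", 1)[-1])
                srv["default"] |= "default_server" in parts
            elif parts and parts[0] == "ssl_certificate":
                srv["cert"] = parts[1]
        servers.append(srv)
    return servers

def select_server(servers, host, port="443"):
    """nginx order: exact name, longest '*.x', longest 'x.*', then the port's
    default server (first listed unless marked). Regex names '~...' are not modelled."""
    cands = [s for s in servers if port in s["ports"]]
    for s in cands:
        if host in s["names"]:
            return s
    for kind in ("lead", "trail"):
        hits = [(n, s) for s in cands for n in s["names"]
                if (kind == "lead" and n.startswith("*.") and host.endswith(n[1:]))
                or (kind == "trail" and n.endswith(".*") and host.startswith(n[:-1]))]
        if hits:
            return max(hits, key=lambda h: len(h[0]))[1]
    defaults = [s for s in cands if s["default"]]
    return (defaults or cands or [None])[0]

def cert_for(config, host, port="443"):
    srv = select_server(parse_servers(config), host, port)
    return srv["cert"] if srv else None  # None when nothing listens on the port
```

Running cert_for(CONFIG, "omega.com") returns the alpha.com certificate because the bare name matches neither server_name and the first 443 server is the default; only names that actually match a server_name get their own cert.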