Nginx SNI and Letsencrypt on FreeBSD; Wrong certificate?
Maxim Dounin
mdounin at mdounin.ru
Mon Aug 29 10:49:10 UTC 2016
Hello!
On Mon, Aug 29, 2016 at 04:03:10AM -0400, NuLL3rr0r wrote:
[...]
> So make the long story short; The problem is no matter what I do nginx
> stubbornly serves the wrong cert:
>
> $ curl --insecure -v https://babaei.net 2>&1 | awk 'BEGIN { cert=0 }
> /^\* Server certificate:/ { cert=1 } /^\*/ { if (cert) print }'
> * Server certificate:
> * subject: CN=babaei.net
> * start date: Aug 28 13:30:00 2016 GMT
> * expire date: Nov 26 13:30:00 2016 GMT
> * issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
> * SSL certificate verify ok.
> * Connection #0 to host babaei.net left intact
>
> $ curl --insecure -v https://learnmyway.net 2>&1 | awk 'BEGIN { cert=0 }
> /^\* Server certificate:/ { cert=1 } /^\*/ { if (cert) print }'
> * Server certificate:
> * subject: CN=babaei.net
[...]
> So, let's say we have two domains alpha.com and omega.com. How would you
> configure SNI enabled nginx to serve the right SSL cert for each?
>
> server {
> server_tokens off;
>
> listen 443 ssl http2;
> listen [::]:443 ssl http2;
> server_name www.alpha.com;
Note that the name requested must be listed in the server_name
directive. Names not listed are expected to be handled in the
default server{} block, and probably this is what happens in your
case as you request names without "www", but your configuration
contains only names with "www" prefix.
Additional reading:
http://nginx.org/en/docs/http/server_names.html
http://nginx.org/en/docs/http/configuring_https_servers.html
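As an added illustration (not part of the thread), the following Python model of nginx's server_name lookup shows why requesting a bare name, when only the "www" form is configured, lands in the default server and gets that server's certificate. The Server class, select_server function and the /path/to/... certificate paths are constructed for this example.

```python
import re
from dataclasses import dataclass

@dataclass
class Server:
    names: list            # server_name entries as written in the config
    cert: str              # ssl_certificate path (constructed placeholder)
    default: bool = False  # "listen ... default_server"

def select_server(servers, host):
    """Block nginx picks: exact, longest '*.x', longest 'x.*', first regex, else default."""
    host = host.lower().rstrip(".")
    exact, leading, trailing, regex = [], [], [], []
    for s in servers:
        for n in s.names:
            if n.startswith("~"):      # "~regex"; "~*regex" is case-insensitive
                flags = re.IGNORECASE if n.startswith("~*") else 0
                regex.append((re.compile(n.lstrip("~*"), flags), s))
            elif n.startswith(("*.", ".")):
                leading.append((n.lower(), s))
            elif n.endswith(".*"):
                trailing.append((n.lower()[:-1], s))   # keep the trailing dot
            else:
                exact.append((n.lower(), s))
    for n, s in exact:
        if n == host:
            return s
    # "*.alpha.com" matches subdomains only; ".alpha.com" also matches "alpha.com".
    hits = [(n, s) for n, s in leading
            if host.endswith(n.lstrip("*")) or (n[0] == "." and host == n[1:])]
    if hits:
        return max(hits, key=lambda t: len(t[0]))[1]
    hits = [(n, s) for n, s in trailing if host.startswith(n)]
    if hits:
        return max(hits, key=lambda t: len(t[0]))[1]
    for pat, s in regex:
        if pat.search(host):
            return s
    # No server_name matched: the default server answers, with its certificate.
    return next((s for s in servers if s.default), servers[0])

# Constructed reproduction of the thread: only "www" names are listed, so a
# bare name falls through to the default (first) block and its certificate.
BROKEN = [
    Server(["www.alpha.com"], "/path/to/alpha.com/cert.pem"),
    Server(["www.omega.com"], "/path/to/omega.com/cert.pem"),
]
# What the reply asks for: list every name a client may send in SNI or Host.
FIXED = [
    Server(["alpha.com", "www.alpha.com"], "/path/to/alpha.com/cert.pem"),
    Server(["omega.com", "www.omega.com"], "/path/to/omega.com/cert.pem"),
]
```

Running `select_server(BROKEN, "omega.com").cert` returns alpha.com's certificate, which is exactly the symptom in the quoted curl output; the same lookup against FIXED returns omega.com's.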
> ssl on;
> ssl_certificate /path/to/alpha.com/cert.pem;
> ssl_certificate_key /path/to/alpha.com/key.pem;
Just a side note: "ssl on" is not needed as long as you use
"listen ... ssl".
--
Maxim Dounin
http://nginx.org/