Nginx not loading different certs on two hosts

Maxim Dounin mdounin at mdounin.ru
Thu Dec 10 14:42:16 UTC 2020


Hello!

On Wed, Dec 09, 2020 at 11:34:38PM +0200, Nikolaos Milas wrote:

> Hello,
> 
> On a Centos 7 with nginx-1.18.0 I have configured two vhosts, as follows:
> 
> First one:
> 
> server {
> 
>      listen [::]:80 ipv6only=off;
> 
>      listen    443 ssl http2 default deferred;
>      listen    [::]:443 ssl http2 default deferred;
> 
>      server_name  site1.world.example.com;
> 
>      ssl_certificate     /etc/pki/tls/certs/star_world.crt;
>      ssl_certificate_key /etc/pki/tls/private/star_world.key;
> 
>      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
>      ssl_ciphers 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED';
>      ssl_prefer_server_ciphers on;
> 
>      ssl_session_cache shared:SSL:50m;
>      ssl_session_timeout  1d;
>      ssl_session_tickets off;
> 
>      ssl_dhparam /etc/pki/tls/certs/dhparam.pem;
>      ...
> 
> and the second:
> 
> server {
>      listen [::]:80;
>      listen [::]:443 ssl;
>      server_name  site2.local.world.example.com;
> 
>      ssl_certificate     /etc/pki/tls/certs/star_local_world.cer;
>      ssl_certificate_key /etc/pki/tls/private/star_local_world.key;
> 
>      ssl_protocols TLSv1.1 TLSv1.2;
>      ssl_ciphers 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED';
>      ssl_prefer_server_ciphers on;
> 
>      ssl_session_cache shared:SSL:50m;
>      ssl_session_timeout  1d;
>      ssl_session_tickets off;
> 
>      ssl_dhparam /etc/pki/tls/certs/dhparam.pem;
>      ...
> 
> However, while the first one works correctly, the second one is clearly 
> using the SSL certs of the first vhost (and thus it produces a Risk 
> warning due to mismatch between name-cert) and not the ones configured 
> in its own config (the second).
> 
> (I confirmed that SNI support is enabled.)
> 
> What am I doing wrong? (Obviously I am a very basic nginx user.)

How do you test it?  Note well that the second vhost is only 
available on port 443 via IPv6.

> Finally, what is the best way to successfully listen (i.e. the suggested 
> way to configure the "listen" directives) to 80 and 443 ports on both 
> IPv4 and IPv6 on all hosts (each and every one of them)?

The recommended approach is to list all relevant "listen" 
directives in all relevant servers.  That is, for 80 and 443 ports 
on both IPv4 and IPv6 you have to use (assuming no "ipv6only=off"):

    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;

If this looks too complex, consider using an include with all 
these listen directives (http://nginx.org/r/include).  Note though 
that using includes might introduce additional configuration 
errors by hiding parts of the configuration, so I usually 
recommend to refrain from using includes (except maybe a few 
standard ones, such as mime.types) and use single self-consistent 
nginx.conf instead.

-- 
Maxim Dounin
http://mdounin.ru/
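The check Maxim is asking for ("How do you test it?"), as an added example that is not part of the thread or of nginx: a small POSIX shell script that connects to each name over IPv4 and over IPv6 separately, with SNI set to that name, and reports which certificate comes back and whether it covers the name. The hostnames are the ones from the thread, the script name check_vhost_certs.sh is assumed, and the script relies on openssl s_client accepting the -4/-6 flags (OpenSSL 1.1.0 or later).

```shell
#!/bin/sh
# Added example (not from the thread): probe a vhost over IPv4 and IPv6
# separately, with SNI set to its name, and report which certificate the
# server actually presents. A server block that only has "listen [::]:443 ssl"
# shows up here as "-4: MISMATCH" (the IPv4 connection lands on the IPv4
# default server and gets its certificate) while "-6" reports OK.
# Assumes openssl 1.1.0+ for the -4/-6 flags of s_client.

# subject_cn: reduce an "openssl x509 -noout -subject" line on stdin to the
# CN value. Handles "subject=CN = x, O = y" and "subject= /O=y/CN=x".
subject_cn() {
    sed -n 's/.*CN *= *//p' | sed 's/[,/].*//'
}

# name_matches HOST PATTERN: succeed when the certificate name PATTERN covers
# HOST. A wildcard covers exactly one label, so *.world.example.com covers
# site1.world.example.com but not site2.local.world.example.com, which is
# exactly the name/cert mismatch a browser warns about.
name_matches() {
    local host="$1" pattern="$2" suffix label
    case $pattern in
        \*.*)
            suffix=${pattern#\*}             # ".world.example.com"
            case $host in
                *"$suffix")
                    label=${host%"$suffix"}  # what the wildcard has to cover
                    [ -n "$label" ] && [ "${label#*.}" = "$label" ]
                    ;;
                *) return 1 ;;
            esac
            ;;
        *) [ "$host" = "$pattern" ] ;;
    esac
}

# probe_cert HOST FAMILY: connect to HOST:443 over FAMILY (-4 or -6) with
# SNI=HOST and print the CN of the certificate served, or NO-TLS when no
# handshake happened (nothing listening on that address family, for instance).
probe_cert() {
    local host="$1" family="$2" out cn
    out=$(openssl s_client "$family" -servername "$host" -connect "$host:443" \
          </dev/null 2>/dev/null) || { echo NO-TLS; return 0; }
    cn=$(printf '%s\n' "$out" | openssl x509 -noout -subject 2>/dev/null | subject_cn)
    echo "${cn:-NO-TLS}"
}

# report HOST: probe both address families and judge each result.
report() {
    local host="$1" fam cn
    for fam in -4 -6; do
        cn=$(probe_cert "$host" "$fam")
        case $cn in
            NO-TLS) echo "$host $fam: no TLS listener reachable" ;;
            *) if name_matches "$host" "$cn"; then
                   echo "$host $fam: OK (CN=$cn)"
               else
                   echo "$host $fam: MISMATCH (CN=$cn)"
               fi ;;
        esac
    done
}

# Usage: sh check_vhost_certs.sh site1.world.example.com site2.local.world.example.com
for h in "$@"; do
    report "$h"
done
```

With the configuration posted above, site2.local.world.example.com is expected to print MISMATCH for -4 (the 0.0.0.0:443 socket belongs to the first server block only, so the IPv4 connection gets the star_world certificate, and a single-label wildcard does not cover the two extra labels) and OK for -6, where both server blocks share the [::]:443 socket and SNI selects the right one. Once the second server block also carries "listen 443 ssl;", both families should report OK.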

