Nginx not loading different certs on two hosts

Maxim Dounin mdounin at
Sat Dec 12 00:54:24 UTC 2020


On Fri, Dec 11, 2020 at 01:44:06PM +0200, Nikolaos Milas wrote:

> On 10/12/2020 4:42 μ.μ., Maxim Dounin wrote:
> > How do you test it?  Note well that the second vhost is only
> > available on port 443 via IPv6.
> >> Finally, what is the best way to successfully listen (i.e. the suggested
> >> way to configure the "listen" directives) to 80 and 443 ports on both
> >> IPv4 and IPv6 on all hosts (each and every one of them)?
> > The recommended approach is to list all relevant "listen"
> > directives in all relevant servers.
> Hi Maxim,
> Thank you for your reply!
> I used the listen directives as you suggested on both vhosts and then I 
> retried. After restarting nginx, both vhosts worked fine, both with http 
> and https!
> Please note that with the initial config (as I had sent it), the second 
> vhost was in fact responding to IPv4 clients as well, (through the use 
> of ipv4-mapped ipv6 addresses). Actually, the second vhost used to work 
> ONLY with http.
> When the second site was being accessed via https, it would produce an 
> SSL warning, and by checking the certificate details I could see that it 
> was the one used for the first vhost.

That's because the second vhosts has IPv6 listening socket on port 
80 configured with "ipv6only=off", so it accepted both IPv6 and 
IPv4 connections.  In contrast, IPv6 socket on port 443 (the one  
used for https) is _not_ configured with "ipv6only=off", so it 
only accepts IPv6 connections, but not IPv4.  And the separate 
IPv4 listening socket on port 443 was only configured in the first 
vhost, but not in the second one.  As such, all IPv4 https 
connections were handled by the first vhost only.


> I haven't been able to understand the above described behavior! In any 
> case, everything works fine now!

Glad it works now, and hope the previous behaviour is clear now as 
well: it is a result of no IPv4 listening socket on port 443 in 
the second vhost in the original configuration.

Maxim Dounin

More information about the nginx mailing list