Hello,
I have a SSL cert setup for a domain with no subdomain, i.e.
mydomain.org. And a server block setup to redirect all https 'www'
subdomain requests to the non subdomain server block. This works fine
in
Safari, FF, etc. But Chrome gives me a certificate domain name mismatch
warning ( The big red warning screen ) How can I prevent this? It's
like
Chrome checks the SSL cert name before even following the nginx
redirect.
Here's what I'm doing. Any help appreciated
server {
listen 443;
server_name www.mydomain.org;
return 301 $scheme://mydomain.org$request_uri;
ssl on;
ssl_certificate /etc/nginx/certs/new_sslchain.crt;
ssl_certificate_key /etc/nginx/certs/azcharters-10-29-12.key;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
}
server {
listen 443;
server_name mydomain.org;
root /home/deploy/apps/myapp/current/public;
passenger_enabled on;
ssl on;
ssl_certificate /etc/nginx/certs/new_sslchain.crt;
ssl_certificate_key /etc/nginx/certs/azcharters-10-29-12.key;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
}
--
Chris Irish
Burst Software
Rails Web Development
e: supairish@gmail.com
c: 623-523-2221
w: www.burstdev.com
w: www.christopherirish.com
<http://www.christopherirish.com>
on 2013-01-02 22:17
on 2013-01-02 22:34
On 2 January 2013 21:16, Chris Irish <supairish@gmail.com> wrote: > Hello, > I have a SSL cert setup for a domain with no subdomain, i.e. > mydomain.org. And a server block setup to redirect all https 'www' > subdomain requests to the non subdomain server block. This works fine in > Safari, FF, etc. But Chrome gives me a certificate domain name mismatch > warning ( The big red warning screen ) How can I prevent this? It's like > Chrome checks the SSL cert name before even following the nginx redirect. Of course it does. That's how SSL works. You're serving up the certificate for azcharters.org where browsers (it's not just Chrome!) are expecting one that identifies itself as belonging to www.azcharters.org. You need to serve up a certificate that matches www.azcharters.org in its Common Name (CN) or Subject Alternative Name (SAN), just for the redirect listener block. If you only have a single IP to serve both :443 listeners, by the way, you're out of luck with your current cert. You'd have to find an SSL vendor who'll sell you a single cert with (say) azcharters.org in the CN and www.azcharters.org in the SAN. This may be more expensive than you'd expect and - to be honest - I wouldn't bother. Regards, Jonathan -- Jonathan Matthews // Oxford, London, UK http://www.jpluscplusm.com/contact.html
on 2013-01-03 13:42
> You'd have to find an SSL vendor who'll sell you a single cert with (say) > azcharters.org in the CN and www.azcharters.org in the SAN. This may be > more expensive than you'd expect and - to be honest - I wouldn't bother. To avoid such issues quite many SSL vendors include the (www.) alternative name automatically (like Godaddy, Comodo and Geotrust for sure). rr
on 2013-01-03 20:04
Jonathan, Reinis, thank you both for your responses. That clarified things a lot! Posted at Nginx Forum: http://forum.nginx.org/read.php?2,234649,234666#msg-234666
Enable email notification
Enable multi-page viewPlease log in before posting. Registration is free and takes only a minute.
Existing account
(Switch to SSL-encrypted connection)
NEW: Do you have a Google/GoogleMail or Yahoo account? No registration required!
Log in with Google account | Log in with Yahoo account
Log in with Google account | Log in with Yahoo account
No account? Register here.