Prevent Chrome SSL Domain Mismatch Warning When Redirecting

Server NGINX
1

Hello,
I have a SSL cert setup for a domain with no subdomain, i.e.
mydomain.org. And a server block setup to redirect all https ‘www’
subdomain requests to the non subdomain server block. This works fine
in
Safari, FF, etc. But Chrome gives me a certificate domain name mismatch
warning ( The big red warning screen ) How can I prevent this? It’s
like
Chrome checks the SSL cert name before even following the nginx
redirect.
Here’s what I’m doing. Any help appreciated

server {
listen 443;
server_name www.mydomain.org;

  return 301 $scheme://mydomain.org$request_uri;

  ssl                  on;
  ssl_certificate      /etc/nginx/certs/new_sslchain.crt;
  ssl_certificate_key  /etc/nginx/certs/azcharters-10-29-12.key;
  ssl_session_timeout  5m;
  ssl_protocols        SSLv2 SSLv3 TLSv1;
  ssl_ciphers

ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
}

server {
listen 443;
server_name mydomain.org;
root /home/deploy/apps/myapp/current/public;
passenger_enabled on;

  ssl                  on;
  ssl_certificate /etc/nginx/certs/new_sslchain.crt;
  ssl_certificate_key /etc/nginx/certs/azcharters-10-29-12.key;
  ssl_session_timeout 5m;
  ssl_protocols  SSLv2 SSLv3 TLSv1;
  ssl_ciphers

ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
}


Chris I.
Burst Software
Rails Web D.

e: [email protected]
c: 623-523-2221
w: www.burstdev.com
w: www.christopherirish.com
http://www.christopherirish.com

2

On 2 January 2013 21:16, Chris I. [email protected] wrote:

Hello,
I have a SSL cert setup for a domain with no subdomain, i.e.
mydomain.org. And a server block setup to redirect all https ‘www’
subdomain requests to the non subdomain server block. This works fine in
Safari, FF, etc. But Chrome gives me a certificate domain name mismatch
warning ( The big red warning screen ) How can I prevent this? It’s like
Chrome checks the SSL cert name before even following the nginx redirect.

Of course it does. That’s how SSL works.

You’re serving up the certificate for azcharters.org where browsers
(it’s not just Chrome!) are expecting one that identifies itself as
belonging to www.azcharters.org. You need to serve up a certificate
that matches www.azcharters.org in its Common Name (CN) or Subject
Alternative Name (SAN), just for the redirect listener block.

If you only have a single IP to serve both :443 listeners, by the way,
you’re out of luck with your current cert. You’d have to find an SSL
vendor who’ll sell you a single cert with (say) azcharters.org in the
CN and www.azcharters.org in the SAN. This may be more expensive than
you’d expect and - to be honest - I wouldn’t bother.

Regards,
Jonathan

Jonathan M. // Oxford, London, UK
http://www.jpluscplusm.com/contact.html

3

You’d have to find an SSL vendor who’ll sell you a single cert with (say)
azcharters.org in the CN and www.azcharters.org in the SAN. This may be
more expensive than you’d expect and - to be honest - I wouldn’t bother.

To avoid such issues quite many SSL vendors include the (www.)
alternative
name automatically (like Godaddy, Comodo and Geotrust for sure).

rr

4

Jonathan, Reinis, thank you both for your responses. That clarified
things
a lot!

Posted at Nginx Forum: