I installed nginx with 5-6 domains set up, each with some subdomains, and it runs well!
Now that I have added some SSL certificates, I noticed that the server seems to use the same cert for all :443 server settings.
Example: I have www.domain.tld and sub.domain.tld. Using www… I get a pass on validation; sub instead claims that the cert is for www. only.
Now I see there are different SSL certs given in the config, with different contents. Reading the cert data also displays sub instead of www for the 2nd cert.
Since I am completely new to nginx and SSL itself, I wonder 1) how to solve this or 2) what information I can provide in order to get a solution for this issue.
My structure is:
nginx.conf: include /etc/nginx/sites-and-settings/*;
In sites-and-settings, there's a file for each domain, like net.domain.www, net.domain.tld and so on, each containing at least one server { } part, one for :80 and one for :443.
Make sure you give the IP address when listening on port 443. (I believe this is only necessary when you're using multiple certs on a single box.) Each SSL cert needs its own IP, until the browser vendors (IE specifically) support multiple certs being hosted on a single IP.

www.domain.tld:

    server {
        listen 1.2.3.4:443;
        …
    }

sub.domain.tld:

    server {
        listen 1.2.3.5:443;
        …
    }
This is due to the way the SSL handshake works. The domain isn’t sent
along with the original request – only the IP. So basically the
browser says “show me the certificate for this IP”, at which point the
server doesn’t know what domain the browser is expecting the
certificate to be for. That’s where a domain mismatch certificate
error will show up.
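To make the per-IP layout above concrete, here is an added example of the two :443 server blocks written out in full; it is not configuration from the thread, and the addresses, certificate paths and document roots are assumed placeholders.

```nginx
# Added example, not from the original thread. One server block per
# hostname, each bound to its own address on 443 and pointing at its own
# certificate, so the handshake on 1.2.3.4 can only ever yield the www
# cert and the handshake on 1.2.3.5 only the sub cert.
# Addresses, certificate paths and roots are assumed placeholders.

# www.domain.tld -> 1.2.3.4
server {
    listen 1.2.3.4:443 ssl;
    server_name www.domain.tld;

    ssl_certificate     /etc/ssl/certs/www.domain.tld.crt;
    ssl_certificate_key /etc/ssl/private/www.domain.tld.key;

    root /var/www/www.domain.tld;
}

# sub.domain.tld -> 1.2.3.5
server {
    listen 1.2.3.5:443 ssl;
    server_name sub.domain.tld;

    ssl_certificate     /etc/ssl/certs/sub.domain.tld.crt;
    ssl_certificate_key /etc/ssl/private/sub.domain.tld.key;

    root /var/www/sub.domain.tld;
}
```

After reloading, you can confirm which certificate each address actually hands out with `openssl s_client -connect 1.2.3.5:443 </dev/null | openssl x509 -noout -subject` (and the same for 1.2.3.4); the subject shown should match the hostname bound to that address.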
On Thu, Sep 10, 2009 at 10:29:23AM -0400, inbreed wrote:
> Since I am completely new to nginx and SSL itself, I wonder 1) how to solve this or 2) what information I can provide in order to get a solution for this issue.
> My structure is:
> nginx.conf: include /etc/nginx/sites-and-settings/*;
> In sites-and-settings, there's a file for each domain, like net.domain.www, net.domain.tld and so on,
> each containing at least one server { } part, one for :80 and one for :443.