Forum: NGINX Multiple SSL certificates

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Thomas (Guest)
on 2008-10-21 10:42
(Received via mailing list)
Hi,

I can't manage to define multiple SSL certificates, one for each of my
server {} directives.

Only 1 SSL certificate is being sent by Nginx, thus creating warnings
in my browser when I want to access a different domain name which uses
a different certificate. Is it possible to do? In each server {}
block I have defined the exact server_name so Nginx should know where
to go.
Dave Cheney (Guest)
on 2008-10-21 11:06
(Received via mailing list)
SSL is negotiated at the connection level, before the http headers are
transmitted.

You will need to setup a separate IP for each SSL certificate you wish
to host.

Cheers

Dave
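Added example, not part of Dave's reply or of anything else in this thread: the connection-level limitation described above is exactly what TLS Server Name Indication (SNI, RFC 6066) removes. With SNI the client puts the host name into the ClientHello, before any HTTP header, so nginx can pick a server block, and with it a certificate, while several names share one IP:443. nginx has supported this since 0.5.32 when built against an OpenSSL with TLS extensions (OpenSSL 0.9.8f or later; enabled by default from 0.9.8j), and "nginx -V" prints "TLS SNI support enabled" for such a build; clients that send no SNI still get the default server's certificate, which is the case Dave describes. The script below writes such a two-certificate config and probes a server once with and once without SNI to show which certificate it hands out. The host names www.site1.com / www.site2.com, the certificate paths, the script name sni_check.sh and the config path are hypothetical.

```shell
#!/bin/sh
# Added example, not code from this thread: two certificates on ONE ip:port via
# TLS SNI, plus an external probe showing which certificate a server hands out
# for a given name. Hypothetical: the host names, certificate paths and the
# config path passed to write_sni_config are illustrative only.
set -eu

# Write a minimal SNI-based nginx config to $1 and print that path. Both server
# blocks bind the same address and port; nginx selects the block, and with it
# the certificate, by matching server_name against the SNI name in the
# ClientHello. A client that sends no SNI gets the first block (the default
# server) and its certificate. Validate with: nginx -t -c <path> (needs the
# certificate files in place).
write_sni_config() {
    out="${1:?config path}"
    cat >"$out" <<'EOF'
events {}
http {
    ssl_protocols TLSv1.2 TLSv1.3;   # no SSLv3 / TLS 1.0 / TLS 1.1

    server {
        listen 443 ssl;              # "listen ... ssl" replaces the old "ssl on;"
        server_name www.site1.com;
        ssl_certificate     /etc/nginx/ssl/www.site1.com.crt;
        ssl_certificate_key /etc/nginx/ssl/www.site1.com.key;
    }
    server {
        listen 443 ssl;              # same ip:port, different certificate
        server_name www.site2.com;
        ssl_certificate     /etc/nginx/ssl/www.site2.com.crt;
        ssl_certificate_key /etc/nginx/ssl/www.site2.com.key;
    }
}
EOF
    printf '%s\n' "$out"
}

# Pull the server certificate's subject out of `openssl s_client` output read
# on stdin; s_client prints it on a line starting with "subject=".
subject_from_s_client() {
    sed -n 's/^subject=[[:space:]]*//p' | head -n 1
}

# Return 0 when subject line $2 carries CN=$1 as a whole value, in the
# OpenSSL 1.1 "CN = host, ..." form or the older "/C=../CN=host" form.
subject_has_cn() {
    name="$1"; subject="$2"
    case "$subject" in
        *"CN = $name"|*"CN = $name,"*|*"CN=$name"|*"CN=$name/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Probe $1:$2 twice, with SNI name $3 and with no SNI at all, and print both
# subjects. An SNI-aware server returns $3's certificate in the first case; a
# server that ignores SNI returns its default certificate both times.
# Exit status 0 means the certificate for $3 was served. -noservername needs
# OpenSSL 1.1.1 or later (older s_client sends no SNI unless -servername is given).
probe_sni() {
    host="$1"; port="$2"; name="$3"
    with=$(openssl s_client -connect "$host:$port" -servername "$name" \
               </dev/null 2>/dev/null | subject_from_s_client)
    without=$(openssl s_client -connect "$host:$port" -noservername \
               </dev/null 2>/dev/null | subject_from_s_client)
    printf 'sni=%s:    %s\nno sni:      %s\n' "$name" "$with" "$without"
    subject_has_cn "$name" "$with"
}

# Usage: sh sni_check.sh config /tmp/sni.conf
#        sh sni_check.sh probe www.site1.com 443 www.site2.com
case "${1:-}" in
    config) write_sni_config "$2" ;;
    probe)  probe_sni "$2" "$3" "$4" ;;
esac
```

Running the probe against a host with the config above, "sni=www.site2.com" shows the www.site2.com subject while "no sni" shows www.site1.com's, because the first block is the default server; if both lines show the same subject, either the build lacks SNI support or the server_name does not match the name sent. Private keys named in ssl_certificate_key are read by the master process at startup, so they can and should stay readable by root only.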
Thomas (Guest)
on 2008-10-21 11:11
(Received via mailing list)
Should I actually concatenate my 2 certificates into one file? Would
that thing work?

I cannot have a separate IP for each certificate, as I will be hosting
many different websites that each use different certificates. I could
use a wildcard certificate and do a redirection such as
site1.mainsite.com, but I find it's an ugly solution.
Thomas (Guest)
on 2008-10-21 11:33
(Received via mailing list)
After some research it seems that as Dave said, the only solution is
to set a different IP address for each certificate (what a pain).

So I did that:

server {
listen IP1:443;
...
}

server {
listen IP2:443;
...
}

But Nginx fails to start, and testing the configuration file returns a
failure but no error message.
Dave Cheney (Guest)
on 2008-10-21 11:44
(Received via mailing list)
On 21/10/2008, at 8:04 PM, Thomas wrote:

> Should I actually concatenate my 2 certificates into one file? Would
> that thing work?

Nope, and even if it did you would need some way of indicating which
certificate goes with which host, and you're back to square one.

> I cannot have separate IP for each certificate, as I will be hosting
> many different websites that each use different certificates. I could
> use a wildcard certificate and do a redirection such as
> site1.mainsite.com, but I find it's an ugly solution.

If you have

mysite.com

and

myothersite.net

this won't work

If you want to have

site1.mysite.com

and

site2.mysite.com

then a wildcard will help.

Cheers

Dave
Dave Cheney (Guest)
on 2008-10-21 11:46
(Received via mailing list)
> server {
> listen IP2:443;
> ...
> }
>
> But Nginx fails to start, and testing the configuration file returns a
> failure but no error message.

Hmmm, that sounds weird. Set your error log to debug and HUP nginx
again while tailing the file. If you can kill -TERM nginx, make sure
it's stopped and try starting it again. If it can't start, because of
some config error, I believe it will print it to stderr.

Cheers

Dave
Thomas (Guest)
on 2008-10-21 11:48
(Received via mailing list)
I will use the IP based solution. However I am having problems, when I
specify: "listen myIP:443", Nginx configuration file tester fails. Why
is that happening?
Dave Cheney (Guest)
on 2008-10-21 11:56
(Received via mailing list)
Is that IP bound to your server?

I just added this stanza to my config

server {
  listen 100.100.100.100;
}

and got

[root@b02s04mr ~]# nginx -t
2008/10/21 05:50:10 [info] 28274#0: the configuration file /etc/nginx/nginx.conf syntax is ok
2008/10/21 05:50:10 [emerg] 28274#0: the configuration file /etc/nginx/nginx.conf test failed

Cheers

Dave
Thomas (Guest)
on 2008-10-21 11:58
(Received via mailing list)
Here is the error message:
--
2008/10/21 11:52:46 [emerg] 22020#0: bind() to IP:443 failed (99: Cannot assign requested address)
--

What does it mean?
Igor Sysoev (Guest)
on 2008-10-21 11:58
(Received via mailing list)
On Tue, Oct 21, 2008 at 11:23:15AM +0200, Thomas wrote:

> server {
> listen IP2:443;
> ...
> }
>
> But Nginx fails to start, and testing the configuration file returns a
> failure but no error message.

Do you mean that "nginx -t" shows something like this:

the configuration file ... syntax is ok
the configuration file ... test failed

?

Could you look inside the main error_log for messages?
Igor Sysoev (Guest)
on 2008-10-21 11:59
(Received via mailing list)
On Tue, Oct 21, 2008 at 08:50:44PM +1100, Dave Cheney wrote:

> [root@b02s04mr ~]# nginx -t
> 2008/10/21 05:50:10 [info] 28274#0: the configuration file /etc/nginx/nginx.conf syntax is ok
> 2008/10/21 05:50:10 [emerg] 28274#0: the configuration file /etc/nginx/nginx.conf test failed

Yes, there is a bug/feature where nginx shows this error message in
error_log only, but not on stderr.
Igor Sysoev (Guest)
on 2008-10-21 12:00
(Received via mailing list)
On Tue, Oct 21, 2008 at 11:52:18AM +0200, Thomas wrote:

> Here is the error message:
> --
> 2008/10/21 11:52:46 [emerg] 22020#0: bind() to IP:443 failed (99: Cannot assign requested address)
> --
>
> What does it mean?

This means that you have not configured this IP on the host.
Thomas (Guest)
on 2008-10-21 12:12
(Received via mailing list)
So I tried with my server's real IP, and it works. But when I add my IP
failover, it doesn't.

How do I configure the IP on the host? Why would the host need to be
aware of its IP? Moreover, Nginx is running in a virtual machine, the
only IPs it is aware of are 127.0.0.1 and 10.0.0.1

And why do I need to configure any IP, as Nginx works with the real IP
of my server, why is it not working with the IP failover? By the way
the IP failover is correctly pointing to my server.
Dave Cheney (Guest)
on 2008-10-21 12:43
(Received via mailing list)
On 21/10/2008, at 9:05 PM, Thomas wrote:

> So I tried with my real IP server, and it works. But when I add my IP
> failover, it doesn't.
>
> How do I configure the IP on the host? Why would the host need to be
> aware of its IP? Moreover, Nginx is running in a virtual machine, the
> only IPs it is aware of are 127.0.0.1 and 10.0.0.1

Um, those IPs aren't routable on the general internet, how are hosts
going to contact that machine?

> And why do I need to configure any IP, as Nginx works with the real IP
> of my server, why is it not working with the IP failover? By the way
> the IP failover is correctly pointing to my server.

If you want nginx to listen() on any IP address that is currently
configured for your server (/sbin/ifconfig) then you can say

listen 443;

However, because you need to bind a particular IP to a particular SSL
certificate, you need to specify the IP you want each server
block assigned to in the config. Also, each of those IPs has to be
valid at server startup time so that nginx can issue a successful
bind() call for each.

Can you give us some more background about your setup, and what you
are trying to do?

Cheers

Dave
ryo sato (Guest)
on 2008-10-21 12:59
(Received via mailing list)
> How do I configure the IP on the host?

Please execute the next command.

/sbin/ifconfig eth0:0 "IP2"


> Why would the host need to be
> aware of its IP?

Because a process can't bind a non-local IP.

To allow processes to bind to the non-local address,
add the following line to /etc/sysctl.conf:

net.ipv4.ip_nonlocal_bind=1

and

sysctl -p
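The bind() failure Igor diagnosed, the requirement Dave spelled out that every address in a "listen IP:port" line be configured before nginx starts, and the two remedies above can be turned into a check that runs before a restart instead of after one. The following is an added example, not code from this thread: a POSIX shell pre-flight that extracts the IPv4 addresses from a config's listen directives and compares them with what "ip -o -4 addr show" reports. The config and the ip listing are read from a file and stdin so the same check also runs against a saved listing. The script name bind_preflight.sh, the file paths and the addresses in the comments are hypothetical.

```shell
#!/bin/sh
# Added example, not code from this thread: a pre-flight check that every IPv4
# address in a "listen IP:port;" directive is configured on the host, so that
# the "bind() to IP:443 failed (99: Cannot assign requested address)" seen in
# error_log is caught before nginx is restarted. Hypothetical: file paths and
# addresses used here are constructed for illustration.
set -eu

# Print, one per line, the IPv4 addresses nginx will try to bind: the address
# part of every uncommented "listen A.B.C.D[:port]" line in config file $1.
# 0.0.0.0 is dropped (always bindable); host names in listen are resolved by
# nginx itself and are not checked here.
listen_ipv4_addrs() {
    sed -n 's/^[[:space:]]*listen[[:space:]]\{1,\}\([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\).*/\1/p' "$1" \
        | sed '/^0\.0\.0\.0$/d' | sort -u
}

# Print the IPv4 addresses configured on the host, one per line, from the
# output of `ip -o -4 addr show` read on stdin ("2: eth0  inet 10.0.0.1/24 ...").
local_ipv4_addrs() {
    awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4 }' | sort -u
}

# Print the listen addresses of config $1 that the host listing on stdin lacks.
# Exit status 1 when there is at least one: nginx's master will fail bind() on
# it and refuse to start, whatever "nginx -t" printed to stderr.
missing_listen_addrs() {
    cfg="$1"
    have=$(local_ipv4_addrs)
    missing=0
    for a in $(listen_ipv4_addrs "$cfg"); do
        if ! printf '%s\n' "$have" | grep -qxF "$a"; then
            printf '%s\n' "$a"
            missing=1
        fi
    done
    return "$missing"
}

# Usage: sh bind_preflight.sh /etc/nginx/nginx.conf
# Remedy for a reported address: add it to the host (ip addr add A.B.C.D/32 dev
# eth0, persisted in the distro's network config) or, in a VM, have the
# hypervisor forward it. net.ipv4.ip_nonlocal_bind=1 only makes bind() succeed;
# it does not make traffic for the address arrive, so it fits floating
# addresses moved by VRRP/keepalived, not a missing address.
if [ -n "${1:-}" ]; then
    ip -o -4 addr show | missing_listen_addrs "$1"
fi
```

Run it with the config path as the only argument right before "nginx -s reload" or a restart; a non-zero exit with an address printed means the master process would die on bind(). Of the two remedies quoted above, configuring the address (ifconfig eth0:0 or ip addr add) is the one that also makes the address reachable; ip_nonlocal_bind is a system-wide knob that lets any process bind any address, so leave it off unless a floating address genuinely has to be bindable while it lives on another host.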
Thomas (Guest)
on 2008-10-21 15:45
(Received via mailing list)
Now my config file looks like this:

server {
    listen 80;
    server_name www.site1.com;
}

server {
    listen 80;
    server_name www.site2.com;
}

server {
    listen IP1:443;
    server_name www.site1.com;
}

server {
    listen IP2:443;
    server_name www.site2.com;
}

And Nginx is running and there is no longer any error message. I am
not sure what made it work, but I also tweaked at my domain name
registrar the IP address of the domain name site2.com it now points to
IP2 (it used to point to IP1).

Now if I visit http://www.site1.com or site2.com, it works.

But if I visit https://www.site1.com or site2.com, Firefox tells me
that it can't make the connection, and nothing gets printed in any log
file.

If I type https://IP1 or https://IP2, it doesn't work either.

I have also tested the following config:
--
server {
listen IP1:80;
}

And entering http://www.site1.com or http://IP1 doesn't work anymore!
What's happening? Is "listen IP:Port" correctly working with Nginx
0.6.32? I am starting to wonder.
Dave Cheney (Guest)
on 2008-10-21 15:56
(Received via mailing list)
As your site will be on the internet, why not tell us the IPs and the
hostnames so that we can assist in debugging.

Cheers

Dave
Thomas (Guest)
on 2008-10-21 16:46
(Received via mailing list)
My website is: http://www.digiprof.fr, if you click the "connexion"
button at the top right corner, you will be redirected to a
registration page which uses SSL.

I have a mail server administration application reachable at
http://www.digiprof.eu, you will get redirected to https and you
should see the certificate warning with www.digiprof.fr

I tried to setup Nginx in the same manner as this page:
http://wiki.apache.org/httpd/NameBasedSSLVHosts

But when I specify an IP address in listen, it doesn't work.
Igor Sysoev (Guest)
on 2008-10-21 17:04
(Received via mailing list)
On Tue, Oct 21, 2008 at 04:39:04PM +0200, Thomas wrote:

>
> But when I specify an IP address in listen, it doesn't work.

You should use

     server {
         listen  www.digiprof.fr:443;

         ssl on;
         ssl_certificate       /path/to/www.digiprof.fr.cert;
         ssl_certificate_key   /path/to/www.digiprof.fr.key;

         ...
     }

     server {
         listen  www.digiprof.eu:443;

         ssl on;
         ssl_certificate       /path/to/www.digiprof.eu.cert;
         ssl_certificate_key   /path/to/www.digiprof.eu.key;

         ...
     }
Thomas (Guest)
on 2008-10-21 17:17
(Received via mailing list)
I have changed my config files, http works, but now https doesn't work
anymore, Firefox can't make the connection. However in my access.log I
see some references to https://www.digiprof.fr/login, but when I
access it myself, I don't see it get printed in the log file.
Igor Sysoev (Guest)
on 2008-10-21 17:28
(Received via mailing list)
On Tue, Oct 21, 2008 at 05:09:55PM +0200, Thomas wrote:

> I have changed my config files, http works, but now https doesn't work
> anymore, firefox can't make the connection. However in my access.log I
> see some references to https://www.digiprof.fr/login, but when I
> access it myself, I don't see it get printed in the log file.

What does "nginx -t" show ?
Thomas (Guest)
on 2008-10-21 17:37
(Received via mailing list)
Here is the output:
--
2008/10/21 17:31:53 [info] 12626#0: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
2008/10/21 17:31:53 [info] 12626#0: the configuration file /usr/local/nginx/conf/nginx.conf was tested successfully
--

Everything looks fine.

However, it could be the problem of the IP not being configured on the host. I
did it once, and it blocked my connection to the server. Hopefully, I
could ssh into the VM hypervisor and then open a console and get
access to the server to remove the IP configuration.
ryo sato (Guest)
on 2008-10-21 17:44
(Received via mailing list)
> I have changed my config files, http works, but now https doesn't work
> anymore, firefox can't make the connection.

Maybe port 443 is closed.

# openssl s_client -connect www.digiprof.eu:443
socket: Connection refused
connect:errno=29
# openssl s_client -connect www.digiprof.fr:443
socket: Connection refused
connect:errno=29

Copy and paste all of your nginx.conf.
Igor Sysoev (Guest)
on 2008-10-21 17:47
(Received via mailing list)
On Tue, Oct 21, 2008 at 05:31:06PM +0200, Thomas wrote:

> However it could the problem of IP not being configured on the host. I
> did it once, and it block my connection to the server. Hopefully, I
> could ssh into the VM hypervisor and then open a console and get
> access to the server to remove the IP configuration.

It seems that IPs are configured right:

telnet www.digiprof.fr 80
Trying 91.121.77.156...
Connected to digiprof.fr.
Escape character is '^]'.

telnet www.digiprof.eu 80
Trying 91.121.43.156...
Connected to digiprof.eu.
Escape character is '^]'.

However, for some reason nginx does not listen on 443:

telnet www.digiprof.fr 443
Trying 91.121.77.156...
telnet: connect to address 91.121.77.156: Connection refused
telnet: Unable to connect to remote host

telnet www.digiprof.eu 443
Trying 91.121.43.156...
telnet: connect to address 91.121.43.156: Connection refused
telnet: Unable to connect to remote host

Could you show the listen directives in config ?
Thomas (Guest)
on 2008-10-21 18:07
(Received via mailing list)
Port 443 is forwarded from my hypervisor to the Nginx VM. Everything
works fine if I remove the IP in the listen. It's a pretty basic
configuration of Nginx I guess.

nginx.conf:
---
# /usr/local/nginx/conf/nginx.conf

user  thomas;
worker_processes  1;

events {
 worker_connections  1024;
}

http {
 include             mime.types;
 default_type        application/octet-stream;

 # set sendfile to off on OsX
 sendfile            on;
 tcp_nopush          on;
 keepalive_timeout   65;

 # Hide Nginx version number header
 server_tokens       off;

 log_format main '$remote_addr [$time_local] '
                 '$http_host "$request" $status $body_bytes_sent "$http_referer" '
                 '"$http_user_agent" "$http_x_forwarded_for"';

 log_format traffic '$http_host $body_bytes_sent';

 gzip                on;
 gzip_http_version   1.0;
 gzip_comp_level     2;
 gzip_proxied        any;
 gzip_types          text/plain text/html text/css application/x-javascript
                     text/xml application/xml application/xml+rss text/javascript;

 ignore_invalid_headers  on;

 include /usr/local/nginx/conf/main.conf;
 include /usr/local/nginx/conf/webcit.conf;
} # End of http
---


main.conf:
---
upstream main {
 server 10.0.0.2:3100 weight=2;
 server 10.0.0.2:3101;
}

server {
 listen 80 default;
 server_name _;
 access_log  /usr/local/nginx/logs/phishing_attemps.log main;

 # Let's rewrite any mysite.com to www.mysite.com in a global catch-all way.
 if ($host !~* www\.(.*)) {
   rewrite ^(.*) http://www.$host$1 permanent;
 }

 return 404;
}

server {
 listen              80;
 server_name         www.digiprof.fr;

 set $limit_rate     130k;

 # Let's set some vars to be DRY
 #set $nginx_path /usr/local/nginx/logs;
 set $rails_path /home/thomas/rails_apps;

 access_log  /usr/local/nginx/logs/traffic.log traffic;
 access_log  /usr/local/nginx/logs/access.main.log main;
 error_log /usr/local/nginx/logs/error.main.log notice;

 location / {
    root                $rails_path/public/$host;

   proxy_redirect      off;
   proxy_set_header    X-Real-IP $remote_addr;
   proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header    Host $http_host;

   if (-f $request_filename) {
     break;
   }

   if (-f $request_filename/index.html) {
     rewrite (.*) $1/index.html break;
   }

   if (-f $request_filename.html) {
     rewrite (.*) $1.html break;
   }

   if (!-f $request_filename) {
     proxy_pass http://main;
     break;
   }
 } # End of the location /

 error_page 500 502 503 504 /50x.html;
 location = /50x.html {
   root          $rails_path/public/$host;
 } # End of /50x location

} # End of server

server {
 listen              www.digiprof.fr:443;
 server_name         www.digiprof.fr;

 ssl on;
 ssl_certificate     /usr/local/nginx/conf/ssl_certificates/www.digiprof.fr.crt;
 ssl_certificate_key /usr/local/nginx/conf/ssl_certificates/server.key;
 keepalive_timeout   70; # reduce server load

 set $rails_path     /home/thomas/rails_apps;

 location / {
   # Compulsory for HTTPS
   proxy_set_header  X_FORWARDED_PROTO https;
   proxy_redirect    off;
   proxy_set_header  X-Real-IP $remote_addr;
   proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header  Host $http_host;

   root        $rails_path/public/$host;

   # Compulsory for serving relatively linked images and stylesheets
   if (!-f $request_filename) {
     proxy_pass http://main;
     break;
   }
 } # End of location /
} # End of server 443
-----


webcit.conf:
-----------
upstream webcit {
 server 10.0.0.4:2000;
}

server {
 listen        80;
 server_name   www.digiprof.eu;
 rewrite ^(.*) https://$host$1 permanent;
}

server {
 listen      www.digiprof.eu:443;
 server_name www.digiprof.eu;

 ssl on;
 ssl_certificate     /usr/local/nginx/conf/ssl_certificates/self_signed.crt;
 ssl_certificate_key /usr/local/nginx/conf/ssl_certificates/server.key;
 keepalive_timeout   70; # reduce server load

 location / {
   proxy_set_header  X_FORWARDED_PROTO https;
   proxy_redirect      off;
   proxy_set_header    X-Real-IP $remote_addr;
   proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header    Host $http_host;

   proxy_pass http://webcit;
 }
}
Thomas (Guest)
on 2008-10-21 18:35
(Received via mailing list)
Hi Igor,

I have now reverted back to the working config. So now if you go to
https://www.digiprof.fr/login in your browser, you will see the signup
page and:

telnet www.digiprof.fr 443
openssl s_client -connect www.digiprof.fr:443
Dave Cheney (Guest)
on 2008-10-21 23:27
(Received via mailing list)
Yup - that is most likely because inside your VM container, the real
IPs for www.digiprof.eu and www.digiprof.fr are not bound. You
mentioned before that this VM only had access to an internal NAT, so
the only IPs that could be bound were in 10.0.0.0/8. Is this correct?

If so, you will have to port forward both IPs to SEPARATE NAT'ed IPs
in the 10.0.0.0/8 range, then configure separate VIPs inside your
virtualized OS to listen on those VIPs, then use those VIPs in place
of the real IPs in your nginx config.

Are you able to do your testing on a machine with real IPs rather
than a virtualized container, as the configuration of your container,
not nginx, has been most of the meat of this discussion?

Cheers

Dave
Thomas (Guest)
on 2008-10-22 00:45
(Received via mailing list)
You know what Dave, running my application using a virtual machine
with each component running in its own VM has been a real pain in the
butt, it is still now, and it will certainly be in the future.

I'm only seeing drawbacks and no advantages.

I'm fed up for today and it's getting late in my timezone. Tomorrow
I'll install Nginx directly in the supervisor domain as it will have
direct access to the IPs ready to be bound.

Thanks for your assistance.
Thomas (Guest)
on 2008-10-22 14:17
(Received via mailing list)
Yeah! I finally managed to configure Nginx to handle multiple SSL
certificates. It is exactly as Dave said, I had to forward the IPs to
my nginx VM, and it was not related to Nginx.

Thank you very much for your assistance.