Nginx not loading different certs on two hosts

Nikolaos Milas
December 09, 2020 04:36PM
Hello,

On a Centos 7 with nginx-1.18.0 I have configured two vhosts, as follows:

First one:

server {

    listen [::]:80 ipv6only=off;

    listen    443 ssl http2 default deferred;
    listen    [::]:443 ssl http2 default deferred;

    server_name  site1.world.example.com;

    ssl_certificate     /etc/pki/tls/certs/star_world.crt;
    ssl_certificate_key /etc/pki/tls/private/star_world.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers
'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED';
    ssl_prefer_server_ciphers on;

    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout  1d;
    ssl_session_tickets off;

    ssl_dhparam /etc/pki/tls/certs/dhparam.pem;
    ...

and the second:

server {
    listen [::]:80;
    listen [::]:443 ssl;
    server_name  site2.local.world.example.com;

    ssl_certificate     /etc/pki/tls/certs/star_local_world.cer;
    ssl_certificate_key /etc/pki/tls/private/star_local_world.key;

    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers
'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED';
    ssl_prefer_server_ciphers on;

    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout  1d;
    ssl_session_tickets off;

    ssl_dhparam /etc/pki/tls/certs/dhparam.pem;
    ...

However, while the first one works correctly, the second one is clearly
using the SSL certs of the first vhost (and thus it produces a Risk
warning due to the mismatch between name and cert) and not the ones
configured in its own config (the second).

(I confirmed that SNI support is enabled.)

What am I doing wrong? (Obviously I am a very basic nginx user.)

How shall I make the second vhost load/use its own ssl configuration
correctly?

Finally, what is the best way to listen successfully (i.e. the suggested
way to configure the "listen" directives) on ports 80 and 443 over both
IPv4 and IPv6 on all hosts (each and every one of them)?

Thanks in advance!

Cheers,
Nick


_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
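The replies in this thread are not reproduced on the page, so the following is an added example (not code from the thread, from nginx, or from the poster) that checks the one thing a reader can verify offline from the two server blocks above: on which sockets, and therefore over which address family, each server_name can actually be reached. It encodes nginx's documented listen semantics (assumed here for nginx 1.3.4 and later, which covers 1.18.0): a bare `listen 443` binds 0.0.0.0:443, a `listen [::]:443` binds an IPv6 socket whose `ipv6only` parameter defaults to `on`, and that parameter belongs to the socket, so it applies to every server block sharing the same `[::]:port`. The two sample configs are constructed from the listen and server_name lines quoted in the post (certificate and cipher lines omitted, the trailing `...` left out); the dual-stack variant is an assumed alternative, not something the thread recommends.

```python
"""Offline model of which nginx server blocks a client can reach on each
listening socket, per address family. Added example for this thread; it is
not nginx code and not from the thread. Assumed nginx listen semantics
(nginx >= 1.3.4):
  - `listen PORT`       -> 0.0.0.0:PORT, IPv4 only
  - `listen [::]:PORT`  -> IPv6 only unless ipv6only=off is set on that socket
  - ipv6only is a property of the socket, shared by every server block
    that lists the same [::]:PORT
"""
import re

SERVER_RE = re.compile(r"\bserver\s*\{")
LISTEN_RE = re.compile(r"^\s*listen\s+([^;]+);", re.M)
NAME_RE = re.compile(r"^\s*server_name\s+([^;]+);", re.M)

# Constructed from the listen/server_name lines quoted in the post.
POSTED_CONF = """
server {
    listen [::]:80 ipv6only=off;
    listen    443 ssl http2 default deferred;
    listen    [::]:443 ssl http2 default deferred;
    server_name  site1.world.example.com;
}
server {
    listen [::]:80;
    listen [::]:443 ssl;
    server_name  site2.local.world.example.com;
}
"""

# Assumed alternative (not from the thread): each server block lists one
# IPv4 and one IPv6 socket per port and ipv6only is left at its default.
DUAL_STACK_CONF = """
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl http2 default;
    listen [::]:443 ssl http2 default;
    server_name  site1.world.example.com;
}
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name  site2.local.world.example.com;
}
"""


def split_servers(conf):
    """Return the body of each server { ... } block, found by brace counting."""
    bodies = []
    for m in SERVER_RE.finditer(conf):
        depth, j = 0, m.end() - 1          # index of the opening brace
        while j < len(conf):
            if conf[j] == "{":
                depth += 1
            elif conf[j] == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        bodies.append(conf[m.end():j])
    return bodies


def parse_listen(arg):
    """Split one listen argument into (addr, port, params)."""
    target, *params = arg.split()
    if target.startswith("["):             # [::]:443 or [::1]:443
        addr, port = target[1:].split("]:")
    elif ":" in target:                    # 192.0.2.1:443
        addr, port = target.split(":")
    else:                                  # bare port -> all IPv4 addresses
        addr, port = "0.0.0.0", target
    return addr, int(port), params


def listen_sockets(conf):
    """Map (addr, port) -> {'names': set, 'ipv6only': bool} across all blocks."""
    sockets = {}
    for body in split_servers(conf):
        names = set(NAME_RE.search(body).group(1).split())
        for m in LISTEN_RE.finditer(body):
            addr, port, params = parse_listen(m.group(1))
            entry = sockets.setdefault((addr, port), {"names": set(), "ipv6only": True})
            for p in params:               # socket-level parameter, set once
                if p.startswith("ipv6only="):
                    entry["ipv6only"] = p.split("=", 1)[1] == "on"
            entry["names"] |= names
    return sockets


def reachability(conf):
    """Map (family, port) -> set of server_names a client can land in there."""
    reach = {}
    for (addr, port), entry in listen_sockets(conf).items():
        if ":" not in addr:
            families = ["IPv4"]
        elif entry["ipv6only"]:
            families = ["IPv6"]
        else:                              # dual-stack IPv6 socket
            families = ["IPv4", "IPv6"]
        for fam in families:
            reach.setdefault((fam, port), set()).update(entry["names"])
    return reach


def coverage_gaps(conf):
    """(name, port, family) triples: name reachable on that port over the
    other family only, so those clients fall through to the default server."""
    reach, gaps = reachability(conf), []
    for port in sorted({port for _, port in reach}):
        v4 = reach.get(("IPv4", port), set())
        v6 = reach.get(("IPv6", port), set())
        gaps += [(n, port, "IPv4") for n in sorted(v6 - v4)]
        gaps += [(n, port, "IPv6") for n in sorted(v4 - v6)]
    return gaps


def bind_conflicts(conf):
    """Ports where a dual-stack [::] socket and a 0.0.0.0 socket would both
    bind; nginx refuses to start on such a config (address already in use)."""
    socks = listen_sockets(conf)
    return sorted(port for (addr, port), e in socks.items()
                  if addr == "::" and not e["ipv6only"] and ("0.0.0.0", port) in socks)


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("dual-stack", DUAL_STACK_CONF)):
        print(label, "gaps:", coverage_gaps(conf), "bind conflicts:", bind_conflicts(conf))
```

For the posted directives the model reports that `site2.local.world.example.com` is reachable on port 443 over IPv6 only: the second block never lists `443` (the 0.0.0.0:443 socket), and `[::]:443` keeps its default `ipv6only=on`, so an IPv4 client on 443 can only land in the first block and is served the `star_world` certificate regardless of SNI. Whether that is what the poster saw depends on whether the test client connected over IPv4, which the post does not say; the cheap way to tell is to repeat the test against the IPv4 and IPv6 addresses separately with an SNI-aware client (`openssl s_client -servername <name>`) and compare the certificate subject each one returns. The regexes are deliberately simple, so feeding them `nginx -T` output (which is a real nginx flag) works for plain server blocks but is not a full parser.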
Thread:

Nginx not loading different certs on two hosts: Nikolaos Milas, December 09, 2020 04:36PM
Re: Nginx not loading different certs on two hosts: Maxim Dounin, December 10, 2020 09:44AM
Re: Nginx not loading different certs on two hosts: Nikolaos Milas, December 11, 2020 06:46AM
Re: Nginx not loading different certs on two hosts: Maxim Dounin, December 11, 2020 07:56PM
Re: Nginx not loading different certs on two hosts: Nikolaos Milas, December 15, 2020 12:02PM