Ben Lancaster
July 26, 2011 12:46PM
We recently had a problem where we created a new server configuration (for http with and without ssl on ports 443 and 80 respectively) on a shared web server which also included a number of other nginx servers similarly configured.

Unfortunately, we neglected to include the ssl_certificate and ssl_certificate_key directives for the new server. So, the configurations looked something like this:


# Pre-existing, working server definition (one of several)
server {
    listen 80;
    listen 443 ssl;

    ssl_certificate /path/to/ssl.crt;
    ssl_certificate_key /path/to/key.crt;

    # snip #
}

# New server definition
server {
    listen 80;
    listen 443 ssl;

    # snip #
}


Now, prior to restarting the nginx process, we issued "nginx -t" to test the new configuration - everything passed. Once the nginx service was restarted, however, the old, working site failed to respond to https requests (cURL said "Unknown SSL protocol error in connection to "), even though the configuration for that particular server was unchanged.

I've since added a default SSL server to my config, which seems to fix this problem in case ssl_certificate_* lines get missed in future (there was no server with "listen 443 ssl default" prior to that).

We're running Ubuntu 10.04 LTS x86_64 with Nginx 1.0.0 stable from PPA:

$ nginx -V
nginx: nginx version: nginx/1.0.0
nginx: TLS SNI support enabled
nginx: configure arguments: --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/var/run/ --with-debug --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl --with-mail --with-mail_ssl_module --add-module=/build/buildd/nginx-1.0.0/debian/modules/nginx-echo --add-module=/build/buildd/nginx-1.0.0/debian/modules/nginx-upstream-fair

Is this expected behaviour? Should nginx -t not have flagged that there were no default ssl_certificate(_key) directives defined? Why was the first server affected?
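A pre-restart check for the situation described in the post above, as an added example that is not part of the original post or of nginx: it flags every server block that has "listen ... ssl" but lacks ssl_certificate or ssl_certificate_key, and reports whether any SSL listen is marked default. Assumptions: the sample config and its server_name values are constructed, the parser is simplified (no include files, no quoted strings containing braces), and certificates inherited from the http level are not considered.

```python
import re

# Constructed sample modelled on the configuration in the post (paths are placeholders).
SAMPLE = """
server {
    listen 80;
    listen 443 ssl;
    server_name old.example;
    ssl_certificate /path/to/ssl.crt;
    ssl_certificate_key /path/to/key.crt;
    location / { root /srv/old; }
}
server {
    listen 80;
    listen 443 ssl;
    server_name new.example;
}
"""

def server_blocks(conf):
    """Yield the body of each 'server { ... }' block, matching nested braces."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def directives(body):
    """Yield (name, args) for each statement; nested block contents are included."""
    for stmt in re.split(r"[;{}]", body):
        words = stmt.split()
        if words:
            yield words[0], words[1:]

def audit(conf):
    """Return (ssl servers missing cert or key, whether an ssl listen is marked default)."""
    missing, has_default = [], False
    for n, body in enumerate(server_blocks(conf), 1):
        seen, ssl, name = set(), False, f"server #{n}"
        for key, args in directives(body):
            if key == "listen" and "ssl" in args:
                ssl = True
                has_default |= bool({"default", "default_server"} & set(args))
            elif key == "server_name" and args:
                name = args[0]
            seen.add(key)
        if ssl and not {"ssl_certificate", "ssl_certificate_key"} <= seen:
            missing.append(name)
    return missing, has_default

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running a check like this alongside "nginx -t" in a deploy script gives a hard failure for the omission that the post reports passed the built-in test.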

nginx mailing list