On Wed, Jan 03, 2018 at 02:23:32PM -0500, Kurogane wrote:

Hi there,

> >Are you sure that a tool you're using to check supports SNI?
>
> What tool you're talking about? this error show in browser.

In this case, the tool is "the browser". Which browser, which version?

The aim here is to allow someone who is not you to see the problem that
you are seeing.

Often, it is useful to use a low-level tool which hides nothing. So,
for example, you might be able to test with

openssl s_client -servername domain.com -connect 127.0.0.1:443

to see what certificate is returned; then repeat the test with
"domain2.com" and "www.domain2.com".

(You could also probably use something like

curl -k -v --resolve domain.com:443:127.0.0.1 https://domain.com

to see the same information, along with the http request and response.)

> >Do you have four separate ssl certificate files, each of which is valid
> >for a single server name?
>
> >Or do you have one ssl certificate file which is valid for multiple
> server names?
>
> I'm not sure why you mean but i have two cert files. Each cert have a valid
> common name to use non www and www

What does that mean, specifically?

If you do something like

openssl x509 -noout -text < your-domain.com-cert

do you see

Subject: CN=www.domain.com

and

X509v3 Subject Alternative Name: DNS:domain.com

or do you see something else? Same question, for your-domain2.com-cert.



In your nginx config, what "ssl_certificate" lines do you have?

You did not show any inside the server{} blocks; perhaps you have them
inside the http{} block?

The aim here is to allow someone to create an nginx instance which
resembles yours, and which shows the problem, or which does not show
the problem.

The problem that you report should not be happening.

If someone else can re-create it, perhaps there is a bug in nginx (that
has not been reported previously) that can be fixed. If no-one else can
re-create it, perhaps there is something unusual about your configuration
and set-up.

Only you know what your configuration is.

If you provide enough information to allow someone else get a similar
configuration, then maybe they will be able to see the cause of the
problem.

Can you show a complete, but minimum, configuration that still shows
the problem?

> server {
> listen 443 ssl http2;
> listen [::3]:443 ssl http2;
> server_name domain2.com;
> return 301 https://www.$server_name$request_uri;
> }
>
> This is the full config of this block.

Which ssl_certificate file do you want nginx to use when a request for
this server_name comes in?

How does nginx know that you want nginx to use that ssl_certificate?

> Same problem with or without IPv6.

Ok, that's good to know.

Your example config can now remove all of the IPv6 lines.

Perhaps it can also remove the "http2" parts, to make it even easier
for someone else to build a similar configuration.

> I just notice when i disable IPv6 and only access via IPv4 do something
> wierd.
>
> When i visit https://domain2.com i got the same error (domain.com
> certificate) and chrome or whatever browser say me if i want to continue and
> when i click to continue redirect me to www.domain2.com (is what i want to
> do and work with domain.com and domain2.com with IPv6). I'm not sure why
> first check domain.com and then use domain2.com server block.

That sounds to me like it is exactly the same as what happened when IPv6
was enabled.

Is it different?

If so, that is interesting information. Maybe there is some IPv4/IPv6
interaction involved.

Good luck with it,

f
--
Francis Daly francis@daoine.org
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx