Re: SSL_ERROR_BAD_CERT_DOMAIN with multiple domains

Francis Daly
July 10, 2019 06:26PM
On Sat, Jul 06, 2019 at 07:59:10AM -0400, BeyondEvil wrote:

Hi there,

> Server A (macmini) has an nginx server under my direct control.
> Server B (the synology NAS) has an nginx server NOT under my direct
> control.

....and you have exactly 1 public IP address, and you would like to be
able to access the content on both of them.

If you are happy to test things, I have two suggestions which might work
for you.

The first is a "proxy_pass" where your users will never talk directly
to server B, and will never use the server B domain name.

Depending on what server B requires, this may not work.

But if it does -- you get a new hostname, "nas.domainA", for example,
and get a certificate for it.

Then do the normal nginx two-ssl-servers thing with SNI, and the one with
"server_name nas.domainA" does "proxy_pass https://server-B".


The second involves using "stream" instead of "http" on the public-facing
ip:port.

In that case, you use stream with ssl preread, documented at
http://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html

If the SNI name relates to the NAS, you proxy_pass to that IP:port;
else you proxy_pass to the IP:port that your nginx https listener is on
(possibly 127.0.0.1:443, if you have the stream listener on the same
machine).

> And herein lies the problem as it seems, from what I can gather HTTPS is
> terminated and checked/validated in Server A and fails for requests to
> Server B domain, since the certificates in Server A are not the correct ones
> for Server B domain - only for Server A domain.

In the first new case above, https is terminated on "your" nginx server,
either with the www.domainA cert or the nas.domainA cert, so the client
is happy.

In the second new case above, https is terminated either on your server
with the www.domainA cert, or on the other server with the domainB cert;
so the client is still happy.

Maybe one of those will suit you.

f
--
Francis Daly francis@daoine.org
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
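
The second suggestion in the reply above, sketched as an nginx configuration. This is an added example, not part of the original post. The addresses 192.0.2.1 and 192.0.2.10, the variable name $tls_backend and the certificate paths are placeholders assumed here; "domainB" and "www.domainA" stand in for the real names as they do in the thread.

```nginx
# nginx.conf fragment (main context). Needs the stream module with
# ngx_stream_ssl_preread_module available in the nginx build.

stream {
    # Pick the backend from the SNI name in the TLS ClientHello.
    # TLS is not terminated in this block, so no certificate or key is
    # configured here; server B keeps presenting its own domainB certificate.
    map $ssl_preread_server_name $tls_backend {
        domainB    192.0.2.10:443;   # placeholder: address of the NAS (server B)
        default    127.0.0.1:443;    # the local nginx https listener (server A)
    }

    server {
        listen 192.0.2.1:443;        # placeholder: address the public port 443 is forwarded to
        ssl_preread on;              # read the ClientHello without decrypting anything
        proxy_pass $tls_backend;
    }
}

http {
    server {
        # Bound to loopback so it does not collide with the stream listener above.
        listen 127.0.0.1:443 ssl;
        server_name www.domainA;

        ssl_certificate     /etc/nginx/certs/www.domainA.crt;   # placeholder path
        ssl_certificate_key /etc/nginx/certs/www.domainA.key;   # placeholder path

        # Connections arrive through the stream proxy, so $remote_addr in this
        # server is the proxy's address, not the original client's.
    }
}
```

Clients that send no SNI name, or a name not listed in the map, fall through to the default entry and are answered by server A with the www.domainA certificate.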