Welcome! Log In Create A New Profile

Advanced

Fallback default server sharing cert information about other domains than for the URL you visit ?

Anonymous User
August 09, 2019 11:56AM
Hi,

My own domain, let's say 'example.com', is registered in the HSTS preload database (https://hstspreload.org).

I setup my domain as virtual host in Nginx,

/etc/nginx/sites-enabled/example.conf

server {
listen 172.17.0.1:80;
server_name example.com www.example.com;
location / {
return 301 https://example.com$request_uri;
}
}

server {
listen 172.17.0.1:443 ssl http2;
server_name example.com www.example.com;

ssl_trusted_certificate "/etc/ssl/trusted.crt.pem";
ssl_certificate "/etc/ssl/chain.crt.pem";
ssl_certificate_key "/etc/ssl/privkey.pem";

add_header Strict-Transport-Security "max-age=315360000; includeSubDomains; preload";

location / {...}
}

The cert is good for example.com + www.example.com.

When I go to

https://example.com

it works like you would expect.


I also set up a fallback, default server in my main nginx config

/etc/nginx/nginx.conf

...
server {
listen 80 default_server;
listen [::]:80 ipv6only=on default_server;
server_name _;
return 301 https://$host;
}

server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 ipv6only=on default_server;
server_name _;

ssl_trusted_certificate "/etc/ssl/trusted.crt.pem";
ssl_certificate "/etc/ssl/null.crt.pem";
ssl_certificate_key "/etc/ssl/nullkey.pem";

return 444;
}
include sites-enabled/*.conf;

If I go to a subdomain of my domain that has a DNS A-record pointing to the same IP, but no Nginx virtual hosted site,

https://subdomain.example.com

in the browser I get this message

Did Not Connect: Potential Security Issue
Firefox detected a potential security threat and did not continue to subdomain.example.com because this website requires a secure connection.
What can you do about it?
subdomain.example.com has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site.
The issue is most likely with the website, and there is nothing you can do to resolve it. You can notify the website’s administrator about the problem.
Learn more…

Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for subdomain.example.com. The certificate is only valid for the following names: example.com, www.example.com

Error code: SSL_ERROR_BAD_CERT_DOMAIN
View Certificate

I expect it to fail with a 444, and only have info about the failed subdomain.

Why does it respond with cert info about the "example.com, www.example.com
" certs at all? Those are only for the full-domain site.

What do I need to set up to just get a fallback 444 response and NO information about any other domain's certs etc, when I visit the un-hosted subdomain.example.com?

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

Fallback default server sharing cert information about other domains than for the URL you visit ?

Anonymous User August 09, 2019 11:56AM

RE: Fallback default server sharing cert information about other domains than for the URL you visit ?

Reinis Rozitis August 09, 2019 01:08PM

Re: Fallback default server sharing cert information about other domains than for the URL you visit ?

Anonymous User August 09, 2019 01:28PM

RE: Fallback default server sharing cert information about other domains than for the URL you visit ?

Reinis Rozitis August 09, 2019 02:16PM

RE: Fallback default server sharing cert information about other domains than for the URL you visit ?

Reinis Rozitis August 09, 2019 02:18PM

Re: Fallback default server sharing cert information about other domains than for the URL you visit ?

Anonymous User August 09, 2019 02:26PM

RE: Fallback default server sharing cert information about other domains than for the URL you visit ?

Reinis Rozitis August 09, 2019 02:44PM

Re: Fallback default server sharing cert information about other domains than for the URL you visit ?

Anonymous User August 09, 2019 02:50PM

RE: Fallback default server sharing cert information about other domains than for the URL you visit ?

Reinis Rozitis August 09, 2019 03:22PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 76
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready