Nginx
Dmitry Salodki, 2015-02-18 14:35:43

Nginx is loading the wrong certificate. What to do?

Each domain has a config of this kind:

....
server_name  host.[net,ru,com,by];
ssl_certificate /path/to/cert/host.[net,ru,com,by].crt;
ssl_certificate_key /path/to/cert/host.[net,ru,com,by].key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers kEECDH+AES128:kEECDH:kEDH:-3DES:kRSA+AES128:kEDH+3DES:DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv2;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=63072000;
add_header X-Content-Type-Options nosniff;
.....

In some browsers (IE, Firefox, etc.) opening the .net domain loads the wrong certificate, usually the one for the .by domain. Accordingly, the browser complains about the mismatch between the domain and the certificate. I found similar situations, but those solution methods did not help.
P.S. Nginx is built with SNI support.

2 answers
Igor, 2015-02-18
@merryjane

Check that nginx is built with SNI support. This can be done with the nginx -V command.
Also check that the browsers in which the problem occurs are capable of SNI:
nginx.org/en/docs/http/configuring_https_servers.html
If this is indeed the problem, then the certificates and the different virtual hosts can be placed on different IP addresses.
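A diagnostic for the symptom in the question, added here as an example and not taken from the thread: it checks the nginx -V build banner for SNI support and compares the leaf certificate the server hands out with and without an SNI name, which is what a non-SNI browser sees. It assumes openssl 1.1.1 or newer (for -noservername) and uses the constructed host names from the question.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose which certificate nginx
# serves per SNI name. Assumes openssl(1) >= 1.1.1 (for -noservername)
# and, on the server itself, nginx(1) on PATH. Host names are constructed.

# 1. nginx -V prints its build summary on stderr; an SNI-capable build
#    contains the line "TLS SNI support enabled".
nginx_has_sni() {
    printf '%s\n' "$1" | grep -q 'TLS SNI support enabled'
}

# 2. Extract the CN from `openssl x509 -noout -subject` output, in both
#    the "subject=CN = host.by" and the older "subject= /CN=host.by" form.
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# 3. Does a certificate CN cover a host name? Exact match, or a single
#    leading "*." label. SAN-only certificates need a manual look.
cn_matches() {
    case $2 in
        \*.*) [ "${1#*.}" = "${2#\*.}" ] && [ "${1%%.*}" != "$1" ] ;;
        *)    [ "$1" = "$2" ] ;;
    esac
}

# 4. Fetch the leaf certificate for host:port. With a third argument the
#    client sends that SNI name; without one it behaves like a non-SNI
#    browser, so nginx answers with the default_server certificate.
served_cn() {
    if [ -n "$3" ]; then sni_opt="-servername $3"; else sni_opt="-noservername"; fi
    subject_cn "$(openssl s_client -connect "$1:$2" $sni_opt </dev/null 2>/dev/null \
                 | openssl x509 -noout -subject 2>/dev/null)"
}

# 5. Walk the domains from the question and flag the mismatch the
#    browsers complained about.
check_sni() {
    host=$1; port=$2; shift 2
    for name in "$@"; do
        cn=$(served_cn "$host" "$port" "$name")
        if cn_matches "$name" "$cn"; then echo "OK    $name -> $cn"
        else echo "WRONG $name -> ${cn:-<no certificate>}"; fi
    done
    echo "no-SNI default: $(served_cn "$host" "$port")"
}

# Run on the server, e.g.:
# nginx_has_sni "$(nginx -V 2>&1)" && check_sni 127.0.0.1 443 host.net host.ru host.com host.by
```

If the no-SNI default is the .by certificate, that is exactly what a browser without SNI will receive for every name on that ip:port; set the intended default_server explicitly or give those hosts separate addresses, as Igor suggests.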

Dzmitry Salodki, 2015-08-03
@dimedr

To improve browser support, the root certificate of the chain was added to the certificate itself.
This solved the problem for many, but it is not a panacea.
