Nginx
Anton Artyomov, 2015-02-12 09:35:12

Why does NGINX use the certificate and key of the first host?

I set up 2 NGINX configs for HTTPS connections.
Here is the domen1 config: nginx ssl config
The second one is similar.

So for both domen1 and domen2, nginx uses a certificate from domen1.
If I rename the domen2 config so that it is higher than the domen1 config, then the certificate from domen2 is used for both domains.

What did I do wrong? After all, each config has its own server_name.

3 answer(s)
Samuel_Leonardo, 2015-02-12
@ArtyomovAnton

nginx needs to be built with SNI support; you can check like this:
nginx -V
which should print
TLS SNI support enabled
Also, OpenSSL should be built with enable-tlsext.
Or use a different IP for each domain.

Sergey Petrikov, 2015-02-12
@RicoX

Show both configs. nginx handles different certificates for different domains perfectly normally; in the general case it is configured like this:

# "listen ... ssl" enables TLS; the separate "ssl on;" directive is obsolete
# since nginx 1.15.0 and is left out here.
server {
    listen              443 ssl;
    server_name         domain1;
    ssl_certificate     /etc/nginx/ssl/domain1.crt;
    ssl_certificate_key /etc/nginx/ssl/domain1.key;
}
server {
    listen              443 ssl;
    server_name         domain2;
    ssl_certificate     /etc/nginx/ssl/domain2.crt;
    ssl_certificate_key /etc/nginx/ssl/domain2.key;
}
# Shared port-80 block: strip an optional "www." and redirect to HTTPS.
server {
    listen                  80;
    server_name_in_redirect off;
    server_name             ~^(?:www\.)?(?P<host_wo_www>.+)$;
    return 301 https://$host_wo_www$request_uri;
}

Each domain has its own certificate on port 443 and a common redirect from port 80 to 443.
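
One way to check the result from the client side, as an added example that is not part of the original answers: it handshakes once per hostname, sending that name via SNI, and reports the hosts whose presented certificate does not cover them. The function names and the 192.0.2.10 address are assumptions, and the live `fetch_cert` assumes certificates that chain to the system trust store.

```python
import socket
import ssl


def dns_names(cert):
    """DNS names in a getpeercert() dict: subjectAltName first, else subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    return names


def covers(pattern, host):
    """True if a certificate name (optionally '*.example.org') covers host."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and p[0] in ("*", h[0])


def fetch_cert(addr, sni, port=443):
    """Handshake with addr:port, sending sni as the TLS server_name."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # names are compared in audit(), not by ssl
    with socket.create_connection((addr, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()


def audit(addr, hosts, fetch=fetch_cert):
    """Return {host: names presented} for hosts whose certificate is wrong."""
    wrong = {}
    for host in hosts:
        names = dns_names(fetch(addr, host))
        if not any(covers(n, host) for n in names):
            wrong[host] = names
    return wrong


if __name__ == "__main__":
    # Constructed stand-in for a server without SNI: it ignores the requested
    # name and always presents the first server block's certificate.
    def first_block_only(addr, sni):
        return {"subject": ((("commonName", "domain1"),),),
                "subjectAltName": (("DNS", "domain1"), ("DNS", "www.domain1"))}

    print(audit("192.0.2.10", ["domain1", "domain2"], fetch=first_block_only))
```

Against a live server, call `audit` without `fetch=` so that real handshakes are used; an empty result means every hostname received a certificate that names it.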

Anton Artyomov, 2015-02-12
@ArtyomovAnton

I have TLS SNI support disabled
