Cert handling on redirect of https subdomains

Hi Nginx Group,

Just wanted to start off by saying nginx is a rad web server! Na zdrowie!

So we’ve noticed some issues with setting up https ssl certificates over
multiple subdomains.

The base domain (example.com) and the first subdomain (www.example.com)
work beautifully:

server {
    listen www.example.com:443 default;
    server_name www.example.com;

    ssl on;
    ssl_certificate /opt/local/nginx/certs/www.example.com.crt;
    ssl_certificate_key /opt/local/nginx/certs/www.example.com.key;

    location / {
        # ...
    }
}

server {
    listen www.example.com:80 default;
    server_name www.example.com;

    location / {
        # ...
    }
}

server {
    listen example.com:443;
    server_name example.com;

    ssl on;
    ssl_certificate /opt/local/nginx/certs/example.com.crt;
    ssl_certificate_key /opt/local/nginx/certs/example.com.key;

    rewrite ^/(.*) https://www.example.com/$1 permanent;
}

server {
    server_name example.com;
    rewrite ^/(.*) http://www.example.com/$1 permanent;
}

NOW, if the following is added, the correct SSL cert for api.example.com
is not loaded before the redirect; the www.example.com cert is loaded
instead:

server {
    listen 127.0.0.1:443;
    server_name api.example.com api;

    ssl on;
    ssl_certificate /opt/local/nginx/certs/api.example.com.crt;
    ssl_certificate_key /opt/local/nginx/certs/api.example.com.key;

    rewrite ^/(.*) https://www.example.com/$1 permanent;
}

server {
    listen 127.0.0.1:80;
    server_name api.example.com api;
    rewrite ^/(.*) http://www.example.com/$1 permanent;
}

Any ideas on how to set up multiple SSL/HTTPS subdomains, each with its
own cert, in nginx?

I’ve tried many conf variants. At this point I’m suspecting it is a
bug in nginx, but how would that be possible? =)

Thanks,
Martian

On Tue, Sep 09, 2008 at 05:51:04AM +0000, Martian Alien wrote:


> Any ideas on how to set up multiple SSL/HTTPS subdomains, each with its own cert, in nginx?
>
> I’ve tried many conf variants. At this point I’m suspecting it is a bug in nginx, but how would that be possible? =)

127.0.0.1 is the loopback interface; do you connect to it from outside?

Note that the base domain (example.com) redirects fine to WWW
(www.example.com). Adding a 2nd subdomain, API (api.example.com),
returns the WWW certificate rather than the API one and flags a trust
concern in most browsers. I tried a listen directive with both
api.example.com:443 and the local interface 127.0.0.1:443; all fail in
the same way. The redirect works fine except that it returns the
incorrect SSL certificate.

server {
    listen api.example.com:443;
    server_name api.example.com api;

    ssl on;
    ssl_certificate /opt/local/nginx/certs/api.example.com.crt;
    ssl_certificate_key /opt/local/nginx/certs/api.example.com.key;

    rewrite ^/(.*) https://www.example.com/$1 permanent;
}

server {
    listen api.example.com:80;
    server_name api.example.com api;
    rewrite ^/(.*) http://www.example.com/$1 permanent;
}

Thanks again for looking into this concern,
Martian

On Wed, Sep 10, 2008 at 03:59:31AM +0000, Martian Alien wrote:

>     rewrite ^/(.*) https://www.example.com/$1 permanent;
> }
>
> server {
>     listen api.example.com:80;
>     server_name api.example.com api;
>     rewrite ^/(.*) http://www.example.com/$1 permanent;
> }
>
> Thanks again for looking into this concern,

Is api.example.com the same IP address as www.example.com?

> Is api.example.com the same IP address as www.example.com?

Yes, we are attempting to set up three virtual domains on the same
machine, each with different SSL certificates. The primary domain
(www.example.com:443 default) works fine, as does the base domain
(example.com:443). But adding more virtual subdomains will return the
wrong SSL cert.

Martian


On Thu, Sep 11, 2008 at 07:56:56AM +0000, Martian Alien wrote:

> > Is api.example.com the same IP address as www.example.com?
>
> Yes, we are attempting to set up three virtual domains on the same machine, each with different SSL certificates. The primary domain (www.example.com:443 default) works fine, as does the base domain (example.com:443). But adding more virtual subdomains will return the wrong SSL cert.

You need at least three different IP addresses on the host:

http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47

Otherwise you need a wildcard certificate or a certificate with
alternative names.

I have also noticed some unusual behaviour with ssl server configs. I
found that some items put in http were better to be put again in the
server section. In particular, I found that if fastcgi_params was
“included” in http (and worked fine with non-ssl sections) then inside
an ssl server it would cross post values from one domain to another. I
fixed it by including the fastcgi_params again inside the ssl server. I
have no idea why that worked or why it wouldn’t behave as expected in
the first place but you may try something similar to see if it helps.
Chris :)

I think what you are trying to do is impossible. An SSL connection needs to
be established before the virtual host is known. To my knowledge this
limits you to only one certificate per IP.

Till far I also thought that you need a separate IP for each domain/cert,
but as I am also reading the Cherokee mailing list, they have pulled off
making SSL virtualhosts (see the Cherokee documentation page, bottom),
which seems a pretty nice feature (I haven’t tested it myself yet though).

As to how it is done, here is a snip from the developers’ mail:

There is a TLS extension named SNI (for ‘Server Name Indication’) that
does the trick:

RFC 4680: TLS Handshake Message for Supplemental Data
RFC 4366: Transport Layer Security (TLS) Extensions

Basically, the client sends the target host during the initial handshake
so Cherokee can pick the right virtual server certificate in advance. In
that way the secure connection is stabilized with the right certificate
without having to re-handshake.

Note that both the client and the server libraries must support SNI.
Cherokee can use two different SSL/TLS engines; in case you use OpenSSL
you might need to either apply a patch or install the latest release. In
case you choose to use GnuTLS everything will be fine (it has supported
SNI for years now).

Maybe worth looking into it?

rr

> I think what you are trying to do is impossible. An SSL connection needs
> to be established before the virtual host is known. To my knowledge this
> limits you to only one certificate per IP.
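As an added illustration of the SNI mechanism Reinis describes above (example code written for this page, not Cherokee's or nginx's), the Python below parses the server_name extension out of a TLS ClientHello and uses it to choose which certificate to present. When the client sends no SNI at all, the server can only fall back to its default certificate, which is exactly why a non-SNI browser on a shared IP always gets the default server's cert. The certificate paths are the ones quoted from the thread's configs; the ClientHello builder, the mapping and the default name are constructed test data, not a real handshake.

```python
import struct

# Constructed mapping mirroring the thread's three vhosts; the paths are the
# ones quoted in the thread's nginx configs. DEFAULT_NAME plays the role of
# nginx's default server: the certificate presented when no server name is sent.
CERTS = {
    "www.example.com": "/opt/local/nginx/certs/www.example.com.crt",
    "example.com": "/opt/local/nginx/certs/example.com.crt",
    "api.example.com": "/opt/local/nginx/certs/api.example.com.crt",
}
DEFAULT_NAME = "www.example.com"


def _u16(buf, pos):
    """Big-endian uint16 at pos; raises struct.error on truncation."""
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.0 ClientHello record (constructed test input,
    not a complete handshake), with an optional server_name extension."""
    body = b"\x03\x01"                    # client_version: TLS 1.0
    body += b"\x00" * 32                  # random (zeros suffice for a sample)
    body += b"\x00"                       # session_id: empty
    body += b"\x00\x02\x00\x2f"           # cipher_suites: a single suite
    body += b"\x01\x00"                   # compression_methods: null only
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry             # ServerNameList
        ext = struct.pack("!HH", 0, len(sni)) + sni             # extension_type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext               # extensions block
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the server_name extension of a ClientHello
    record, or None when the client sent no SNI. Raises ValueError for
    anything that is not a well-formed ClientHello."""
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        handshake = record[5:5 + _u16(record, 3)]
        if handshake[0] != 0x01:
            raise ValueError("not a ClientHello")
        body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
        pos = 2 + 32                                 # skip version and random
        pos += 1 + body[pos]                         # session_id
        pos += 2 + _u16(body, pos)                   # cipher_suites
        pos += 1 + body[pos]                         # compression_methods
        if pos >= len(body):
            return None                              # no extensions block: SNI-less client
        end = pos + 2 + _u16(body, pos)
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = _u16(body, pos), _u16(body, pos + 2)
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0:
                continue
            list_end = 2 + _u16(data, 0)
            j = 2
            while j + 3 <= list_end:
                name_type, name_len = data[j], _u16(data, j + 1)
                name = data[j + 3:j + 3 + name_len]
                j += 3 + name_len
                if name_type == 0:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError("malformed ClientHello") from exc


def select_certificate(record, certs=CERTS, default=DEFAULT_NAME):
    """Pick the certificate for this ClientHello: the SNI host's cert if we
    have one, otherwise the default server's cert (what every browser
    without SNI support gets on a shared IP)."""
    name = extract_sni(record)
    key = name.lower() if name is not None and name.lower() in certs else default
    return name, certs[key]


if __name__ == "__main__":
    for host in ("api.example.com", "example.com", None, "other.example.org"):
        print(host, "->", select_certificate(build_client_hello(host)))
```

The None case is the one that matters for the IE6/XP discussion further down: with no server_name in the hello, nothing in the handshake tells the server which vhost is wanted, so the only safe choice is the default certificate, and the browser then compares that cert's names against the URL it typed.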

On Thu, Sep 11, 2008 at 11:46:24AM +0300, Reinis R. wrote:

'Re: implementing SNI SSL ?' - MARC
'Re: Multiple ssl certs for the same IP?' - MARC

> 'Re: implementing SNI SSL ?' - MARC
> 'Re: Multiple ssl certs for the same IP?' - MARC

Nice, seems already covered :)
Just have to wait for IE6 to extinguish (be replaced by IE7) and then such
setups will be pretty realistic…

rr

On Thu, Sep 11, 2008 at 3:18 AM, Igor S. wrote:

> No, you need also to wait, when Vista will replace XP, as IE7/XP does not
> understand SNI. Or until MS will update security DLLs in XP. Or until MS
> will release OS faster than Vista.
>
> I do not think that Vista will replace XP soon.
> Even in Russia, where people often use pirate Windows and usually
> early upgrade to new versions, they refuse to upgrade to Vista:

Yeah - and I still use IE6. I won’t upgrade to IE7. I hate it. If I’m
going to use IE, I’m still sticking with IE6 (not to mention it is the
only ‘supported’ browser by my day job’s IT department too)

On Thu, Sep 11, 2008 at 12:47:03PM +0300, Reinis R. wrote:

> 'Re: implementing SNI SSL ?' - MARC
> 'Re: Multiple ssl certs for the same IP?' - MARC
>
> Nice, seems already covered :)
> Just have to wait for IE6 to extinguish (be replaced by IE7) and then such
> setups will be pretty realistic…

No, you need also to wait, when Vista will replace XP, as IE7/XP does not
understand SNI. Or until MS will update security DLLs in XP. Or until MS
will release OS faster than Vista.

I do not think that Vista will replace XP soon.
Even in Russia, where people often use pirate Windows and usually
early upgrade to new versions, they refuse to upgrade to Vista:

http://www.liveinternet.ru/stat/ru/oses.html?period=month
http://www.liveinternet.ru/stat/ru/browsers.html?period=month

IE7 is quite popular. On the mentioned graphs IE7 takes 27% vs 31% of IE6,
but Vista is very unpopular: since the beginning of 2007 it takes only 10%
vs 80% of XP. I know that some people bought notebooks with preinstalled
legal Vista; after some time they removed it and set up pirate XP.

Sorry for going too much offtopic now (from the initial SSL), but yeah,
IE6 is still also my choice of browser…
According to our graphs (from a pretty large social network site) IE7 is
slowly taking over (probably because of the silent updates and such), but
as there is already IE8 in the oven (e.g. Beta 2, although I haven’t
tested it) we will (maybe) see IE6 less and less… Or maybe the world
suddenly switches to Chrome :)

As to Vista, at least MS offers a valid downgrade to XP from the Business
(which is usually installed on laptops) and Premium editions…

rr

Interesting. The reason for the limitation makes more sense now. But
why do the first two virtual domains (example.com and www.example.com)
work?

From what I read, only one should work…

All my certs were generated at the same time, and are essentially
equivalent except they are tied to different subdomains.

Curious,
Martian


On Fri, Sep 12, 2008 at 12:27:09AM +0000, Martian Alien wrote:

> Interesting. The reason for the limitation makes more sense now. But why do the first two virtual domains (example.com and www.example.com) work?
>
> From what I read, only one should work…
>
> All my certs were generated at the same time, and are essentially equivalent except they are tied to different subdomains.

Yes, only www.example.com should work if all three sites listen on a
single IP address. I do not know why https://example.com works in your
case.
The only idea that crosses my mind: some time ago you might have stored
this exception in your browser. Try to use some fresh browser or look
inside the browser security settings.

mike wrote:

> Yeah - and I still use IE6. I won’t upgrade to IE7. I hate it. If I’m
> going to use IE, I’m still sticking with IE6 (not to mention it is the
> only ‘supported’ browser by my day job’s IT department too)

You sure hate web developers :).

I hope IE6 will disappear soon.

Manlio P.

On Thu, Sep 11, 2008 at 08:32:57AM -0700, mike wrote:

> Yeah - and I still use IE6. I won’t upgrade to IE7. I hate it. If I’m
> going to use IE, I’m still sticking with IE6 (not to mention it is the
> only ‘supported’ browser by my day job’s IT department too)

IE7 is quite popular. On the mentioned graphs IE7 takes 27% vs 31% of IE6,
but Vista is very unpopular: since the beginning of 2007 it takes only 10%
vs 80% of XP. I know that some people bought notebooks with preinstalled
legal Vista; after some time they removed it and set up pirate XP.

On Fri, 2008-09-12 at 10:51 +0200, Manlio P. wrote:

> > Yeah - and I still use IE6. I won’t upgrade to IE7. I hate it. If I’m
> > going to use IE, I’m still sticking with IE6 (not to mention it is the
> > only ‘supported’ browser by my day job’s IT department too)
>
> You sure hate web developers :).
>
> I hope IE6 will disappear soon.

I hope IE in general will disappear some day…

> Interesting. The reason for the limitation makes more sense now. But why
> do the first two virtual domains (example.com and www.example.com) work?

Usually the signed SSL cert contains both domains (Common Name), e.g. the
short example.com and the long www.example.com (at least GoDaddy always
adds both even if you don’t specify that).
So basically you get a simple wildcard certificate… (to look up what
Common Names you have: ‘openssl x509 -in filename.crt -noout -text’)

rr
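Igor's earlier answer (one certificate per IP unless it is a wildcard or carries alternative names) and Reinis's point just above (a commercial www cert often lists the bare domain too) together explain why two of the three vhosts worked. As an added example written for this page (not nginx's or OpenSSL's code), the Python below pulls the Subject CN and the subjectAltName DNS entries out of a constructed excerpt in the shape of `openssl x509 -noout -text` output, then checks which hostnames a single certificate presented on one IP actually covers, including the wildcard rule that `*.example.com` does not cover the bare domain or a second-level subdomain. The certificate text and the hostnames are constructed sample data.

```python
import re

# Constructed excerpt shaped like 'openssl x509 -in filename.crt -noout -text'
# output for a www certificate that, as Reinis describes, also carries the
# bare domain as an alternative name. Not a real certificate.
OPENSSL_TEXT = """\
Certificate:
    Data:
        Subject: C=US, O=Example Ltd, CN=www.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:example.com
"""


def names_from_openssl_text(text):
    """Collect the Subject CN plus every subjectAltName DNS entry, in order
    and without duplicates. These are the names a browser matches against."""
    names = []
    m = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,/\n]+)", text, re.M)
    if m:
        names.append(m.group(1).strip())
    lines = text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if "Subject Alternative Name" in line:
            # openssl prints the DNS: list on the line after the heading
            names.extend(re.findall(r"DNS:([^\s,]+)", lines[i + 1]))
    seen, out = set(), []
    for n in names:
        if n.lower() not in seen:
            seen.add(n.lower())
            out.append(n)
    return out


def cert_covers(hostname, cert_names):
    """True if one of the certificate's names matches hostname. A wildcard
    matches exactly one leftmost label, so '*.example.com' covers
    'api.example.com' but neither 'example.com' nor 'a.b.example.com'."""
    host = hostname.lower().rstrip(".")
    for raw in cert_names:
        pat = raw.lower().rstrip(".")
        if pat == host:
            return True
        if pat.startswith("*.") and "*" not in pat[2:] and "." in pat[2:]:
            head, _, tail = host.partition(".")
            if head and tail == pat[2:]:
                return True
    return False


def check_vhosts(presented_cert_names, hostnames):
    """Model one IP that can present only one certificate (no SNI): report,
    per hostname, whether a browser connecting to it sees a name match."""
    return {h: cert_covers(h, presented_cert_names) for h in hostnames}


if __name__ == "__main__":
    names = names_from_openssl_text(OPENSSL_TEXT)
    hosts = ["example.com", "www.example.com", "api.example.com"]
    print("names in cert:", names)
    print("single www cert on one IP:", check_vhosts(names, hosts))
    print("wildcard cert on one IP:  ", check_vhosts(["*.example.com"], hosts))
```

Run against the constructed www certificate, example.com and www.example.com come back covered and api.example.com does not, which is the thread's observed behaviour. Swapping in a wildcard shows the converse gap: `*.example.com` covers www and api but not the bare domain, so a wildcard cert still wants example.com as an explicit alternative name.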