Multiple SSL certificates

T
Thomas
  • 21 Oct '08
Hi,

I can't manage to define multiple SSL certificates for each of my
server {} directive.

Only 1 SSL certificate is being sent by Nginx, thus creating warnings
in my browser when I want to access a different domain name which uses
a different certificate. Is that possible to do? In each server {}
block I have defined the exact server_name so Nginx should know where
to go.
D
Dave
  • 21 Oct '08
SSL is negotiated at the connection level, before the http headers are  
transmitted.

You will need to setup a separate IP for each SSL certificate you wish  
to host.

Cheers

Dave

On 21/10/2008, at 7:33 PM, Thomas wrote:

> Hi,
>
> I can't manage to define multiple SSL certificates for each of my
> server {} directive.
>
> Only 1 SSL certificate is being sent by Nginx, thus creating warnings
> in my browser when I want to access a different domain name which uses
> a different certificate. Is that possible to do? In each server {}
> block I have defined the exact server_name so Nginx should know where
> to go.
T
Thomas
  • 21 Oct '08
Should I actually concatenate my 2 certificates into one file? Would
that thing work?

I cannot have separate IP for each certificate, as I will be hosting
many different websites that each use different certificates. I could
use a wildcard certificate and do a redirection such as
site1.mainsite.com, but I find it's an ugly solution.
T
Thomas
  • 21 Oct '08
After some research it seems that as Dave said, the only solution is
to set a different IP address for each certificate (what a pain).

So I did that:

server {
listen IP1:443;
...
}

server {
listen IP2:443;
...
}

But Nginx fails to start, and testing the configuration file returns a
failure but no error message.
D
Dave
  • 21 Oct '08
On 21/10/2008, at 8:04 PM, Thomas wrote:

> Should I actually concatenate my 2 certificates into one file? Would
> that thing work?

Nope, and even if it did you would need some way of indicating which  
certificate goes with which host, and your back to square one.

> I cannot have separate IP for each certificate, as I will be hosting
> many different websites that each use different certificates. I could
> use a wildcard certificate and do a redirection such as
> site1.mainsite.com, but I find it's an ugly solution.

If you have

mysite.com

and

myothersite.net

this won't work

If you want to have

site1.mysite.com

and

site2.mysite.com

then a wildcard will help.

Cheers

Dave
D
Dave
  • 21 Oct '08
> server {
> listen IP2:443;
> ...
> }
>
> But Nginx fails to start, and testing the configuration file returns a
> failure but no error message.

Hmmm, that sounds weird. Set your error log to debug and HUP nginx  
again while tailing the file. If you can kill -TERM nginx, make sure  
its stopped and try starting it again. If it can't start, because of  
some config error, I believe it will print it to stderr.

Cheers

Dave
T
Thomas
  • 21 Oct '08
I will use the IP based solution. However I am having problems, when I
specify: "listen myIP:443", Nginx configuration file tester fails. Why
is that happening?
I
Igor
  • 21 Oct '08
On Tue, Oct 21, 2008 at 11:23:15AM +0200, Thomas wrote:

> After some research it seems that as Dave said, the only solution is
> to set a different IP address for each certificate (what a pain).
> 
> So I did that:
> 
> server {
> listen IP1:443;
> ...
> }
> 
> server {
> listen IP2:443;
> ...
> }
> 
> But Nginx fails to start, and testing the configuration file returns a
> failure but no error message.

Do you mean that "nginx -t" shows something like this:

the configuration file ... syntax is ok
the configuration file ... test failed

?

Could look inside main error_log for messages ?

-- 
Igor Sysoev
http://sysoev.ru/en/
D
Dave
  • 21 Oct '08
Is that IP bound to your server.

I just added this stanza to my config

server {
    listen 100.100.100.100;
}

and got

[root at b02s04mr ~]# nginx -t
2008/10/21 05:50:10 [info] 28274#0: the configuration file /etc/nginx/ 
nginx.conf syntax is ok
2008/10/21 05:50:10 [emerg] 28274#0: the configuration file /etc/nginx/ 
nginx.conf test failed

Cheers

Dave

On 21/10/2008, at 8:41 PM, Thomas wrote:

> I will use the IP based solution. However I am having problems, when I
> specify: "listen myIP:443", Nginx configuration file tester fails. Why
> is that happening?
I
Igor
  • 21 Oct '08
On Tue, Oct 21, 2008 at 08:50:44PM +1100, Dave Cheney wrote:

> Is that IP bound to your server.
> 
> I just added this stanza to my config
> 
> server {
>   listen 100.100.100.100;
> }
> 
> and got
> 
> [root at b02s04mr ~]# nginx -t
> 2008/10/21 05:50:10 [info] 28274#0: the configuration file /etc/nginx/ 
> nginx.conf syntax is ok
> 2008/10/21 05:50:10 [emerg] 28274#0: the configuration file /etc/nginx/ 
> nginx.conf test failed

Yes, there is bug/feature when nginx shows this error message in
error_log onlya, but not to stderr.

> On 21/10/2008, at 8:41 PM, Thomas wrote:
> 
> >I will use the IP based solution. However I am having problems, when I
> >specify: "listen myIP:443", Nginx configuration file tester fails. Why
> >is that happening?

-- 
Igor Sysoev
http://sysoev.ru/en/
T
Thomas
  • 21 Oct '08
Here is the error message:
--
2008/10/21 11:52:46 [emerg] 22020#0: bind() to IP:443 failed (99:
Cannot assign requested address)
--

What does it mean?
I
Igor
  • 21 Oct '08
On Tue, Oct 21, 2008 at 11:52:18AM +0200, Thomas wrote:

> Here is the error message:
> --
> 2008/10/21 11:52:46 [emerg] 22020#0: bind() to IP:443 failed (99:
> Cannot assign requested address)
> --
> 
> What does it mean?

This means that you have not configured this IP on the host.

-- 
Igor Sysoev
http://sysoev.ru/en/
T
Thomas
  • 21 Oct '08
So I tried with my real IP server, and it works. But when I add my IP
failover, it doesn't.

How do I configure the IP on the host? Why would the host need to be
aware of its IP? Moreover, Nginx is running in a virtual machine, the
only IPs it is aware of are 127.0.0.1 and 10.0.0.1

And why do I need to configure any IP, as Nginx works with the real IP
of my server, why is it not working with the IP failover? By the way
the IP failover is correctly pointing to my server.
D
Dave
  • 21 Oct '08
On 21/10/2008, at 9:05 PM, Thomas wrote:

> So I tried with my real IP server, and it works. But when I add my IP
> failover, it doesn't.
>
> How do I configure the IP on the host? Why would the host need to be
> aware of its IP? Moreover, Nginx is running in a virtual machine, the
> only IPs it is aware of are 127.0.0.1 and 10.0.0.1

Um, those IP's aren't routable on the general internet, how are hosts  
going to contact that machine ?

> And why do I need to configure any IP, as Nginx works with the real IP
> of my server, why is it not working with the IP failover? By the way
> the IP failover is correctly pointing to my server.

If you want nginx to listen() on any IP address that is currently  
configured for your server (/sbin/ifconfig) then you can say

listen 443;

However, because you need to bind a particular IP to a particular ssl  
certificate, then you need to specify the IP you want each server  
block assigned too in the config. Also, each of thoses IP's have to be  
valid at server startup time so that nginx can issue a successful  
bind() call for each.

Can you give us some more background about your setup, and what you  
are trying to do?

Cheers

Dave
R
ryo
  • 21 Oct '08
> How do I configure the IP on the host?

Please excute next command.

/sbin/ifconfig eth0:0 "IP2"

 > Why would the host need to be
 > aware of its IP?

Because we can't bind non-local IP on processes.

To allow processes to bind to the non-local address,
add the following line to /etc/sysctl.conf:

net.ipv4.ip_nonlocal_bind=1

   and

sysctl -p

> So I tried with my real IP server, and it works. But when I add my IP
> failover, it doesn't.
> 
> How do I configure the IP on the host? Why would the host need to be
> aware of its IP? Moreover, Nginx is running in a virtual machine, the
> only IPs it is aware of are 127.0.0.1 and 10.0.0.1
> 
> And why do I need to configure any IP, as Nginx works with the real IP
> of my server, why is it not working with the IP failover? By the way
> the IP failover is correctly pointing to my server.
> 
> 
> 

-- 
Ryo Sato
T
Thomas
  • 21 Oct '08
Now my config file looks like this:

server {
listen 80;
server_name www.site1.com;
}

server {
listen 80;
server_name www.site2.com;
}

server {
listen IP1:443;
server_name www.site1.com;
}

server {
listen IP2:443;
server_name www.site2.com
}

And Nginx is running and there is no longer any error message. I am
not sure what made it work, but I also tweaked at my domain name
registrar the IP address of the domain name site2.com it now points to
IP2 (it used to point to IP1).

Now if I visit http://www.site1.com or site2.com, it works.

But if I visit https://www.site1.com or site2.com, Firefox tells me
that he can't make the connection, and nothing gets printed in any log
file.

If I type https://IP1 or https://IP2, it doen't work either.

I have also tested the following config:
--
server {
listen IP1:80;
}

And entering http://www.site1.com or http://IP1 doesn't work anymore!
What's happening, is the "listen IP:Port" correctly working with Nginx
0.6.32? I am starting to wonder.
D
Dave
  • 21 Oct '08
As your site will be on the internet, why not tell us the IPs and the  
hostnames so that we can assist in debugging.

Cheers

Dave

On 22/10/2008, at 12:37 AM, Thomas wrote:

> Now my config file looks like this:
>
> server {
> listen 80;
> server_name www.site1.com;
> }
T
Thomas
  • 21 Oct '08
My website is: http://www.digiprof.fr, if you click the "connexion"
button at the top right corner, you will be redirected to a
registration page which uses SSL.

I have a mail server administration application reachable at
http://www.digiprof.eu, you will get redirected to https and you
should see the certificate warning with www.digiprof.fr

I tried to setup Nginx in the same manner as this page:
http://wiki.apache.org/httpd/NameBasedSSLVHosts

But when I specify an IP address in listen, it doesn't work.
I
Igor
  • 21 Oct '08
On Tue, Oct 21, 2008 at 04:39:04PM +0200, Thomas wrote:

> My website is: http://www.digiprof.fr, if you click the "connexion"
> button at the top right corner, you will be redirected to a
> registration page which uses SSL.
> 
> I have a mail server administration application reachable at
> http://www.digiprof.eu, you will get redirected to https and you
> should see the certificate warning with www.digiprof.fr
> 
> I tried to setup Nginx in the same manner as this page:
> http://wiki.apache.org/httpd/NameBasedSSLVHosts
> 
> But when I specify an IP address in listen, it doesn't work.

You should use

     server {
         listen  www.digiprof.fr:443;

         ssl on;
         ssl_certificate       /path/to/www.digiprof.fr.cert;
         ssl_certificate_key   /path/to/www.digiprof.fr.key;

         ...
     }

     server {
         listen  www.digiprof.eu:443;

         ssl on;
         ssl_certificate       /path/to/www.digiprof.eu.cert;
         ssl_certificate_key   /path/to/www.digiprof.eu.key;

         ...
     }

-- 
Igor Sysoev
http://sysoev.ru/en/
T
Thomas
  • 21 Oct '08
I have changed my config files, http works, but now https doesn't work
anymore, firefox can't make the connection. However in my access.log I
see some references to https://www.digiprof.fr/login, but when I
access it myself, I don't see it get printed in the log file.
Reply