1

I currently have several regular http servers and 1 https server. I would like to add another https server with the same public ip.

I have something similar to

server {
    listen          443 ssl;
    server_name     sub1.example.com;
    ssl_certificate sub1.example.com.crt;
    ...
}
server {
    listen          443 ssl;
    server_name     sub2.example.org;
    ssl_certificate sub2.example.org.crt;
    ...
}

The issue I am encountering is with IE8. I receive sub1's certificate instead of sub2's. Other browsers do not have this issue. Upon reading http://nginx.org/en/docs/http/configuring_https_servers.html#name_based_https_servers I see that I need to do something like this

server {
    listen          192.168.1.1:443 ssl;
    server_name     sub1.example.com;
    ssl_certificate sub1.example.com.crt;
    ...
}
server {
    listen          192.168.1.2:443 ssl;
    server_name     sub2.example.org;
    ssl_certificate sub2.example.org.crt;
    ...
}

I am unsure how to actually set up or allocate the IPs. I tried just placing those IPs from above into my nginx conf, but it didn't work. After restarting nginx, neither of my sites worked. When I try to load the website I get an error saying it couldn't connect to the server.

I have CentOS 6.5 and Nginx 1.6

David
  • 3
    This doesn't work on _any_ version of Internet Explorer on Windows XP. But nobody should still be running XP anyway... – Michael Hampton Feb 20 '15 at 01:53
  • David, wouldn't you mind reading http://serverfault.com/questions/tagged/sni Meanwhile I'm voting to close this q-n – poige Feb 20 '15 at 04:23

2 Answers

2

If indeed you are running Windows XP, this will not work. Need Vista or higher.

I would also double-check that SNI is enabled, from the same link you mentioned.

nginx -V

The first configuration you posted should usually work if you use an SNI-compatible browser.

Adjustable
  • Unfortunately, I need to support XP. IE works just fine on Windows 7 and 8. – David Feb 20 '15 at 02:08
  • That's a bummer. You will add some complexity to your setup since you need either two IPs on one host (w/ corresponding DNS entries) or two completely separate servers. If you don't have two IPs that match your domains, I wouldn't expect nginx to work correctly. – Adjustable Feb 20 '15 at 02:18
  • I don't know much about servers and IPs so sorry. Are you saying I need 2 public IPs or 1 public IP and 2 private IPs? – David Feb 20 '15 at 02:39
  • 1
    You'll need a public IP per certificate if you need to support XP (which doesn't support SNI) – Bill Weiss Feb 20 '15 at 02:55
1

If you are hosting two subdomains of the same domain, you have no problem if you get a multidomain or wildcard certificate. Otherwise the domain not listed on the certificate will give a warning that the name doesn't match. When configuring the domains, you would use the same certificate for both domains.

Some clients and servers support negotiating the domain name before presenting the certificate. This allows two different certificates to be used.

BillThor