Nginx not loading different certs on two hosts

Wed, 09 Dec 2020 13:35:07 -0800 

Hello,

On a Centos 7 with nginx-1.18.0 I have configured two vhosts, as follows:

First one:

server {

    listen [::]:80 ipv6only=off;

    listen    443 ssl http2 default deferred;
    listen    [::]:443 ssl http2 default deferred;

    server_name  site1.world.example.com;

    ssl_certificate     /etc/pki/tls/certs/star_world.crt;
    ssl_certificate_key /etc/pki/tls/private/star_world.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED'; 
    ssl_prefer_server_ciphers on;

    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout  1d;
    ssl_session_tickets off;

    ssl_dhparam /etc/pki/tls/certs/dhparam.pem;
    ...

and the second:

server {
    listen [::]:80;
    listen [::]:443 ssl;
    server_name  site2.local.world.example.com;

    ssl_certificate     /etc/pki/tls/certs/star_local_world.cer;
    ssl_certificate_key /etc/pki/tls/private/star_local_world.key;

    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED'; 
    ssl_prefer_server_ciphers on;

    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout  1d;
    ssl_session_tickets off;

    ssl_dhparam /etc/pki/tls/certs/dhparam.pem;
    ...
However, while the first one works correctly, the second one is clearly using the SSL certs of the first vhost (and thus it produces a Risk warning due to mismatch between name-cert) and not the ones configured in its own config (the second). 

(I confirmed that SNI support is enabled.)

What am I doing wrong? (Obviously I am a very basic nginx user.)
How shall I make the second vhost load/use its own ssl configuration correctly?
Finally, what is the best way to successfully listen (i.e. the suggested way to configure the "listen" directives) to 80 and 443 ports on both IPv4 and IPv6 on all hosts (each and every one of them)? 

Thanks in advance!

Cheers,
Nick


_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Reply via email to