Hi,
I have two applications running on Nginx, both using their own SSL certificates with HTTPS on different ports. The IP address and server are the same for both. Occasionally, I encounter a certificate mismatch error (the certificates get cross-referenced; most of the time it works correctly, and the problem happens on the first-time visit). I obtained the certificates using Certbot and confirmed that both are listed in the Nginx configuration. How can I resolve this issue?
The standard https port is 443 and the conventional way to share that port is using SNI (Service name indication) where each hostname/domain maps to a different SSL configuration. Is there a special reason you are not using the standard https 443 port or were you just not aware of SNI?
http://nginx.org/en/docs/http/configuring_https_servers.html
3 Likes
I have several web applications running on the same IP address but on different ports. The primary application is running on port 443, while the others are on different ports. I’m sorry, but I’m not familiar with Server Name Indication (SNI) as I’m new to this area.
That's ok. If you use different ports you need to manage more firewall ports and can also get a little more complication for CORS etc. You also have to educate your users to specify ports if they are ever typing your app URL manually (which they're not usually accustomed to).
When you see a certificate mismatch, this usually means you are asking for one name but on the port/IP for something else. This can be avoided by simply using Server Name Indication to differentiate things with different host names/subdomains [they can then share the same HTTPS port 443].
The convention for multiple app servers running on the same web server is to use either:
- endpoints proxied back to each application (e.g. /app, /api etc). This means you only need one domain and one cert.
- or subdomains (app.yourdomain.com, api.yourdomain.com), each pointing to their own app. Each subdomain may then have its own certificate, but they are still just https:// (which defaults to port 443).
Many web servers can also directly run the web applications themselves, so you don't need to proxy back to other services, it just depends what you are building.
5 Likes
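To make the SNI suggestion concrete, here is an added example nginx configuration that is not from the thread or from any poster: two subdomains on one IP, both on port 443, each with its own Certbot certificate. The hostnames, certificate paths and backend ports are assumptions (Certbot normally writes certificates under /etc/letsencrypt/live/<name>/). The reason the original mismatch appeared is that when a client's SNI name matches no server_name, nginx answers with the default server's certificate for that port (the first listed one unless default_server is set), so the browser sees a certificate for the wrong host.

```nginx
# Added example (not the original poster's config): two HTTPS sites sharing
# port 443 on one IP, selected by SNI. Names, paths and ports are assumed.

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name app.example.com;          # SNI name this block answers for

    ssl_certificate     /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8081; # assumed local backend for the app
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name api.example.com;

    ssl_certificate     /etc/letsencrypt/live/api.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.example.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8082; # assumed local backend for the API
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Explicit default for port 443: a request whose SNI matches neither name above
# gets the handshake refused instead of silently receiving another site's cert.
# ssl_reject_handshake requires nginx 1.19.4 or newer.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}
```

After `nginx -t` and a reload, each name can be checked independently with `openssl s_client -connect <server-ip>:443 -servername app.example.com` (and again with api.example.com); the subject of the certificate printed should match the -servername value in each case. Omitting -servername reproduces the no-SNI path and shows what the default server hands out.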
I have subdomains for each of the applications but was not aware that they could share the same port numbers. I will look into this further. Could you recommend some resources where I can learn more about this topic? Thank you for your support.
1 Like
Sorry I'm not an nginx admin but I would start by creating two test sites on one nginx server and giving them different subdomains (or endpoints) and trying out that configuration away from the complication of the rest of your app.
You should also look at other web servers like Caddy in case you find them easier to administer. Often learning to do the same thing in two or three different tools is a good way to get a more general understanding, so you can see the common ground between different tools.
4 Likes
Thank you for your suggestion! @webprofusion, I will definitely look into Caddy.
Thanks again for your help!
4 Likes