How to hide/delete No SNI Certificate in Nginx?

Arturo · May 31, 2018, 1:44pm

I have 2 domains hi.com and hello.com using one IP 234.235.236.237

If I check domain hi.com in ssllabs.com I see 1 certificate, nice.

But, if I check domain hello.com in ssllabs.com I see 2 certificate:

Certificate #1: EC 256 bits (SHA256withRSA)
SCR: https://i.stack.imgur.com/EM7tz.png

Certificate #2: EC 256 bits (SHA256withRSA)

If I add to Nginx, hi.com and hello.com not work.

server {
    listen 443 default_server ssl;
    listen [::]:443 default_server ssl;
    server_name _;
    return 444;
}

How to disable or delete Certificate #2 No SNI?

sahsanu · May 31, 2018, 2:16pm

Hi @Arturo,

If you want to use a ssl server block you need to specify a cert and a private key, you could create a self-signed certificate and use it as your default server so No SNI connections will reach this fake cert… or you can use the approach you are already using right now (with your real domain names oxxxxxx.club and kxxxxx.club) and it is use different ips for each domain.

Cheers,
sahsanu

tob · May 31, 2018, 2:23pm

I use haproxy as “SNI-Router”, to decide which connection goes to which service. Simply define no default, then a non-SNI-connection will be dropped without presenting a certificate.

Arturo · May 31, 2018, 3:58pm

Hi @sahsanu, thanks for the answer.

Oh, you see real domains =)

Arturo · May 31, 2018, 4:11pm

Now my 2 domains have Certificate #2: RSA 2048 bits (SHA256withRSA) No SNI

It`s normal?

stevenzhu · May 31, 2018, 4:24pm

Hi,

If you want more people to help you… You would need to share us your real domain name since we can’t help if we know nothing about this server specific error.

Thank you

Arturo · May 31, 2018, 4:29pm

Hi @stevenzhu, my main Certificate #1 letsencrypt nice work.

This is fake cert.
~# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=example.com"

server {
    listen 443 default_server;
    listen [::]:443 default_server;
    server_name _;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    return 444;
}

Is it okay to use such a certificate?

tdelmas · May 31, 2018, 8:22pm

As your server returns an error 444

return 444;

It doesn't really matter if the certificate is valid or not.

The "No SNI" case it only for old Browsers who doesn't use the SNI mecanism.

If you want to block these browsers, it's fine.

If you prefer to allow them, you should present a valid certificate (and if possible the one of your most visited domain) :

if the browser wanted to visits a domain present in the certificate, it will works
if the browser wanted to visits another domain of your server, he will encounter a (probably by-passable error), as with many other websites.

According to Can I use... Support tables for HTML5, CSS3, etc 97.4% of visitors have Browsers with SNI support.

stevenzhu · May 31, 2018, 8:27pm

Normally only XP (and below), Android 4.2?( And below), iPhone (some version) has no SNI support.

So that seems to be a minor impact for me... (Since Major websites won't allow you to use with XP now...)

Thank you

rg305 · June 1, 2018, 12:08am

If you have multiple IPs, then one IP per site would work best.
Otherwise…
If your directories were structured with all customer sites being subfolders to a common branch…
Like:
/provider/
/provider/company1.site
/provider/company2.site
(or you could do some aliasing within the vhost configs - but that would overcomplicate this example)

You could setup your vhost configs:

---
servername IP
serveralias _default_ #use appropriate default equivalent string
documentroot /provider/
sslcertificatefile /etc/letsencrypt/live/SAN/cert.pem #SAN would include all the names
---
servername provider
documentroot /provider/
sslcertificatefile /etc/letsencrypt/live/provider/cert.pem
---
servername company1.site
documentroot /provider/company1.site/
sslcertificatefile /etc/letsencrypt/live/company1.site/cert.pem
---
servername company2.site
documentroot /provider/company2.site/
sslcertificatefile /etc/letsencrypt/live/company2.site/cert.pem
---

So that:

http://IP/ or http://provider/
shows content at: /provider/

http://company1.site/ or http://provider/company1.site/ or http://IP/company1.site/
shows content at: /provider/company1.site/

http://company2.site/ or http://provider/company2.site/ or http://IP/company2.site/
shows content at: /provider/company2.site/

system · July 1, 2018, 12:08am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Https without SNI Feature Requests	7	5784	July 6, 2017
Several subdomains (and domains) on same IP Server	3	3562	August 19, 2018
Second certificate in SSL Test and no SNI support Help	4	4508	April 4, 2020
[Solved] Subdomains showing No SNI - all but one, the missmatched one Help	3	2222	May 11, 2018
Why have I a secondary certificate? Help	5	674	November 3, 2020

How to hide/delete No SNI Certificate in Nginx?

Related topics