Several subdomains (and domains) on same IP

Hello!

I’m the owner of a personal home server (as a hobby), I host a webserver (nginx) on a Raspberry Pi running Raspbian, on a single static IP. Its domains and subdomains are private so let’s say they’re (intentionally bogus domain names):

mydomain.eu with subdomains:

  • abc.mydomain.eu (has a certificate)
  • jkl.mydomain.eu (no certificate, doesn’t need one)
  • xyz.mydomain.eu (has a certificate)
  • www.a-landing-page.fr (no certificate, doesn’t need one)

For some of those, abc.mydomain.eu and xyz.mydomain.eu, I’ve obtained separate Let’s Encrypt certificates (as indicated) and Certbot configured them accordingly to enable SSL connections. So far the websites are working flawlessly in https, and http redirects to https, which is perfect. Renewing certificates also works quite well.

Whenever I go to www.a-landing-page.fr (which does not have an SSL certificate and does not need one), the website loads fine. However if I change http to https, it says:

www.a-landing-page.fr uses an invalid security certificate. The certificate is only valid for xyz.mydomain.eu

For testing purposes, if I stop serving xyz.mydomain.eu, going to that certificate-less subdomain in https again still errors, but with the abc.mydomain.eu certificate instead. So apparently, forcing an http-only subdomain or domain to load with https makes it fetch a certificate of another subdomain, which obviously errors. I wish to fix that.

I feel something is loose: a service isn’t telling which subdomain is using which certificate and restricting it to that subdomain only, not to all sites on my IP. Someone told me I have to make a SNI declaration. I searched for it, as well as here on the forums, but all of the results are way above my understanding, to the point that I don’t even know if some posts mentioning it have the same problem as mine, and I don’t know how to make such a declaration.

Can you please point me in the right direction?
Thanks

Hi @nullify

You may have one or more https services (port 443); one of these is the default https service.

If you call https://www.a-landing-page.fr/ then this https-service is used. But the certificate is wrong.

So you can

You may also create an http host which uses port 443 and www.a-landing-page.fr and redirect that to your standard port 80. But this is not really good.

1 Like

What you want is for the server to have strict SNI processing: when the server encounters an HTTPS connection for a domain without a configured certificate, it should abort the connection (rather than offering an unrelated certificate).

For example, haproxy and Cloudflare sport this behavior. It's not available in Apache and nginx.

You could stick haproxy in front of nginx and handle SSL there, but it's kind of painful having to stack web servers like that just to get this "feature".

The alternative is to have a "fallback" HTTPS virtual host that has a nondescript self-signed certificate that will pick up the requests that can't otherwise be mapped to real certificates:

server {
  # Catch-all for HTTPS requests whose SNI name matches no other server block;
  # 'ssl' is required on the listen line for nginx to terminate TLS here.
  listen 443 ssl default_server;
  server_name _;
  # Nondescript self-signed certificate: browsers will warn, which is the intent.
  ssl_certificate /path/to/self/signed/certificate.crt;
  ssl_certificate_key /path/to/self/signed/certificate.key;
  return 403;
}

Nowhere near as good as strict SNI, but there you have it.

If I were you, I'd just use a Let's Encrypt certificate anyway (even if not needed). It is the best way to avoid potential errors.

2 Likes
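As an added illustration (not code from any poster in this thread), the Python below models how nginx picks a port-443 server block for a TLS handshake, reproducing why an https request for www.a-landing-page.fr receives another site's certificate and what the fallback default_server block from the answer above changes. The block order and names are constructed assumptions.

```python
"""Model of nginx's port-443 server block selection for a given SNI name.
Reproduces the symptom in this thread and the effect of a fallback block.
Names and config order are constructed, not taken from a real host."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ServerBlock:
    names: List[str]             # server_name entries of the block
    cert_subject: Optional[str]  # hostname the block's certificate is issued for
    default: bool = False        # listen 443 ssl default_server
    action: str = "serve"        # what the block does once selected


def select_block(blocks: List[ServerBlock], sni: str) -> ServerBlock:
    """Simplified nginx name matching: exact server_name, then a wildcard
    server_name, then the block marked default_server, else the first block
    defined on the port (nginx's implicit default)."""
    for b in blocks:
        if sni in b.names:
            return b
    for b in blocks:
        if any(n.startswith("*.") and sni.endswith(n[1:]) for n in b.names):
            return b
    for b in blocks:
        if b.default:
            return b
    return blocks[0]


def certificate_offered(blocks: List[ServerBlock], sni: str) -> Optional[str]:
    """Subject of the certificate the client would be shown for this SNI."""
    return select_block(blocks, sni).cert_subject


# Constructed port-443 layout matching the thread: only abc and xyz have TLS
# blocks; jkl and www.a-landing-page.fr exist only on port 80. xyz is listed
# first (assumption) so it becomes the implicit default, as in the question.
XYZ = ServerBlock(["xyz.mydomain.eu"], "xyz.mydomain.eu")
ABC = ServerBlock(["abc.mydomain.eu"], "abc.mydomain.eu")
# The fallback block from the answer above: catch-all name, self-signed cert, 403.
FALLBACK = ServerBlock(["_"], "self-signed placeholder", default=True, action="403")

ORIGINAL = [XYZ, ABC]
WITH_FALLBACK = [XYZ, ABC, FALLBACK]

if __name__ == "__main__":
    for layout, label in ((ORIGINAL, "original"), (WITH_FALLBACK, "with fallback")):
        b = select_block(layout, "www.a-landing-page.fr")
        print(f"{label}: certificate for {b.cert_subject!r}, action {b.action}")
```

Removing XYZ from ORIGINAL makes ABC the implicit default, which is exactly the change the original poster observed when stopping xyz.mydomain.eu.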
