You need to turn off SNI

Please fill out the fields below so we can help you better.

My domain is: https://sotik24.ru/

My hosting provider, if applicable, is: Timeweb.com/ru

Hello. To connect our payment gateway, we need to disable SNI. This is a requirement from the Yandex offices.

Hi @dwarfc,

SNI has been an Internet standard since 2003 and is supported by a very wide range of software. It is not very responsible of a payment gateway to refuse to support it. They have had 14 years to implement this Internet standard in their software.

However, nobody can force people to follow technology standards, so the payment gateway can do whatever they want in this case.

In order to turn off SNI, or probably more accurately to support connections without SNI, you need a dedicated IP address on your server. (What SNI does is support the case where multiple domain names are hosted on the same IP address, so in order to work without SNI, you need 1 IP address per domain name.) This could be arranged by your hosting provider, but they might charge you extra for this service because they may have a limited number of IP addresses themselves.

Usually if you have a dedicated IP address where your domain is the only one hosted, the web server will then work correctly when it receives an incoming request without SNI information. (We often say that it will fall back to the default virtual host… which on a server with a dedicated IP address should just be your site rather than someone else’s site.)

Edit: Another option is to get a much larger certificate that includes all of the domains that are hosted on that IP address directly in the certificate as subject alternative names (SANs). Let’s Encrypt supports this natively, and allows up to 100 SANs in a single certificate. These can list up to 100 domain names that are hosted on that machine. This will be accepted even by a client that does not use SNI. But if you do share the same IP address with sites that are operated by other people, the hosting provider would still need to arrange for this and coordinate it because all of the sites that are hosted on that machine would potentially need to be listed in that large certificate.


Made a dedicated IP address.

Did that solution work OK for the payment gateway?

If you want, we can try to find someone who speaks Russian to try to convince the payment gateway that it should not have this kind of requirement anymore in 2017, at least by writing a letter.

The test payment was sent, seems to work!

Here’s the email, payment gateway Yandex Kassa - merchants@money.yandex.ru

Hi @dwarfc,

I don't believe what you require is possible. You are using a shared hosting provider (timeweb.ru).

As such, the provider owns your IPs (92.53.96.113 and 2a03:6f00:1:0:0:0:5c35:6071).

The only way the provider can share this IP among multiple clients is using SNI.

https://www.ssllabs.com/ssltest/analyze.html?d=sotik24.ru&s=92.53.96.113&hideResults=on

So if you go to 92.53.96.113 you will get the message below. You cannot change this, as the provider owns the IP. If you need to own the IP, you will need to get a dedicated VPS rather than shared hosting.

The reason you cannot turn SNI on or off is because you are using a shared service and the provider owns this functionality.

If your provider is using HTTPS but not using SNI, they will get certificate errors, as the certificate served up for non-SNI requests will be incorrect (your hoster's certificate).

Almost every modern programming URL library supports SNI by default, so it's more up to your payment gateway to code this correctly.

For example: connecting using openssl

OpenSSL with SNI and IP - correct certificate

OpenSSL without SNI and IP - timeweb certificate

Andrei

Hi, now the IP address has changed to 176.57.221.94.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.