Wednesday, August 31, 2022

Re: httpd multiple site same address and port TLS issue

On 2022-08-31 05:54, George wrote:
> On 2022-08-29 05:50, Stuart Henderson wrote:
>> On 2022-08-29, George <g.lister@nodeunit.com> wrote:
>>> I wish to run multiple sites from the same IP and use different TLS
>>> certs for each.
>> ..
>>> Problem is I get the certificate for the first declared
>>> server each time unless I change the IP or port.
>> How are you testing? If you're using openssl s_client you need the
>> -servername option (though nc -vc is probably more convenient).
>
> I am using a web browser and can view the cert and the corresponding
> error message.
>
> netcat would be a good option too so thanks for the hint.
>
>
>>
I am a much less advanced user and use simple tools like curl to
troubleshoot such issues.

For example:

curl -vkI https://example01.com --connect-to example01.com:443:203.0.113.81:443

This usually tells me everything I need to know about what a client sees.

For httpd.conf, I am running the following configuration on one server:

ext_ip="203.0.113.12"

server "203.0.113.12" {
	listen on $ext_ip port 80
	listen on $ext_ip tls port 443
	tls {
		certificate "/etc/ssl/self-signed.crt"
		key "/etc/ssl/private/self.key"
	}
	no log
	tcp no sack
	block drop
}

server "subdomain.example.com" {
	listen on $ext_ip port 80
	listen on $ext_ip tls port 443
	tls {
		certificate "/etc/ssl/subdomain.example.com.crt"
		key "/etc/ssl/private/subdomain.example.com.key"
	}
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
	location "/" { pass }
	location "/bgplg/*" { block drop }
	location not found "/*" { block drop }
	log style combined
	tcp { backlog 128, no sack }
}


Requests for hostname subdomain.example.com are served the signed
certificate, and all other hostnames requested are served the
self-signed cert (and are dropped). This is verified with the curl
command above (the drop happens after cert negotiation).

I am not sure why using a different server name or CA-signed cert would
change the output.

Paul
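Added example, not part of Paul's message and not httpd's own tooling: a small POSIX sh script that does by hand what the curl --connect-to and openssl s_client -servername checks in this thread do, then goes one step further and tests whether the certificate the server returned for a given SNI name actually lists that name in its subjectAltName (exact match, or a wildcard covering one leftmost label). The function names san_matches and sni_probe, and the IP, port and hostnames in the usage line, are placeholders chosen here.

```shell
#!/bin/sh
# Added example: probe which certificate a TLS server hands back for a given
# SNI name, and check whether that certificate actually covers the name.
# Function names, addresses and hostnames here are placeholders.

# san_matches HOSTNAME SAN_TEXT
#   SAN_TEXT is the subjectAltName line as 'openssl x509 -text' prints it,
#   e.g. 'DNS:www.example.com, DNS:*.example.org, IP Address:203.0.113.12'.
#   Returns 0 if a DNS entry covers HOSTNAME: an exact match, or a wildcard
#   standing for exactly one non-empty leftmost label. Returns 1 otherwise.
san_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=${host%.}                          # tolerate a trailing dot
    sans=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    # split on commas only; disable globbing so 'DNS:*.example.org' stays literal
    old_ifs=$IFS; set -f; IFS=','; set -- $sans; IFS=$old_ifs; set +f
    for entry in "$@"; do
        entry=${entry# }                    # drop the space after each comma
        case "$entry" in
            dns:*) name=${entry#dns:} ;;
            *)     continue ;;              # IP Address:, email:, URI: never match a hostname
        esac
        if [ "$name" = "$host" ]; then
            return 0
        fi
        case "$name" in
            \*.*)
                suffix=${name#\*}           # '*.example.org' -> '.example.org'
                label=${host%"$suffix"}     # what the wildcard would have to stand for
                # host must really end in the suffix, and the wildcard covers one
                # non-empty label: '*.example.org' matches foo.example.org,
                # but neither example.org nor a.b.example.org
                if [ "$label" != "$host" ] && [ -n "$label" ]; then
                    case "$label" in
                        *.*) ;;
                        *)   return 0 ;;
                    esac
                fi
                ;;
        esac
    done
    return 1
}

# sni_probe IP PORT SNI_NAME
#   Connects to IP:PORT while announcing SNI_NAME in the ClientHello (what
#   curl --connect-to does for the URL host), prints the subject and SAN of the
#   certificate that comes back, and reports whether it covers SNI_NAME.
#   For an IPv6 address pass it in brackets, e.g. '[2001:db8::1]'.
sni_probe() {
    pem=$(openssl s_client -servername "$3" -connect "$1:$2" </dev/null 2>/dev/null \
          | openssl x509) || { echo "no certificate from $1:$2 for $3" >&2; return 2; }
    printf '%s\n' "$pem" | openssl x509 -noout -subject
    san=$(printf '%s\n' "$pem" | openssl x509 -noout -text \
          | sed -n '/Subject Alternative Name/{n;s/^[[:space:]]*//;p;}')
    printf 'SAN: %s\n' "${san:-(none)}"
    if san_matches "$3" "$san"; then
        printf 'OK: certificate covers %s\n' "$3"
    else
        printf 'MISMATCH: certificate does not cover %s\n' "$3"
        return 1
    fi
}

# Usage (placeholder address and name): sni_probe 203.0.113.12 443 subdomain.example.com
if [ "$#" -ge 3 ]; then
    sni_probe "$1" "$2" "$3"
fi
```

Run it once per vhost name against the listening IP; the self-signed fallback in the setup above shows up as a MISMATCH for any name other than subdomain.example.com, which is the expected result there, while a MISMATCH for the name you did configure means SNI is not selecting the server block you think it is.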
