
I've been running two domains on one IP for years using SSL. One is example.com and the other is other.com. example.com has three names with its SSL cert; example.com, www.example.com and dev.example.com. other.com has other.com and www.other.com.

For the first time, I started up dev.example.com by just copying the nginx config for example.com like so:

```nginx
server {
    listen 80;
    server_name example.com www.example.com dev.example.com;
    root /var/empty;
    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name  dev.example.com;
    root /home/dev;
    index index.html;
    charset utf-8;

    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options DENY;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Xss-Protection "1; mode=block" always;

    ssl on;
    ssl_stapling on;
    ssl_stapling_verify on;

    ssl_prefer_server_ciphers on;
    ssl_ciphers ...
...
}

server {
    listen 443 ssl http2;
    server_name  example.com www.example.com;
    root /home/example;
    index index.html;
    charset utf-8;

    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options DENY;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Xss-Protection "1; mode=block" always;

    ssl on;
    ssl_stapling on;
    ssl_stapling_verify on;

    ssl_prefer_server_ciphers on;
    ssl_ciphers ...
...
}
```

Having done that, I can now access all three variations of example.com. However, none of other.com are accessible in that I get a (paraphrased):

SSL_protocol_error

and

This site is not serving securely

in Chrome while Firefox redirects to Google (my default home page).

The config for other.com is identical to example.com except for the dev subdomain. I did not set any location blocks for dev.example.com. The rest of the config file only contains ssl cert pointers and location blocks.

So I'm a bit confused as to why the dev subdomain took down other.com.

Rob
  • Double check server name spelling – Alexey Ten May 29 '16 at 18:33
  • Your configuration seems good with what you said. It would be easier for us to help you if you show the complete configuration of your `other.com` & `example.com` VHOSTs (hiding url & path of course), in order to determine the problem. Can you also try to execute `nginx -t` and see what it tells you please? – Julqas May 30 '16 at 11:10
  • @Julqas `nginx -t` gives no errors. The config is identical for all the sites. – Rob May 30 '16 at 15:43
  • Make sure the SSL cert CN or SAN match your domain(s). If you want a single cert to support all the domains you listed, it'll need to be a wild card cert. http://stackoverflow.com/questions/5935369/ssl-how-do-common-names-cn-and-subject-alternative-names-san-work-together – Paul May 30 '16 at 15:52
  • @Paul The certs are not the issue. Each domain has its own cert and works just fine. However, now that you mention it, example.com is the only one using a letsencrypt cert while the others are Comodo. I wonder if that can be an issue. – Rob May 30 '16 at 16:00

1 Answer


The solution may lie in how nginx handles the default server along with how I created the config for the sites. Doing `curl -I http://example.com` showed some erroneous redirecting that may have made nginx look for a default server which isn't the one I wanted.

My solution was to actually spell it out better for the server. I did this:

```nginx
server {
    listen 80;
    server_name dev.example.com;
    root /var/empty;
    return 301 https://dev.example.com$request_uri;
}

server {
    listen 80;
    server_name example.com www.example.com;
    root /var/empty;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name  dev.example.com;
    root /home/dev;
    ...
}

server {
    listen 443 ssl http2;
    server_name  example.com www.example.com;
    root /home/bc;
    ...
}
```
Rob
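Added example (not part of the original answer or the poster's own code): a small Python model of how nginx picks a port-80 server block and expands the `return 301` target, run over the redirect blocks from the question and from the answer. It assumes flat server blocks and exact-name matching only; the function names and the hostname `unlisted.example.org` are constructed for illustration.

```python
import re

# Constructed sample: the port-80 redirect blocks from the question and the answer.
QUESTION_CONF = """
server {
    listen 80;
    server_name example.com www.example.com dev.example.com;
    return 301 https://example.com$request_uri;
}
"""
ANSWER_CONF = """
server {
    listen 80;
    server_name dev.example.com;
    return 301 https://dev.example.com$request_uri;
}
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}
"""

def parse_servers(conf):
    """Parse flat server blocks (no nested braces) into {directive: args} dicts."""
    servers = []
    for body in re.findall(r"server\s*\{([^{}]*)\}", conf):
        stmts = (s.split() for s in body.split(";"))
        servers.append({p[0]: p[1:] for p in stmts if p})
    return servers

def select(servers, port, host):
    """Exact server_name match, else default_server, else first block on that port."""
    on_port = [s for s in servers if s["listen"][0] == port]
    for s in on_port:
        if host in s.get("server_name", []):
            return s, False
    flagged = [s for s in on_port if "default_server" in s["listen"]]
    return (flagged or on_port)[0], True

def redirect(servers, host, uri="/"):
    """Return (Location value, fell_to_default) for a port-80 request."""
    s, fallback = select(servers, "80", host)
    loc = s["return"][1]
    # $server_name is the first name in server_name, not the requested Host.
    for var, val in (("$server_name", s["server_name"][0]), ("$request_uri", uri), ("$host", host)):
        loc = loc.replace(var, val)
    return loc, fallback
```

A `True` in the second slot means the request matched no `server_name` and was answered by the default block for that port, which is the case worth checking with `curl -I` against every hostname served from the IP.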