Multiple certificates in one server block?


blason
How do I set multiple certificates (for different names) in a single server
block?
I can easily set multiple server_names but there seems no way to set
multiple certificates..
Is the only way to have all names in a single certificate? If so, is this an
nginx, an openssl or a TLS limitation?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275855,275855#msg-275855

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Re: Multiple certificates in one server block?

Jeff Dyke
I assume you have some sort of UCC certificate, if so you should be able to use it with multiple server_names, but having multiple ssl_certificates in a single server block is a limitation of nginx from what I understand. Most relevant information is here: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate, as there are too many questions regarding your certs, if you use SNI etc.

HTH

Re: Multiple certificates in one server block?

blason
I'm using letsencrypt and have multiple certs with a single name in them..
If I had one cert with multiple names we'd not be having this problem.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275855,275858#msg-275858

Re: Multiple certificates in one server block?

Jim Ohlstein-3
Hello,

On 08/04/2017 09:36 AM, Olaf van der Spek wrote:
> I'm using letsencrypt and have multiple certs with a single name in them..
> If I had one cert with multiple names we'd not be having this problem.
>

Letsencrypt allows multiple domain names in the same certificate.

As for nginx, it allows multiple certificate definitions if say you have
both an ECDSA certificate and a RSA certificate. The only time I've done
that is when the domain names matched in the two.

--
Jim Ohlstein
Professional Mailman Hosting
https://mailman-hosting.com


Re: Multiple certificates in one server block?

Jeff Dyke
Jim is correct, letsencrypt supports that ....wow, sorry for trying to help, that was a bit caustic, that information would be helpful in the original question.  Enjoy the weekend.

Re: Multiple certificates in one server block?

blason
In reply to this post by Jim Ohlstein-3
Jim Ohlstein Wrote:
> Letsencrypt allows multiple domain names in the same certificate.

I know, just wondering if nginx supported multiple certs per server.

My problem:
I've got multiple servers and I'd like the servers to be accessible via the
common name (ex.com) and via their dedicated name (a.ex.com, b.ex.com, etc).
How do I do this with letsencrypt?
If I use certbot the verification request might / will be served by another
host and will thus fail.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275855,275860#msg-275860

Re: Multiple certificates in one server block?

nginx mailing list
Jim already replied with his ECDSA+RSA example in a single server block.
You can also serve several names from a single server block.

However, I never tested serving a certificate for several domains all served by the same virtual server block. I *suppose* nginx might be clever enough to select the right certificate(s) to serve. Anyone to test that?
Anyway, for that to work, you will need to ensure both ends support SNI with their TLS library.
First impressions, though: it does not look like an ideal setup to me, as it most probably will end up in a spaghetti configuration nightmare. It depends, as always. A long (potentially repetitive), clear (as in 'server block-complete'), nginx configuration properly managed through configuration management tools will always appeal the most to me for debugging purposes.
---
B. R.
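
The two layouts discussed in this thread, as an added configuration sketch that is not from any poster: one server block carrying an RSA and an ECDSA certificate for the same name, and a separate server block per name so that SNI selects the block and with it the certificate. All file paths and the `snippets/site-common.conf` include are assumptions; `ex.com` and `a.ex.com` are the names used in the thread.

```nginx
# Added example; paths and the include file are placeholders (assumptions).

# Layout 1: two certificates in ONE server block.
# Since nginx 1.11.0 ssl_certificate may be repeated to load certificates of
# different key types (RSA and ECDSA). The choice between them follows what
# the client's TLS handshake supports, NOT the requested host name, so each
# certificate has to cover every name listed in server_name.
server {
    listen 443 ssl;
    server_name ex.com;

    ssl_certificate     /etc/nginx/tls/ex.com.rsa.crt;
    ssl_certificate_key /etc/nginx/tls/ex.com.rsa.key;
    ssl_certificate     /etc/nginx/tls/ex.com.ecdsa.crt;
    ssl_certificate_key /etc/nginx/tls/ex.com.ecdsa.key;

    # Shared locations, headers, proxy settings live in one file so the
    # per-name blocks stay short and identical in behaviour.
    include snippets/site-common.conf;
}

# Layout 2: one server block PER NAME, each with its own single-name
# certificate. The client's SNI value picks the server block, and the
# block's certificate is the one presented.
server {
    listen 443 ssl;
    server_name a.ex.com;

    ssl_certificate     /etc/nginx/tls/a.ex.com.crt;
    ssl_certificate_key /etc/nginx/tls/a.ex.com.key;

    include snippets/site-common.conf;
}
```

Clients that send no SNI are handled by the default server for the listen socket and receive that block's certificate, whichever name they intended.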