You haven't posted a dmesg. I looked recently into this and as far as I understand the situation, using multiple TLS certificates on the same IP won't work unless httpd uses the SNI TLS extension. That isn't the case with the version of httpd shipped with OpenBSD 6.0 but should be the case with OpenBSD-current.

2017-01-14 9:40 GMT+01:00 Olivier <[email protected]>:
> Hello all,
>
> Sorry for the delay.
>
> Yes, I am using the "tls certificate file *option*" for both servers:
>
> (...)
> server "daenerys.burelli.fr" {
>     listen on $ext_addr port 80
>     block return 301 "https://$SERVER_NAME$REQUEST_URI"
> }
> server "daenerys.burelli.fr" {
>     listen on $ext_addr tls port 443
>     root "/htdocs/default"
>     log style combined
>     hsts
>     tls {
>         certificate "/etc/ssl/daenerys.burelli.fr.crt"
>         key "/etc/ssl/private/daenerys.burelli.fr.key"
>     }
> (...)
> server "cloud.burelli.fr" {
>     listen on $ext_addr port 80
>     block return 301 "https://cloud.burelli.fr:444/$REQUEST_URI"
> }
> server "cloud.burelli.fr" {
>     listen on $ext_addr tls port 444
>     root "/htdocs/nextcloud"
>     directory index index.php
>     hsts
>     tls {
>         certificate "/etc/ssl/cloud.burelli.fr.crt"
>         key "/etc/ssl/private/cloud.burelli.fr.key"
>
>     }
>
> (...)
>
>
> In fact, I understand here that httpd is listening on TCP port 80 for each
> website.
>
> httpd splits requests from each server based on $SERVER_NAME to call the correct pages
> for each $SERVER_NAME website.
>
> I would like to know if it is possible to redirect requests on TCP port 80, URI
> based on $SERVER_NAME, to each https server on a different port (443 & 444,
> depending on $SERVER_NAME).
>
> If yes, what is the best way?
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On behalf of
> Joris Vanhecke
> Sent: Thursday, December 29, 2016 11:48 PM
> To: [email protected]
> Subject: Re: [httpd] Multiple HTPS servers & redirection
>
> On Sun, 25 Dec 2016, at 12:24 PM, Olivier wrote:
>> Hello all,
>>
>> I would like to know what is the best practice to manage multiple
>> https servers with httpd. I installed 2 certificates for both hostnames
>> below:
>>
>> _ daenerys.burelli.fr
>> _ cloud.burelli.fr
>>
>> I would like to redirect all requests for:
>>
>> _ http://daenerys.burelli.fr to https://cloud.burelli.fr → OK
>> _ http://cloud.burelli.fr to https://cloud.burelli.fr:444 →
>> KO - however the certificate is ok when I try to reach directly
>> https://cloud.burelli.fr:444
>>
>> I would like to avoid obtaining the following message for the second
>> https
>> server: SSL_ERROR_BAD_CERT_DOMAIN (The certificate is only valid for
>> the following names: daenerys.burelli.fr, www.daenerys.burelli.fr)
>>
>> Part of my httpd.conf:
>>
>> server "daenerys.burelli.fr" {
>>     listen on $ext_addr port 80
>>     block return 301 "https://$SERVER_NAME$REQUEST_URI"
>> }
>>
>> server "daenerys.burelli.fr" {
>>     alias "www.burelli.fr"
>>     listen on $ext_addr tls port 443
>>     (…)
>> }
>>
>> server "cloud.burelli.fr" {
>>     listen on $ext_addr port 80
>>     block return 301 "https://cloud.burelli.fr:444/$REQUEST_URI"
>> }
>>
>> server "cloud.burelli.fr" {
>>     listen on $ext_addr tls port 444
>>     (…)
>> }
>>
>> I tried also with: block return 301
>> https://$SERVER_NAME:444$REQUEST_URI
>> or
>> block return 301 https://cloud.burelli.fr:444$REQUEST_URI
>>
>> What is the right way to rewrite the URL?
>>
>> Thanks in advance for your help and support.
>>
>> Olivier.
>>
>
> Seems like httpd is using the first cert for both domains.
> Are you using the "tls certificate *file*" option?
>

--
Regards,
Coues Ludovic
+336 148 743 42
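
Added example, not part of the original thread: a small Python check that reproduces the name comparison behind SSL_ERROR_BAD_CERT_DOMAIN and can show which certificate a given address, port and SNI name combination actually serves. The function names and the `SAMPLE_CERT` value are constructed for illustration; `presented_cert()` assumes the server's chain validates against the system trust store.

```python
import socket
import ssl

def san_dns_names(cert):
    """DNS names from a dict shaped like ssl.SSLSocket.getpeercert()."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(hostname, pattern):
    """Compare one hostname with one certificate name (left-most '*' label only)."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # A wildcard covers exactly one label and is refused directly under a TLD.
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def cert_covers(hostname, cert):
    return any(name_matches(hostname, n) for n in san_dns_names(cert))

def presented_cert(addr, port, sni, timeout=5.0):
    """Connect to addr:port, send `sni` in the ClientHello, return the peer certificate.
    The chain is validated; the name check is left to cert_covers()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((addr, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()

# Constructed sample: the names listed in the error message quoted in the thread.
SAMPLE_CERT = {"subjectAltName": (("DNS", "daenerys.burelli.fr"),
                                  ("DNS", "www.daenerys.burelli.fr"))}

def audit(cert, hostnames):
    """Map each hostname to whether the certificate covers it."""
    return {h: cert_covers(h, cert) for h in hostnames}

if __name__ == "__main__":
    hosts = ["daenerys.burelli.fr", "cloud.burelli.fr"]
    for host, ok in audit(SAMPLE_CERT, hosts).items():
        print(f"{host}: {'covered' if ok else 'NOT covered'}")
```

Calling `cert_covers(name, presented_cert(addr, port, name))` for each name and each TLS port shows whether the listener answering on that port returns the certificate intended for that name.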

