I have several domains, all of which are served by the same NGINX instance. I am trying to set up a generic server configuration for HTTPS, such that every domain uses its own certificate and has SSL stapling enabled. These settings, as defined in default.conf, are as follows:
server {
    listen 443 default_server ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /ssl/chain.pem;
    ssl_certificate /ssl/$ssl_server_name/fullchain.pem;
    ssl_certificate_key /ssl/$ssl_server_name/privkey.pem;
}
Every domain has a server block assigned to it in a separate configuration file, inheriting the SSL settings defined above. For example, example.conf would say:
server {
    listen 443 ssl;
    server_name example.com;
    location / {
        return 200 "Hello, world!";
    }
}
Unfortunately, this does not work. With this configuration, running openssl s_client -connect example.com:443 -status results in a message saying OCSP response: no response sent.
Interestingly, when I change the configuration to not use $ssl_server_name but one of the domain names (let's say example.com, see snippet below), I do receive a proper OCSP response for that specific domain. As expected, this fails for the other domains since the wrong certificate is provided.
server {
    ...
    ssl_certificate /ssl/example.com/fullchain.pem;
    ssl_certificate_key /ssl/example.com/privkey.pem;
    ...
}
This is no solution for me, of course, because it still requires me to specify each certificate per domain.
Questions

- Is it possible to combine the usage of $ssl_server_name and SSL stapling and, if so, how?
- Is the behaviour of NGINX as I have described it expected/documented?
- Are there any issues with the configuration presented here that might cause trouble?
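The probe in the question is the right check, but it is worth running it per virtual host with an explicit SNI name. openssl s_client before 1.1.1 sends no SNI unless -servername is given, and without SNI nginx answers from the default_server block, so a result from the bare command can describe a different server block than the one being debugged. The script below is an added example, not code from the original post or from nginx: it wraps the same openssl s_client -status probe, passes -servername, and classifies the output the way the question does (a stapled response versus "no response sent"). The host names and the abbreviated s_client transcripts used for the offline self-check are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the original post): probe each virtual host
# for a stapled OCSP response using `openssl s_client -status` with an
# explicit -servername, so the intended server block is exercised.

# Classify captured s_client output. Prints one word: stapled, none or unknown.
# Always returns 0 so it can be used inside command substitutions under set -e.
classify_ocsp_output() {
    case "$1" in
        *"OCSP Response Status: successful"*) echo stapled ;;
        *"OCSP response: no response sent"*)  echo none ;;
        *)                                    echo unknown ;;
    esac
}

# Succeed (return 0) only if the output carries a successfully stapled response.
is_stapled() {
    [ "$(classify_ocsp_output "$1")" = stapled ]
}

# Probe $1 (host or host:port, port defaults to 443) with SNI name $2
# (defaults to the host part). Prints the verdict; returns 0 only if stapled.
probe_stapling() {
    target="$1"; sni="${2:-${1%%:*}}"
    case "$target" in *:*) ;; *) target="$target:443" ;; esac
    # 'Q' on stdin closes the session as soon as the handshake is complete.
    out=$(printf 'Q\n' | openssl s_client -connect "$target" -servername "$sni" -status 2>/dev/null)
    printf '%-30s %s\n' "$sni" "$(classify_ocsp_output "$out")"
    is_stapled "$out"
}

# Probe every name given on the command line; exit non-zero if any lacks stapling.
probe_all() {
    rc=0
    for name in "$@"; do
        probe_stapling "$name" || rc=1
    done
    return $rc
}

# Constructed, abbreviated s_client transcripts for an offline self-check.
# (Real output is longer; only the OCSP lines matter to the classifier.)
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
======================================
---
Certificate chain
 0 s:CN = example.com'

SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
 0 s:CN = example.com'

# Offline self-check of the classifier; returns 0 when all samples are classified correctly.
selftest() {
    [ "$(classify_ocsp_output "$SAMPLE_STAPLED")" = stapled ] &&
    [ "$(classify_ocsp_output "$SAMPLE_NONE")" = none ] &&
    [ "$(classify_ocsp_output 'garbage')" = unknown ]
}

# Usage: sh check_stapling.sh example.com example.org   (needs network access)
#        sh check_stapling.sh --selftest                 (offline)
if [ "${1:-}" = --selftest ]; then
    selftest && echo "selftest ok"
elif [ "$#" -gt 0 ]; then
    probe_all "$@"
fi
```

Run it once per domain served by the instance; a domain reported as "none" while another on the same nginx reports "stapled" isolates the difference to that server block's certificate handling rather than to the OCSP responder or the network path.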