prevent mixing multiple nginx vhost domain-names into one certificate

[Alpini1980]

Hello,

I have set up the acme companion with multiple nginx-vhosts in the following way:

docker nginx-reverseproxy
docker nginx-acme-companion
-vhost1 (company.com,www.company.com)
-vhost2 (customer1.company.com)
-vhost3 (customer2.company.com)
-default-vhost (maintenance.company.com, company.com, www.company.com, customer1.company.com, customer2.company.com)

The domain-names above in () are set up as LETSENCRYPT_HOST and VIRTUAL_HOST in the docker-compose.yaml files of the corresponding vhost's.

When vhost1, vhost2 or vhost3 is down the default-vhost is answering the request for all domains/subdomains in case of maintenance and it's certificate contains all domains/subdomains (maintenance.company.com, company.com, www.company.com, customer1.company.com, customer2.company.com) as subject alternative names which is OK in this case.

Now the problem:

If all the vhost1, vhost2, vhost3 are all up and running I get strange results in the certificate's "subject alternative name" when accessing one of the sites. For the following domain names I get these subject alternative names in the delivered certificate:

company.com: maintenance.company.com, company.com, www.company.com, customer1.company.com, customer2.company.com

customer1.company.com: maintenance.company.com, company.com ,www.company.com, customer1.company.com, customer2.company.com

customer2.company.com: customer2.company.com

The only vhost which is behaving as expected is customer2.company.com. This vhost is a copy of customer1.company.com with just the LETSENCRYPT_HOST and VIRTUAL_HOST variables changed but it strangely behaves differently.

Does anyone have an idea why my vhosts1, vhost2 are delivering the domain names of all other vhosts. My wanted behavior would be that they one send the domain names which are set up in the LETSENCRYPT_HOST. Is it maybe a bad idea to use domain names twice for different vhosts? I have set them up in the regular vhost and also in the maintenance vhost which basically works except the weird behavior in some of the normal vhosts.

Regards, Stefan

[Alpini1980]

I investigated the problem a little bit deeper and think it is releated to the fact that I issued the domain names to two vhosts and the order in which nginx selects the certs. The start order of the docker containers (vhosts) seems to have no influence but because maintenance.company.com is in the cert-name of vhost1 and vhost2 it is clear that nginx chose the wrong certifiate.

If nginx finds several certificates for the DNS-name in the request and one of these certs is also used for the default vhost this one should have the lowest priority. But I don't know if such a behavior can be achieved with nginx?

Wishing you all a merry Christmas, Stefan

[buchdag]

Hi Stefan.

When you're configuring a container with LETSENCRYPT_HOST=domain.com,foo.domain.com,bar.domain.com, this is happening behind the scene:

• the container request a certificate for domain.com with Subject Alternative Name foo.domain.com and bar.domain.com
• the certificate, full chain and private key are copied into /etc/nginx/certs/domain.com
• the container creates symlinks to this certificate and private key into /etc/nginx/certs for each request domain, so in this case you'll have (for the certificates only)
  /etc/nginx/certs/domain.com.crt -> /etc/nginx/certs/domain.com/fullchain.pem
/etc/nginx/certs/foo.domain.com.crt -> /etc/nginx/certs/domain.com/fullchain.pem
/etc/nginx/certs/bar.domain.com.crt -> /etc/nginx/certs/domain.com/fullchain.pem

If you then start another container with LETSENCRYPT_HOST=www.domain.com,foo.domain.com,bar.domain.com, the container will:

• request a new certificate for www.domain.com with Subject Alternative Name foo.domain.com and bar.domain.com
• copy the certificate, full chain and private key into /etc/nginx/certs/www.domain.com
• create the following symlinks
  /etc/nginx/certs/www.domain.com.crt -> /etc/nginx/certs/www.domain.com/fullchain.pem
/etc/nginx/certs/foo.domain.com.crt -> /etc/nginx/certs/www.domain.com/fullchain.pem (overwrite of previous symlink)
  /etc/nginx/certs/bar.domain.com.crt -> /etc/nginx/certs/www.domain.com/fullchain.pem (overwrite of previous symlink)

acme-companion does not really have any logic to handle same domains existing in different LETSENCRYPT_HOST, hence the overwrite you are seeing. For a given domain, whatever certificate including this domain that is generated last will be symlinked in /etc/nginx/certs and be used by nginx-proxy for this domain. Unfortunately neither acme-companion nor nginx-proxy were thought to handle this case (multiple SAN certificates with overlapping subject names) and I don't think it can be done without additional development.

[Alpini1980]

Hello Nicolas,

thank you for your answer and wishing you a happy new year.

We will look for another solution. We already tried to remove all other domain names from the default vhost and the overwrite not longer happens. But then if one of the vhosts has been shut down and the default vhost answers instead it's using the default vhosts certificate which leads to an ERR_CERT_COMMON_NAME_INVALID. Due to enabled HSTS a https connection is mandatory for all of the vhosts so we cannot leave the default vhost without https support.

Regards, Stefan