Nginx offers a wrong certificate

Whenever I check my domain via the command line
openssl s_client -connect sub.domain.tld:443 -status < /dev/null
or via https://www.ssllabs.com/ssltest/analyze.html

I will see two certificates.
This also affects openHAB, because it is listening on one specific subdomain.
All subdomains are listening on the same IP.

Let's say the certificate is issued for sub.domain.tld.
I will see that www.domain.tld answers, too.

(This could be any certificate from my nginx config, but www.domain.tld is the first one that I entered in my virtual hosts configuration.)

Chrome and any other modern browser won’t have a problem with the certificate.

I hope that someone might help me with this.

What does your nginx configuration look like? A second certificate can only be obtained if the server references it somewhere. You might have better luck on the nginx forums.

The vhost files look like this:

server {
    listen 80;
    listen [::]:80;
    server_name  sub.domain.tld;
    return 301 https://sub.domain.tld$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name  sub.domain.tld;
    include snippets/ssl-sub.domain.tld.conf;
    include snippets/ssl-params.conf;
    access_log /var/log/nginx/smarthome.log;

    location / {
        proxy_pass          http://10.0.0.2:8080;
        proxy_buffering     off;
        proxy_set_header    Host              $host;
        proxy_set_header    X-Real-IP         $remote_addr;
        proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto $scheme;
        # Either a source address in 10.0.0.0/8 or valid basic-auth credentials is enough
        satisfy any;
        allow 10.0.0.0/8;
        deny  all;
        auth_basic          "Username and Password Required";
        auth_basic_user_file /pwd/smarthome/.htpasswd;
    }
    #### When using Let's Encrypt Only ####
    location /.well-known/acme-challenge/ {
        root /var/www/nginx/sub.domain.tld;
    }
}

The cert snippet is stored in /etc/nginx/snippets, and ssl-params.conf too:

# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam_2048.pem;
#ssl_dhparam /etc/ssl/certs/dhparam_4096.pem;
ssl_ecdh_curve secp384r1;

I also tried this tutorial, because it has a few hints regarding SNI / multiple vhosts.

www.domain.tld is fine, because this is the second certificate that is sent out to every request,
but any other subdomain is not.
This affects any host configured with SSL, also foreign TLDs, for example my webmailer.

In the meantime I completely reinstalled nginx and recreated the vhost and main config.
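An added diagnostic, not from this thread: a client that sends no SNI (which is what `openssl s_client -connect host:443` does without `-servername`) is handed nginx's default server, i.e. the first `ssl` vhost loaded, so the "second certificate" seen above is expected for such clients. The script below fetches the certificate once with and once without SNI and reports whether each one actually covers the hostname; it assumes the chain validates against the system CA store and that the hostnames are placeholders.

```python
import socket
import ssl


def cert_names(cert):
    """Collect DNS names from a getpeercert() dict: SAN entries plus the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(pattern, hostname):
    """Match like a browser: a single '*' may replace only the leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(cert, hostname):
    """True if any name in the certificate is valid for hostname."""
    return any(name_matches(name, hostname) for name in cert_names(cert))


def fetch_cert(host, port=443, sni=True, timeout=5.0):
    """Return the peer certificate dict; sni=False omits the server_name extension."""
    ctx = ssl.create_default_context()  # verifies the chain against the system CA store
    ctx.check_hostname = False           # the name check is done by cert_covers() instead
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if sni else None) as tls:
            return tls.getpeercert()


def diagnose(host, port=443):
    """Does the certificate served with / without SNI cover host? (hypothetical helper)"""
    return {"sni": cert_covers(fetch_cert(host, port, sni=True), host),
            "no_sni": cert_covers(fetch_cert(host, port, sni=False), host)}


if __name__ == "__main__":
    import sys
    # Placeholder hostname; a result like {'sni': True, 'no_sni': False} means
    # only non-SNI clients get the default server's certificate.
    print(diagnose(sys.argv[1] if len(sys.argv) > 1 else "sub.domain.tld"))
```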

Just a newbie question
Hi guys, I am using this tutorial: http://docs.openhab.org/installation/security.html#nginx-domain.

I registered a free domain (openhabxyz.tk for example) on freenom.com and forwarded this domain to my internal IP: 192.168.x.x (this is the IP of my openHAB server).

Now everything works fine within the local network. I can access my openHAB web page via http://openhabxyz.tk in my web browser inside my house's wifi, but I can't do that outside the house.

Any suggestion? Please help!

You have to set up a port forwarding from internal 192.168..:8080 to 80, for instance.
It is easier to use the same port number for internal and external use.
It is not possible to assign a private IP to a public domain.
Such IP segments are:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16 (used in your scenario)

Oh, thanks for your reply…
So you mean I have to forward my router from 192.168.100.6 (my openHAB server) port 8080 to 80?
I did it with my router. On the freenom website, I changed my domain to point to my router's external IP. Now I can access my OH by typing openhabxyz.tk into the web browser outside the home network, but it doesn't require any user name and password to log in; it's just like accessing my OH from localhost:8080. Is there any problem?

p.s.: In the tutorial I created a user name and password and it was successful using the local network; everything worked as I expected.

Sorry, but I am not familiar with "freenom".
If you want to have encryption, nginx is often a good choice.
But of course, you could define a password within the *.cfg files.

Nginx: http://docs.openhab.org/installation/security.html
If you use openHAB 1, you could proceed with this guide and internal authentication: https://github.com/openhab/openhab1-addons/wiki/security

If it’s letting you connect from anywhere, it may have saved your credentials. If you’re having more problems it’d be helpful to see your nginx configuration.