grahamedgecombe / nginx-ct

Certificate Transparency module for nginx.
https://grahamedgecombe.com/projects/nginx-ct
ISC License

virtual hosts #18

Closed Night1 closed 7 years ago

Night1 commented 7 years ago

Hey, thank you for your work on this module. I've come across an issue.

I got this working on a subdomain of mine with a certificate issued for both the root and a number of subdomains. It works fine on the subdomain, but not on the root domain; both share the same SSL configuration in nginx, the only diffs are folders and proxies.

Hmm, strange: when I move the commands to enable it:

 ssl_ct on;
 ssl_ct_static_scts /etc/nginx/ssl/sct/;

to /etc/nginx/nginx.conf rather than each site in ../enabled-sites/, it works for all subdomains but not the root domain. Any idea why this is?

I have two sites enabled; both share the same certificate. One only responds to apps.mydomain.com, the other responds to www.mydomain.com and mydomain.com,

the latter of which is the only one not reporting back as working with SSL Labs like the others: "Certificate Transparency Yes (TLS extension)".
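A small checker for the .sct files that `ssl_ct_static_scts` points at, added here as an example and not part of nginx-ct itself. It assumes each file is one raw RFC 6962 v1 SignedCertificateTimestamp (the format the module serves as the TLS extension) and uses a constructed sample SCT; it also shows how the files are framed into the SignedCertificateTimestampList extension body, whose 16-bit length caps the total size.

```python
import struct
from pathlib import Path

# RFC 6962 3.2, v1 SCT layout as stored in a .sct file:
#   sct_version(1) | log_id(32) | timestamp(8, ms since epoch) |
#   extensions(2-byte length + data) | hash_alg(1) | sig_alg(1) |
#   signature(2-byte length + data)
HEADER_LEN = 1 + 32 + 8 + 2


def parse_sct(data: bytes) -> dict:
    """Parse one v1 SCT blob; raises ValueError on structural problems."""
    if len(data) < HEADER_LEN:
        raise ValueError("SCT too short")
    version = data[0]
    if version != 0:  # 0 == v1, the only version defined by RFC 6962
        raise ValueError(f"unsupported SCT version {version}")
    log_id = data[1:33]
    (timestamp_ms,) = struct.unpack(">Q", data[33:41])
    (ext_len,) = struct.unpack(">H", data[41:43])
    pos = HEADER_LEN + ext_len
    if len(data) < pos + 4:
        raise ValueError("truncated after extensions")
    hash_alg, sig_alg = data[pos], data[pos + 1]  # RFC 5246 SignatureAndHashAlgorithm
    (sig_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
    if len(data) != pos + 4 + sig_len:
        raise ValueError("signature length does not match file length")
    return {"version": version, "log_id": log_id.hex(), "timestamp_ms": timestamp_ms,
            "hash_alg": hash_alg, "sig_alg": sig_alg, "signature_len": sig_len}


def is_valid_sct(data: bytes) -> bool:
    """True if the blob parses as a well-formed v1 SCT."""
    try:
        parse_sct(data)
        return True
    except ValueError:
        return False


def build_sct_list(scts: list[bytes]) -> bytes:
    """Frame SCTs as a SignedCertificateTimestampList (the TLS extension body)."""
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    if len(body) > 0xFFFF:
        raise ValueError("too many/large SCTs for one extension")
    return struct.pack(">H", len(body)) + body


def check_sct_dir(directory: str) -> dict:
    """Map each *.sct file in the directory to its parsed fields or an error string."""
    results = {}
    for path in sorted(Path(directory).glob("*.sct")):
        try:
            results[path.name] = parse_sct(path.read_bytes())
        except ValueError as exc:
            results[path.name] = f"invalid: {exc}"
    return results


# Constructed sample: log_id 00..1f, timestamp 1500000000000 ms, no extensions,
# hash_alg 4 (sha256), sig_alg 3 (ecdsa), 4-byte dummy signature.
SAMPLE_SCT = (b"\x00" + bytes(range(32)) + struct.pack(">Q", 1500000000000)
              + b"\x00\x00" + b"\x04\x03" + b"\x00\x04" + b"\xde\xad\xbe\xef")
```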

grahamedgecombe commented 7 years ago

What version of OpenSSL/nginx are you using?

Night1 commented 7 years ago

Hey, I have two systems:

nginx version: nginx/1.11.9 built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) built with OpenSSL 1.1.0c 10 Nov 2016 TLS SNI support enabled

and

nginx version: nginx/1.11.9 built by gcc 6.2.0 20161005 (Ubuntu 6.2.0-5ubuntu12) built with OpenSSL 1.1.1-dev xx XXX xxxx TLS SNI support enabled

Night1 commented 7 years ago

There is also a bug when using TLSv1.3, the CT does not work at all.

Firefox reports 0 CT when using TLSv1.3 but does report when using TLSv1.2.

This is on the

nginx version: nginx/1.11.9 built by gcc 6.2.0 20161005 (Ubuntu 6.2.0-5ubuntu12) built with OpenSSL 1.1.1-dev xx XXX xxxx TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/usr/local/nginx/nginx.pid --with-pcre=../pcre-8.40 --with-zlib=../zlib-1.2.11 --with-http_ssl_module --with-openssl=/home/night/Downloads/openssl --with-openssl-opt=enable-tls1_3 --with-http_gzip_static_module --with-http_addition_module --with-http_dav_module --with-http_stub_status_module --with-http_sub_module --with-http_ssl_module --with-stream --with-stream_ssl_module --with-mail=dynamic --with-http_v2_module --add-dynamic-module=/opt/nginx-ct --with-mail=dynamic

grahamedgecombe commented 7 years ago

The first problem is probably the same issue as #13.

I'll take a look at the TLS 1.3 issue.

Night1 commented 7 years ago

Yeah, it does look a lot like #13, so this one can be closed, or do you want it to remain open for TLS1.3?

Since SSLLabs fails to test TLS1.3 only, Firefox does report back no CT for my domains when it is on TLS1.3.

grahamedgecombe commented 7 years ago

Closing (as it's covered by #13 and the new #21).