SSL SNI not supporting any alternative names


I am attempting to use SNI to handle 2 domains behind a single IP, but cannot get the KEMP to handle both the domain name (example.com) and the www record (www.example.com). It is only supporting the primary name on the certificate. How do I fix this?

5 comments

Barry Gleeson

Do you have multiple certs, or just one cert with a SAN?

If it is only one, it should default to the first cert in the list.
If multiple, you may need to put the cert with the SAN as the first cert in the list.

droorda

I have several certs on the server, the first of which is a wildcard for a 3rd domain that does not match the domains I am adding. I am trying to add certs for 2 different websites using standard GoDaddy certs which support both the domain and the www.domain. From what I am seeing the KEMPs are not capable of this, but I am hoping I am wrong.

Barry Gleeson

Typically when SNI is in use there should not be a need for SANs.

On the LoadMaster, once SNI is enabled, when a new request is received it will go through the list of assigned Certificate Domain Names and use whichever matches the name in the SNI request. (This does not include SANs, however.)
If none is found, it will use the first cert in the list.

So, in short, only SANs in the first cert on the list will match.
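
A small model of the selection rule described in the comment above, added here as an illustration; it is not code from KEMP or from anyone in this thread. The certificate names (example.com, example.net, a wildcard for example.org) are made up to mirror the poster's setup, and the RFC 6125 wildcard rule used for `*.` names is an assumption about how matching works, not something the thread states. It walks the cert list matching on subject CN only, falls back to the first cert, and then checks whether a client would actually accept what was served, beside the SAN-aware selection the poster is asking for:

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Cert:
    """Stand-in for an installed certificate: a label, the subject CN, and the
    SAN dNSName entries. Real certificates are not parsed here."""
    label: str
    cn: str
    sans: List[str] = field(default_factory=list)


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style host matching: case-insensitive, and a leading '*.' label
    matches exactly one DNS label, so '*.example.org' matches 'www.example.org'
    but neither 'example.org' nor 'a.b.example.org'. Whether the LoadMaster
    applies the same wildcard rule is an assumption of this model."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and all(labels) and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def select_cert_cn_only(certs: List[Cert], sni_name: str) -> Cert:
    """The rule described in the thread: walk the assigned certs in order,
    compare the SNI name against the subject CN only (SANs are ignored), and
    fall back to the first cert in the list when nothing matches."""
    for cert in certs:
        if name_matches(cert.cn, sni_name):
            return cert
    return certs[0]


def select_cert_with_sans(certs: List[Cert], sni_name: str) -> Cert:
    """The behaviour the poster is asking for: the same walk, but every cert's
    CN and SAN entries are candidates for the match."""
    for cert in certs:
        if any(name_matches(n, sni_name) for n in [cert.cn, *cert.sans]):
            return cert
    return certs[0]


def cert_covers(cert: Cert, hostname: str) -> bool:
    """What the client checks after the handshake: does the served certificate
    actually name the host it connected to? If not, the browser shows a
    name-mismatch warning even though the TLS handshake itself succeeded."""
    return any(name_matches(n, hostname) for n in [cert.cn, *cert.sans])


# Constructed sample data mirroring the thread: a wildcard for an unrelated
# third domain sits first in the list, followed by two standard certs that
# carry both the bare domain and its www name as SANs.
WILDCARD_OTHER = Cert("wildcard-other", "*.example.org", ["*.example.org", "example.org"])
SITE_A = Cert("site-a", "example.com", ["example.com", "www.example.com"])
SITE_B = Cert("site-b", "example.net", ["example.net", "www.example.net"])
INSTALLED = [WILDCARD_OTHER, SITE_A, SITE_B]


def outcome(certs: List[Cert], sni_name: str, selector=select_cert_cn_only) -> dict:
    """Run one SNI request through a selector and report which cert was served
    and whether a client would accept it for that name."""
    served = selector(certs, sni_name)
    return {"sni": sni_name, "served": served.label, "client_ok": cert_covers(served, sni_name)}


if __name__ == "__main__":
    for name in ["example.com", "www.example.com", "www.example.net"]:
        print("CN only   :", outcome(INSTALLED, name))
        print("CN + SANs :", outcome(INSTALLED, name, select_cert_with_sans))
    # The reordering workaround from the thread only rescues the cert that is
    # moved to the front; the second site's www name still falls back wrongly.
    reordered = [SITE_A, WILDCARD_OTHER, SITE_B]
    print("reordered :", outcome(reordered, "www.example.com"))
    print("reordered :", outcome(reordered, "www.example.net"))
```

Under the CN-only rule, a request for www.example.com matches no CN, falls back to the wildcard cert for the third domain, and the client rejects it; moving site-a to the front fixes www.example.com but www.example.net still falls back to site-a, which is exactly why only the first cert's SANs are ever useful with this rule.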

droorda

Do you know if SAN support is on the roadmap for the product?

michel.zehnder

It would be nice to have this functionality.
I.e., no matter where the name is, it should match it properly. This would definitely make things easier, especially when migrating from other solutions which might already have perfectly good certificates that we could re-use.