A modern webserver hosting or proxying to multiple backend domain names will often be configured to use SNI (Server Name Indication).
SNI allows multiple SSL-protected domains to be hosted on the same IP address, and is commonly used in Kubernetes with ingress controllers, for example, the nginx ingress controller.
As the SNI extension requires a slight change to the conversation between client and server - the hostname must be provided in the
Hello message to correctly access the associated domain name.
This can present an issue when troubleshooting a node or pod directly, where an IP address is used.
- Network access to the endpoint you wish to troubleshoot
To perform an SNI-compliant request using an IP address, use the following commands replacing the domain name and IP address.
- Using the
curl -v --resolve domain.com:443:<ip address> https://domain.com
opensslcan be useful to obtain details about the certificate configured:
openssl s_client -showcerts -servername domain.com -connect <ip address>:443
More information on SNI can be found here.