[smarinov]

This is a solution if you don't care that anyone looking at the certificate would be able to directly see every single domain that you are hosting as part of your setup.

Determined people would be still able to find it out, more or less, despite not having it handy in their web browser under the field for the certificate's Subject Alternative Name. However, there is nothing stopping you from issuing separate certificates for each domain (possibly with subdomains) and configuring your webserver appropriately with SNI.

I have been using precisely Nginx to serve multiple HTTPS domains with certificates from Let's Encrypt since the first few weeks after it came out, so I am not sure why OP thinks it's strictly necessary to assign them separate IP addresses. Generally speaking, there is nothing wrong with that, and it is indeed a somewhat cleaner solution, if it wasn't for the IPv4 examples, oh my...

[zeta0134]

I was under the impression that older clients wouldn't send the host header over HTTPS, making it impossible to determine the correct certificate to serve in a shared IP environment. Modern browsers all support SNI which prevents exactly this problem, but compromise by sending the hostname in plain text, which may be a privacy concern; this is something that's still up for debate: http://security.stackexchange.com/questions/86723/why-do-htt...

EDIT: I'm not sure what I was reading or who I was responding to. You mentioned this directly in your comment. Ignore my blathering, I'm tired. :)

[Buge]

They all send host headers over HTTPS (unless it's http2, because the protocol is different). But the host headers don't get sent until after the encrypted transport is fully setup. And to set up the encrypted transport, the server needs to send a certificate. So the server needs to send the certificate before it sees the host header. That's what SNI helps.

[Jaruzel]

SNI doesn't work on Windows XP.

"Who still use Windows XP?" I hear you ask?

Just under 10% of all users[1]. Enough to make SNI problematic. In a few years time, we'll be OK, but not right now.

---

[1] https://www.netmarketshare.com/operating-system-market-share...

[tokenizerrr]

On internet explorer on Windows XP. Anyone on XP who uses Chrome or Firefox is just fine. If you are still using internet explorer on XP then you probably have other problems from all the malware that already installed itself on your computer.

[Jaruzel]

Current versions of Chrome are no longer available for XP.

If you are still using XP it's probably because you have to, and do not have the knowledge to switch to something better. Ergo, it's highly possible that you are still using IE on XP as well, as you don't know any different, or cannot change it due to restrictions, or policy.

It's an accessibility thing. If I designed a new web system that blocked off 10% of the populous, for whatever reason (deaf,blind, not able bodied), then people would call me out on it.

In the main, it's unlikely that anyone still using XP is doing so because they want to. Not everyone is privileged enough to have access to modern equipment.

[manarth]

  It's an accessibility thing. If I designed a new web system that
  blocked off 10% of the populous, for whatever reason (deaf,blind,
  not able bodied), then people would call me out on it.

Rightly so, because that's a constraint that cannot be changed.

Running an outdated, decommissioned operating system is something that can be changed. You have no obligation, moral or otherwise, to support Windows 3.1, OS2/Warp, WAP browsers, Gopher clients, or IE5 running on Mac OS 9.

You can still choose to support outdated clients, because it makes financial sense for your organisation - and many places to just that - just as a corporation running outdated software may choose not to update because that's what makes financial sense for them.

Equating support for an accessible service with support for outdated browsers is a non-starter.

[tokenizerrr]

> Not everyone is privileged enough to have access to modern equipment.

And there you go. If you can't be bothered to not use an ancient operating system, that's just too bad. I don't care about people running DOS either.

Luckily it is a lot easier to switch to a modern operating system than to replace nonfunctional parts of the human body.

[k1ns]

> I have been using precisely Nginx to serve multiple HTTPS domains with certificates from Let's Encrypt since the first few weeks after it came out

This is what I do as well, so I became pretty confused when reading the article. I've had no problems running my personal sites (side projects, really) from one NGINX server using different Let's Encrypt certificates for each one.