Nginx configuration with wildcard LetsEncrypt certificate for subdomains

I'd like to configure nginx with a wildcard LetsEncrypt certificate for dynamic subdomains - domains that will be emulated by the web application.

Right now I have the following "static" domains:

example.com
sso.example.com

Based on the user content, the application will emulate the following domains:

anyname1.example.com
anyname2.example.com
...
{somename}.example.com

These are the current nginx configs:

server {
    server_name example.com;
    access_log /var/log/nginx/example.com.access.log;
    error_log /var/log/nginx/example.com.error.log;
    root /var/www/html/example;

    location / {
        root /var/www/html/example;
        index index.html index.htm;
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ /index.html;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com-0001/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    server_name example.com;
    if ($host = example.com) {
        return 301
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    return 404; # managed by Certbot
}

server {
    server_name *.example.com;
    access_log /var/log/nginx/domains.example.com.access.log;
    error_log /var/log/nginx/domains.example.com.error.log;
    root /var/www/html/example;

    location / {
        root /var/www/html/example;
        index index.html index.htm;
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ /index.html;
    }

    # listen [::]:443 ssl ipv6only=on; # managed by Certbot
    # listen 443 ssl; # managed by Certbot
    # ssl_certificate /etc/letsencrypt/live/ # managed by Certbot
    # ssl_certificate_key /etc/letsencrypt/live/ # managed by Certbot
    # include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    server_name *.example.com;
    if ($host = example.com) {
        return 301
    } # managed by Certbot

    # listen 80;
    # listen [::]:80;
    return 404; # managed by Certbot
}

server {
    server_name sso.example.com;
    access_log /var/log/nginx/sso.example.com.access.log;
    error_log /var/log/nginx/sso.example.com.error.log;

    location / {
        proxy_pass proxy_redirect /;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
    }

    # listen [::]:443 ssl ipv6only=on; # managed by Certbot
    # listen 443 ssl; # managed by Certbot
    # ssl_certificate /etc/letsencrypt/live/ # managed by Certbot
    # ssl_certificate_key /etc/letsencrypt/live/ # managed by Certbot
    # include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = sso.example.com) {
        return 301
    } # managed by Certbot

    server_name sso.example.com;
    listen 80;
    listen [::]:80;
    return 404; # managed by Certbot
}

The certificate for the dynamic subdomains was generated in the following way:

certbot --server -d *.example.com --manual --preferred-challenges dns-01 certonly

Right now, when I try to access any subdomain, I receive the error that the certificate belongs to the main domain.

What am I doing wrong, and how do I fix it?
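Editor's note with an added example (not part of the original question or answer). nginx picks the server block for an HTTPS request by matching the SNI name against the blocks that actually listen on port 443. In the configuration above, the *.example.com block has every listen 443 ssl line commented out, so it only serves port 80 (nginx's default when no listen directive is active); any https://anyname1.example.com request is instead answered by the only 443 block, the example.com one, which presents the example.com-0001 certificate. The wildcard block needs its own 443 listeners and its own certificate paths. The path below is an assumption: certbot names a lineage after the first -d name with the leading "*." removed, so a certificate issued for *.example.com normally lands in /etc/letsencrypt/live/example.com/; confirm with `certbot certificates` before copying it.

```nginx
# Added example, not the original poster's config.
# Assumed path: /etc/letsencrypt/live/example.com/ (check `certbot certificates`).

# HTTPS side for the emulated subdomains: must listen on 443 with ssl,
# otherwise nginx falls back to the first 443 server block (example.com)
# and serves that block's certificate.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    # No ipv6only=on here: that socket option may only be given once per
    # address:port across the whole config, and the example.com block already sets it.
    server_name *.example.com;

    access_log /var/log/nginx/domains.example.com.access.log;
    error_log /var/log/nginx/domains.example.com.error.log;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;   # wildcard lineage (assumed path)
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;     # wildcard lineage (assumed path)
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    root /var/www/html/example;
    location / {
        index index.html index.htm;
        try_files $uri $uri/ /index.html;
    }
}

# HTTP side: send every emulated subdomain to HTTPS, keeping the host name.
server {
    listen 80;
    listen [::]:80;
    server_name *.example.com;
    return 301 https://$host$request_uri;
}
```

Two caveats a practitioner will want. First, a *.example.com certificate does not cover the apex example.com, so the example.com block must keep its own certificate (or reissue one certificate with both names, `-d example.com -d '*.example.com'`, and point both blocks at it). Second, verify with `nginx -t` and then check which certificate is served for a subdomain name via SNI, e.g. `openssl s_client -connect example.com:443 -servername anyname1.example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName`; the subjectAltName should list DNS:*.example.com, not only example.com.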

1 Answer

This may not be an answer to your question, but it is the most important thing I recently found out.

I created and used a wildcard subdomain on my website. Later, I found out that many browsers do not accept this wildcard SSL certificate.

For example, Chrome (desktop and the Android application) throws an error saying it is "TOO_COMMON_CERT_NAME".

So far, as per my experience, I do not recommend using wildcard certificates. Create one manually for each domain/subdomain. You won't regret it.
