
I have a web app that supports multiple subdomains but I can't find the correct nginx setting to make the certificates work.

I've already created the certbot certificates with this command:

sudo certbot --server https://acme-v02.api.letsencrypt.org/directory -d *.example.com --manual --preferred-challenges dns-01 certonly

And then I've proceeded to copy the fullchain.pem and privkey.pem files to the /etc/nginx/ssl/namesite-wildcard directory.

This is my nginx configuration file contained in the sites-available directory:

server {
    server_name nameSite.com www.nameSite.com;  # Main domain settings, not related to my problem

    location / {
        proxy_pass http://localhost:42069;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    location /api {
        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/nameSite.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/nameSite.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    listen 443 ssl;  # THIS is the tricky section

    server_name *.nameSite.com;

    location / {
        proxy_pass http://localhost:42069;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    ssl_certificate /etc/nginx/ssl/nameSite-wildcard/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/nameSite-wildcard/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

server {
    if ($host ~ ^[^.]+\.nameSite\.com$) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = www.nameSite.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = nameSite.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name nameSite.com www.nameSite.com;
    return 404; # managed by Certbot
}

I have to point out that the main domain was automatically certified with the command:

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

So, in the end, when I try to browse to www.nameSite.com or nameSite.com everything is certified but whenever I try any *.nameSite.com the browser tells me that the connection is not encrypted.

Thanks for your help.

grizzo
  • Perhaps I'm stating the obvious, but if `*.example.com` happened to match one or more existing files, the shell will have expanded it to the list of matches (assuming you have default shell globbing options). The simple fix is to enclose the string in single quotes, like `certbot ... stuff -d '*.example.com' ... more stuff` – tripleee Jun 29 '20 at 11:23
  • I've just tried to do that and to change certificates' paths in the nginx config file but the browser still tells me that nothing is encrypted. – grizzo Jun 29 '20 at 12:59
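The question turns on which certificate covers which name, and on what nginx actually hands back for a given SNI name. The script below is an added example and not part of the original post or of certbot/nginx. It does two things: it applies the wildcard-matching rules browsers use (RFC 6125 style), so you can see that a `*.example.com` SAN covers `app.example.com` but not the apex `example.com` or a two-level `a.b.example.com`; and it opens a TLS connection with SNI set to a name you pass on the command line, verifies the served certificate against the system trust store, and reports either its DNS SANs or the verification failure a browser would show. The `example.com` hostnames are placeholders, and the SAN lists in `main` are constructed to mirror the two certificates described in the question.

```python
# Added example (not from the original post): check which hostnames a
# certificate's Subject Alternative Names cover, and probe a live server by
# SNI to see which certificate it serves for each name.
import socket
import ssl
import sys


def hostname_matches_san(hostname: str, san: str) -> bool:
    """Return True if `hostname` is covered by the DNS SAN entry `san`.

    Mirrors the rules browsers apply: a wildcard is only honoured as the whole
    leftmost label ("*.example.com"), it matches exactly one label, and it
    never matches the bare apex ("example.com").
    """
    host = hostname.lower().rstrip(".")
    pattern = san.lower().rstrip(".")
    if "*" not in pattern:
        return host == pattern
    # Reject partial wildcards ("w*.example.com") and wildcards that are not
    # the leftmost label ("www.*.example.com").
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False
    suffix = pattern[1:]            # "*.example.com" -> ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]  # the part the "*" has to stand for
    return bool(leftmost) and "." not in leftmost


def covered_hostnames(hostnames, sans):
    """Map each hostname to whether at least one SAN entry covers it."""
    return {h: any(hostname_matches_san(h, s) for s in sans) for h in hostnames}


def check_served_certificate(hostname, port=443, timeout=5.0):
    """Connect with SNI=hostname and verify the certificate the server returns.

    Returns (True, list_of_dns_sans) when the served certificate validates for
    `hostname`, or (False, reason) when the handshake fails, which is the case
    a browser reports as an insecure connection.
    """
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate rejected for {hostname}: {exc.verify_message}"
    except OSError as exc:
        return False, f"connection to {hostname}:{port} failed: {exc}"
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return True, sans


def main(argv):
    # Constructed SAN lists mirroring the question: the certbot --nginx
    # certificate covers the apex and www, the DNS-01 wildcard covers exactly
    # one level of subdomains. Neither covers everything on its own.
    apex_cert_sans = ["example.com", "www.example.com"]
    wildcard_cert_sans = ["*.example.com"]
    names = ["example.com", "www.example.com", "app.example.com", "a.b.example.com"]
    print("apex cert     :", covered_hostnames(names, apex_cert_sans))
    print("wildcard cert :", covered_hostnames(names, wildcard_cert_sans))

    # Live probe: pass real hostnames as arguments, e.g.
    #   python3 check_sni.py example.com app.example.com
    for name in argv:
        ok, detail = check_served_certificate(name)
        print(name, "->", f"OK, served SANs {detail}" if ok else detail)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with the apex, `www` and one real subdomain as arguments; if the subdomain line reports a verification failure while the others pass, the server is not presenting the wildcard certificate for that SNI name, which narrows the problem to the `*.nameSite.com` server block rather than to the certificate itself.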

0 Answers