
After configuring multiple domains and some subdomains to operate under nginx I've managed to get multiple server blocks to work OK. Still left with the messy results as below.

This is after setting up multiple domains, using certbot to create certificates and editing nginx config files.

Looking at the nginx config files, it's obvious this would be a lot cleaner if the original default config file had been stripped of commented-out lines. Still seeing a few weird apparent duplicates of server blocks for domains in the default config file.

I am using static files served under nginx for domain.tld & www.domain.tld with nodejs serving blah.domain.tld, though this mix may vary in future.

So some quick questions on good/bad practice:
  • one certificate to cover domain.tld, www.domain.tld and blah.domain.tld?
  • should /etc/nginx/sites-available/default exclude all server block references to the various domains configured in /etc/nginx/sites-available/domain.tld?
  • it seems certbot edits /etc/nginx/sites-available/default to add references for the various domain configs. I'm loath to edit any config files edited by certbot, but the chaotic mess of duplicates indicates a cleanup can be done.

Also: what might the suspicious symbols be?

sudo nginx -t
nginx: [warn] server name "blah.domain.tld/" has suspicious symbols in /etc/nginx/sites-enabled/blah.domain.tld:41
nginx: [warn] conflicting server name "www.domain.tld" on [::]:443, ignored
nginx: [warn] conflicting server name "blah.domain.tld" on [::]:443, ignored
nginx: [warn] conflicting server name "www.domain.tld" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "blah.domain.tld" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "www.domain.tld" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "blah.domain.tld" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.domain.tld" on [::]:80, ignored
nginx: [warn] conflicting server name "blah.domain.tld" on [::]:80, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Next block

ubuntu@blah:/etc/nginx/sites-available$ grep -rn ' domain.tld' /etc/nginx/sites-available/
/etc/nginx/sites-available/domain.tld:39:  server_name domain.tld;
/etc/nginx/sites-available/domain.tld:96:    if ($host = domain.tld) {
/etc/nginx/sites-available/domain.tld:104: server_name domain.tld;

Next block

ubuntu@blah:/etc/nginx/sites-available$ grep -rn ' www.domain.tld' /etc/nginx/sites-available/
/etc/nginx/sites-available/blah.domain.tld:110:    server_name www.domain.tld; # managed by Certbot
/etc/nginx/sites-available/blah.domain.tld:148:    if ($host = www.domain.tld) {
/etc/nginx/sites-available/blah.domain.tld:155:    server_name www.domain.tld;
/etc/nginx/sites-available/default:110:    server_name www.domain.tld; # managed by Certbot
/etc/nginx/sites-available/default:148:    if ($host = www.domain.tld) {
/etc/nginx/sites-available/default:155:    server_name www.domain.tld;

Next block

ubuntu@blah:/etc/nginx/sites-available$ grep -rn ' blah.domain.tld' /etc/nginx/sites-available/
/etc/nginx/sites-available/blah.domain.tld:41: server_name blah.domain.tld/;
/etc/nginx/sites-available/blah.domain.tld:182:    server_name blah.domain.tld; # managed by Certbot
/etc/nginx/sites-available/blah.domain.tld:219:    if ($host = blah.domain.tld) {
/etc/nginx/sites-available/blah.domain.tld:226:    server_name blah.domain.tld;
/etc/nginx/sites-available/default:182:    server_name blah.domain.tld; # managed by Certbot
/etc/nginx/sites-available/default:219:    if ($host = blah.domain.tld) {
/etc/nginx/sites-available/default:226:    server_name blah.domain.tld;
  • Your question is really difficult to understand. Can you please edit your post to make it clear _exactly_ what you're trying to achieve. List them as numbered questions if you have multiple questions. Your block of text was unreadable, I tried to format it, but it really needs labels to describe what each block is. I don't see any Nginx config file, just a bunch of greps which really don't aid understanding of your issue. – Tim Nov 07 '18 at 07:22
  • The suspicious symbol is you have `/` character on the end of your `server_name`. – bodgit Nov 07 '18 at 10:11

2 Answers


The 'conflicting server name' issues probably arise because you configured 2 different server blocks listening on the same URI. One for IPv6 and one for IPv4.

I think you should make 1 server block that listens on both IPv4 and IPv6 at the same time.

– geets

Apologies for the messy question and thanks for the initial responses; after a sleep the fix became obvious.

  • certbot inserted server blocks within /etc/nginx/sites-available/default resulting in duplicate server blocks for *.domain.tld
  • moving /etc/nginx/sites-available/*.domain.tld out of /etc/nginx/sites-available/ eliminated the large number of "nginx: [warn] conflicting server name" messages.
  • minor fixes in /etc/nginx/sites-available/default to ensure all variations of http | https | www.domain.tld | domain.tld | subdomain.domain.tld are handled as intended.

Copy of the now working /etc/nginx/sites-available/default below. Obviously this should be split out into default, domain.tld & subdomain.domain.tld for best practice, and the symlinks cleaned up.

            # Default server configuration
            #
            server {
                listen 80 default_server;
                listen [::]:80 default_server;

                root /var/www/html;

                index index.html;

                server_name _;

                location / {
                    # First attempt to serve request as file, then
                    # as directory, then fall back to displaying a 404.
                    try_files $uri $uri/ =404;
                }

            }


            server {

                root /var/www/domain.tld/html;

                index index.html;
                server_name www.domain.tld domain.tld; # managed by Certbot

                location / {
                    # First attempt to serve request as file, then
                    # as directory, then fall back to displaying a 404.
                    try_files $uri $uri/ =404;
                }


                listen [::]:443 ssl; # managed by Certbot
                listen 443 ssl; # managed by Certbot
                ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem; # managed by Certbot
                ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem; # managed by Certbot
                include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
                ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


            }

            #redirect from http to https for www.domain.tld
            server {
                if ($host = www.domain.tld) {
                    return 301 https://$host$request_uri;
                } # managed by Certbot


                listen 80 ;
                listen [::]:80 ;
                server_name www.domain.tld;
                return 404; # managed by Certbot

            }

            #redirect from http to https for domain.tld
            server {
                if ($host = domain.tld) {
                    return 301 https://$host$request_uri;
                } # managed by Certbot


                listen 80 ;
                listen [::]:80 ;
                server_name domain.tld;
                return 404; # managed by Certbot

            }


            server {


                root /var/www/subdomain.domain.tld/html;

                index index.html;
                server_name subdomain.domain.tld; # managed by Certbot


                location / {
                    # First attempt to serve request as file, then
                    # as directory, then fall back to displaying a 404.
                    #try_files $uri $uri/ =404;
                    proxy_pass http://localhost:4000;
                    proxy_http_version 1.1;
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection 'upgrade';
                    proxy_set_header Host $host;
                    proxy_cache_bypass $http_upgrade;
                }


                listen [::]:443 ssl; # managed by Certbot
                listen 443 ssl; # managed by Certbot
                ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem; # managed by Certbot
                ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem; # managed by Certbot
                include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
                ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

            }
            server {
                if ($host = subdomain.domain.tld) {
                    return 301 https://$host$request_uri;
                } # managed by Certbot


                listen 80 ;
                listen [::]:80 ;
                server_name subdomain.domain.tld;
                return 404; # managed by Certbot


            }

The underlying issue is that certbot appears to duplicate server blocks in default when certs for subdomains are added after the original certs for the domain were created.

The fix was to remove the separate server config files and clean up all the server blocks in default until it was working.
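A pre-deploy check for the two warnings in the question's `nginx -t` output, added here as an example (not code from the post, from certbot or from nginx). It scans constructed stand-ins for the sites-enabled files for duplicate (listen, server_name) pairs, which nginx resolves by keeping the first block loaded and silently ignoring the rest, so a hostname can end up served by a block other than the one you hardened, and for server names containing characters outside the hostname alphabet, such as the trailing `/` bodgit points out.

```python
import re
from collections import defaultdict

# Constructed stand-ins for two files under /etc/nginx/sites-enabled/ (not the
# poster's real files): the www block is duplicated, and one name ends in '/'.
SAMPLE_FILES = {
    "default": """
server { listen 80 default_server; server_name _; }
server { listen 443 ssl; listen [::]:443 ssl; server_name www.domain.tld; }
""",
    "blah.domain.tld": """
server { listen 443 ssl; listen [::]:443 ssl; server_name blah.domain.tld/; }
server { listen 443 ssl; listen [::]:443 ssl; server_name www.domain.tld; }
""",
}

def server_blocks(text):
    """Yield the body of each top-level server { ... } block via a brace-depth scan."""
    text = re.sub(r"#.*", "", text)  # drop comments so braces inside them don't count
    pos = 0
    while True:
        m = re.search(r"\bserver\s*\{", text[pos:])
        if not m:
            return
        start = pos + m.end()
        depth, end = 1, start
        while depth and end < len(text):
            depth += {"{": 1, "}": -1}.get(text[end], 0)
            end += 1
        yield text[start:end - 1]
        pos = end

def listens_and_names(body):
    """Return the normalised listen addresses and the server names of one block."""
    listens = re.findall(r"\blisten\s+([^;\s]+)", body)
    names = [n for m in re.finditer(r"\bserver_name\s+([^;]+);", body)
             for n in m.group(1).split()]
    # a bare port such as `listen 80` means 0.0.0.0:80, so both spellings compare equal
    return [a if ":" in a else "0.0.0.0:" + a for a in listens], names

def check(files):
    """conflicts: (listen, name) -> files defining it more than once;
    suspicious: names with characters outside [A-Za-z0-9._*-] (nginx itself warns on '/')."""
    seen, suspicious = defaultdict(list), []
    for fname, text in files.items():
        for body in server_blocks(text):
            listens, names = listens_and_names(body)
            for name in names:
                if not re.fullmatch(r"[A-Za-z0-9._*-]+", name):
                    suspicious.append((fname, name))
                for addr in listens:
                    seen[(addr, name)].append(fname)
    return {k: v for k, v in seen.items() if len(v) > 1}, suspicious
```

Running `check` over the real files (read from /etc/nginx/sites-enabled/) before `nginx -s reload` tells you which file's block will actually answer for each name, which `nginx -t` only reports as a warning.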