
Hello, I'm using certbot to get SSL for my domain and my subdomain. Now the challenge is that I need to provide white label for my clients, and I need to provide SSL to them.

server {

    listen 80 default_server;
    listen [::]:80 default_server;
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot

}

server {

    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    root /var/www/html/larryville/public;

    ssl_certificate  /etc/letsencrypt/live/press.*.com/fullchain.pem; # this I need to generate
    ssl_certificate_key /etc/letsencrypt/live/press.*.com/privkey.pem;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;

    charset utf-8;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_read_timeout 300;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }
}

I need SSL like ssl_certificate /etc/letsencrypt/live/press.*.com/fullchain.pem;

I'm using Ubuntu, nginx, AWS EC2.

Thank you

Kamlesh Paul

1 Answer

TLDR: you can't.

First, an SSL/TLS cert can only have the wildcard in the leftmost (hierarchically lowest) DNS label. (And it can only match one label, not more or less.) See RFC 6125 and https://serverfault.com/questions/878432/ssl-wildcard-certificate-san-to-match-multiple-specific-subdomains-of-wildcard . And 3.2.2.4.* and 3.2.2.6 of the Baseline Requirements at https://cabforum.org/ , although technically cabforum controls only the Web, not all communication protocols.

This is why when StackExchange went HTTPS a few years ago, they had to move the 'meta' pages from the old scheme something.stackexchange.com and meta.something.stackexchange.com, another.stackexchange.com and meta.another.stackexchange.com, etc. to {something,another,etc}.meta.stackexchange.com so they can all be covered by one wildcard SAN entry *.meta.stackexchange.com in the cert while the non-metas are covered by *.stackexchange.com. If you look you can probably still find the (many) Qs and posts about all the problems involved in this.

Second, you can't get a cert from LetsEncrypt (i.e. certbot) or any other public CA for a wildcard directly under a TLD, or more exactly any domain that is a registry so that its subdomains are (always) owned by many different people -- see again the Baseline Requirements and https://publicsuffix.org/ . This is to prevent you from being able to fraudulently impersonate nearly every site/system in the world.

dave_thompson_085
  • Thanks, but my problem is that I'm providing white label to our customer and they can point our CNAME to get host, but we're not able to provide SSL, but we are able to provide host via CNAME – Kamlesh Paul Jul 09 '20 at 05:04
  • Then you can't do that with a wildcard. You must either use multiple certs, or one cert (or a few) with multiple SAN; LE and certbot support both (SAN up to 100 currently). If you use multiple SAN, users who connect to one of your sites will see in the cert (some of) the other sites you support, which may be a privacy issue for you and/or your customer(s). (For example looking at this site's cert you can see Stack also supports askubuntu, serverfault, etc -- but the box at the bottom of the page already _advertises_ those other sites.) – dave_thompson_085 Jul 10 '20 at 16:03
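As an added illustration of the two rules in the answer (a wildcard only as the whole leftmost label, matching exactly one label; no wildcard directly under a public suffix) and of the multi-SAN alternative from the follow-up comment, here is example code that is not part of the original thread. It assumes a constructed stand-in for a few public suffix list entries and hypothetical customer hostnames.

```python
import re

# Constructed stand-in for a few entries of the public suffix list
# (https://publicsuffix.org/); a public CA will not issue "*.<suffix>".
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")

def is_issuable(name):
    """True if a public CA could put `name` in a cert as a dNSName:
    a wildcard only as the entire leftmost label (RFC 6125 s6.4.3),
    never directly under a public suffix (Baseline Requirements 3.2.2.6)."""
    labels = name.lower().split(".")
    if "*" in name:
        if labels[0] != "*" or any("*" in lab for lab in labels[1:]):
            return False          # press.*.com, *press.example.com
        if ".".join(labels[1:]) in PUBLIC_SUFFIXES:
            return False          # *.com, *.co.uk
        labels = labels[1:]
    return len(labels) >= 2 and all(LABEL_RE.match(lab) for lab in labels)

def matches(pattern, host):
    """RFC 6125 matching: the wildcard covers exactly one DNS label."""
    if "*" in host or not is_issuable(pattern):
        return False
    p, h = pattern.lower().split("."), host.lower().split(".")
    if p[0] != "*":
        return p == h
    return len(h) == len(p) and h[1:] == p[1:]

def plan_names(hosts, max_san=100):
    """Cert names covering `hosts`: one wildcard where an issuable wildcard
    covers two or more hosts, explicit SAN entries otherwise. Returns lists
    of at most `max_san` names, the Let's Encrypt limit the answer cites."""
    by_parent = {}
    for h in {h.lower() for h in hosts}:
        by_parent.setdefault(".".join(h.split(".")[1:]), []).append(h)
    names = []
    for parent, group in by_parent.items():
        wild = "*." + parent
        if len(group) > 1 and is_issuable(wild):
            names.append(wild)
        else:
            names.extend(group)
    names.sort()
    return [names[i:i + max_san] for i in range(0, len(names), max_san)]
```

Customer hosts under different parent domains (the white-label case) always come out as explicit SAN entries, which is the privacy trade-off the comment describes.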