Configure Let's Encrypt wildcard certificate, it seems to have no effect!


#1

The following is a rough configuration:

/etc/nginx/nginx.conf
######################################################
server {
    listen 80;
    server_name www.aaa.com;

    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    # Note: a server-level "return" is applied before any location block is
    # matched, so the location below is never reached.
    return 301 https://$host$request_uri;

    location / {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass   https://www.aaa.com:443;
    }
}

server {
    listen 80;
    server_name ktr.aaa.com;

    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    # Note: as above, the location block below is never reached.
    return 301 https://$host$request_uri;

    location / {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass   https://ktr.aaa.com:443;
    }
}

/etx/nginx/vhost/www/aaa.conf
#################################################
server {
    listen 443 ssl;
    server_name www.aaa.com;

    index        index.html index.htm index.php;
    root         /webdata/com/www;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    # "ssl on" is redundant with "listen 443 ssl" and deprecated in newer nginx releases.
    ssl on;
    ssl_certificate         /etc/letsencrypt/live/aaa.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/aaa.com/privkey.pem;
}

/etx/nginx/vhost/ktr/aaa.conf
############################################
server {
    listen 443 ssl;
    server_name ktr.aaa.com;

    index        index.html index.htm index.php;
    root         /webdata/com/ktr;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    # Same wildcard certificate as the www vhost; the server is selected by SNI.
    ssl on;
    ssl_certificate         /etc/letsencrypt/live/aaa.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/aaa.com/privkey.pem;
}

The result is that visiting ktr.aaa.com displays the home page of www.aaa.com. This is inconsistent with the rules in the configuration file!


#2

Hi @akrom,

Maybe it’s me, but sorry, I don’t understand the problem. Could you please give us more details about what the problem with the wildcard certificate is? Also, please tell us the real domain name, or it could be really hard to debug the issue.

Cheers,
sahsanu


#3

Heilongbo.com is my domain name.

Before, using a single domain name, the second-level domain name could be used normally. Now, after changing to a wildcard domain name, the second-level domain name can’t be accessed.
The current problem is that the second-level domain name is automatically redirected to the first page of the first-level domain name. The first-level and second-level domain names are two different sites in two different directories.


#4

Sorry, but what is the second-level domain? I see that heilongbo.com and www.heilongbo.com are working as expected and both are covered by your certificate (which covers heilongbo.com and *.heilongbo.com), and you are saying that the other domain, ktr.heilongbo.com, is redirecting to heilongbo.com? Well, ktr.heilongbo.com doesn’t have an A or AAAA record, so maybe the real name is another one or it is not publicly available… Anyway, I suppose your problem is not nginx but your apache conf: nginx is not listening on port 80 and making the redirections, it is an apache web server which is redirecting your domains from http to https, so you should take a look at what redirection is configured for your second-level domain…

Example:

  $ curl -IkL http://www.heilongbo.com   <----------- http request
HTTP/1.1 301 Moved Permanently
Server: apache   <--------------------------------- your apache web server
Date: Sat, 24 Mar 2018 15:50:13 GMT
Content-Type: text/html
Content-Length: 179
Connection: keep-alive
Location: https://www.heilongbo.com/ <------------- redirecting to https

HTTP/2 200
server: nginx   <---------------------------------- your nginx server serving the https request
date: Sat, 24 Mar 2018 15:50:15 GMT
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
link: <https://www.heilongbo.com/wp-json/>; rel="https://api.w.org/"
strict-transport-security: max-age=15768000

Cheers,
sahsanu


#5

Does the wildcard certificate require SNI support from the server?


#6

Not necessarily, if your server has enough IPs for each host. (SNI support depends on your server, not on the certificate.)
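To check the two things raised in the replies above (whether `heilongbo.com` and `*.heilongbo.com` actually cover a given name such as `ktr.heilongbo.com`, and which certificate a server presents when the client sends that name via SNI), here is an added example script; it is not part of any post in this thread. The SAN list in it is constructed to mirror the certificate described in reply #4, and `served_sans` is a hypothetical helper that needs network access.

```python
import socket
import ssl
from typing import List, Optional


def wildcard_covers(hostname: str, san: str) -> bool:
    """Return True if one DNS SAN entry (exact name or full-label wildcard)
    covers hostname, using the rules public CAs such as Let's Encrypt apply:
    '*' must be the entire leftmost label and matches exactly one label, so
    '*.example.com' covers 'ktr.example.com' but neither 'example.com' nor
    'a.ktr.example.com'. Comparison is case-insensitive."""
    host = hostname.lower().rstrip(".")
    name = san.lower().rstrip(".")
    if "*" not in name:
        return host == name
    if not name.startswith("*.") or "*" in name[2:]:
        return False  # partial ('k*.') or multi-wildcard names are not accepted
    host_labels = host.split(".")
    name_labels = name.split(".")
    if len(host_labels) != len(name_labels) or not host_labels[0]:
        return False
    return host_labels[1:] == name_labels[1:]


def covering_san(hostname: str, sans: List[str]) -> Optional[str]:
    """Return the first SAN entry that covers hostname, or None if none does."""
    for san in sans:
        if wildcard_covers(hostname, san):
            return san
    return None


def served_sans(hostname: str, port: int = 443) -> List[str]:
    """Hypothetical helper: open a TLS connection with SNI set to hostname and
    return the DNS SAN entries of the certificate the server actually presented.
    A certificate that does not cover hostname makes wrap_socket raise
    ssl.SSLCertVerificationError. Needs network access; not run offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Constructed SAN list modelled on the certificate discussed in the thread.
    sans = ["heilongbo.com", "*.heilongbo.com"]
    for host in ["heilongbo.com", "www.heilongbo.com", "ktr.heilongbo.com", "a.ktr.heilongbo.com"]:
        print(f"{host:24s} -> {covering_san(host, sans)}")
```

If `served_sans("ktr.heilongbo.com")` returns the same SAN list as for `www.heilongbo.com`, the wildcard certificate and SNI are fine and the redirect must come from the layer that answers on port 80.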


#7

Also,

If you are trying to use Nginx (http/2), it’s not necessary to upgrade openssl on your server.
You just need to compile the newest openssl together with Nginx (it doesn’t even need to be installed on your system).


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.