How to create a SAN certificate in nginx for sub-domains?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: domain.com

I ran this command:

It produced this output:

My web server is (include version): nginx 1.18

The operating system my web server runs on is (include version): ubuntu 20.04.1

My hosting provider, if applicable, is: digital ocean

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

I do not know the commands to make a SAN cert for 4 subdomains


login.domain.com
api.domain.com
listener.domain.com

My sequence to make SSL is:

  1. cd /etc/nginx/sites-available

  2. in sites-available
    I create a file www.domain.com
    The file looks like this:

server {
    listen 80;
    listen [::]:80;

    server_name domain.com;

    return 301 http://www.domain.com$request_uri;
}

server {
    listen 80;
    listen [::]:80;

    server_name www.domain.com;

    root /var/www/www.domain.com/;
    client_max_body_size 100m;

    access_log /var/log/nginx/www.domain.com-access.log;
    error_log /var/log/nginx/www.domain.com-error.log;

    index index.php index.html;

    location ~ \.php$ {
        try_files $uri $uri/ /index.php?$args;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

  3. cd /etc/nginx/sites-enabled/
    I link things:
    ln -sf /etc/nginx/sites-available/www.domain.com www.domain.com

  4. certbot --nginx

You could add each of those domains in the relevant server_name in your configuration and Certbot would pick them up when you ran certbot --nginx.

You could alternatively ask Certbot to create a certificate with a certain list of domains:

certbot --nginx -d domain.com -d login.domain.com -d api.domain.com -d listener.domain.com
1 Like

Thank you for your response.
Are your instructions above for a wildcard or SAN?
Will I need to do anything on the DNS side besides A Record with the subdomain name?

1 Like

That's for a SAN certificate, yes.

For a wildcard you would do -d "*.example.com". Wildcards have some other complications: you have to use the DNS challenge. It's much easier and recommended to stick to SAN certificates if you can.

Nothing else. All you need is for the A record of each subdomain to point to your nginx server.

1 Like
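The two answers above hinge on one check: every host named in an nginx `server_name` directive has to be matched by some SAN entry on the certificate, and a wildcard entry matches only a single leftmost label (so `*.domain.com` covers `login.domain.com` but neither `domain.com` itself nor `deep.new.domain.com`). The following script is an added example written for this page, not code from the thread or from Certbot; the nginx fragment and SAN lists in it are constructed. It extracts the `server_name` hosts from a config, reports which of them a given SAN list would leave uncovered, and builds the matching `certbot --nginx -d ...` command line from the list of hosts.

```python
"""Check nginx server_name hosts against a certificate's SAN list.

Added example (not from the forum thread). The config fragment and the SAN
lists are constructed to mirror the thread's layout.
"""
import re
import shlex
from typing import Iterable, List

# Constructed nginx fragment: the thread's hosts plus one two-level subdomain.
NGINX_CONF = """
server {
    listen 80;
    server_name domain.com;
    return 301 https://www.domain.com$request_uri;
}
server {
    listen 80;
    server_name www.domain.com login.domain.com api.domain.com listener.domain.com;
}
server {
    listen 80;
    server_name deep.new.domain.com;
}
"""

# The SAN list the thread's certbot command would request.
SANS_FROM_THREAD = ["domain.com", "login.domain.com", "api.domain.com", "listener.domain.com"]


def server_names(conf: str) -> List[str]:
    """Collect every host on a server_name directive, de-duplicated, in file order."""
    names: List[str] = []
    for match in re.finditer(r"^\s*server_name\s+([^;]+);", conf, re.MULTILINE):
        for host in match.group(1).split():
            if host not in names:
                names.append(host)
    return names


def san_matches(san: str, host: str) -> bool:
    """Hostname matching as TLS clients apply it: exact match, or a leftmost
    wildcard that stands in for exactly one label (never for the bare domain,
    never for two labels)."""
    san, host = san.lower(), host.lower()
    if san == host:
        return True
    if san.startswith("*."):
        suffix = san[1:]  # "*.domain.com" -> ".domain.com"
        if host.endswith(suffix):
            prefix = host[: -len(suffix)]
            return prefix != "" and "." not in prefix
    return False


def uncovered(sans: Iterable[str], hosts: Iterable[str]) -> List[str]:
    """Hosts that no SAN entry matches; these would fail TLS validation."""
    sans = list(sans)
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]


def certbot_command(hosts: Iterable[str]) -> List[str]:
    """Build the SAN request the thread recommends, one -d per host."""
    cmd = ["certbot", "--nginx"]
    for host in hosts:
        cmd += ["-d", host]
    return cmd


if __name__ == "__main__":
    hosts = server_names(NGINX_CONF)
    print("hosts in config:", hosts)
    print("uncovered by thread's SAN list:", uncovered(SANS_FROM_THREAD, hosts))
    print("uncovered by a wildcard:", uncovered(["domain.com", "*.domain.com"], hosts))
    print(shlex.join(certbot_command(hosts)))
```

Run against a real file with `server_names(open("/etc/nginx/sites-available/www.domain.com").read())`; anything `uncovered()` reports is a host that will serve a certificate browsers reject, which is usually how a forgotten `www` or a two-level subdomain is noticed after issuance.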

Thank you very much for your help.

1 Like

After the certificates are made, what happens if in the future, I add a new subdomain
new.domain.com
What command would I run for the new subdomain?

One way is to first find your Certificate Name by running:

certbot certificates

Then run the command you originally used, but:

  • Include the new subdomain in the list of domains, and
  • Include the Certificate Name you found using --cert-name, so that Certbot knows you want to update the existing certificate

That might look something like:

certbot --nginx --cert-name domain.com \
-d domain.com -d login.domain.com -d api.domain.com -d listener.domain.com \
-d the-new-subdomain.domain.com

The only things that changed are --cert-name domain.com and -d the-new-subdomain.domain.com.

1 Like
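The step that is easy to get wrong when expanding a lineage with `--cert-name` is repeating the full existing domain list: the `-d` set you pass becomes the new SAN set for that certificate, so leaving out a host removes it. The script below is an added example for this page, not code from the thread or from Certbot; the `certbot certificates` output it parses is a constructed sample shaped like that command's listing. It reads the domains of each lineage, builds the expansion command with the new subdomain appended, and reports which existing hosts a hand-typed domain list would silently drop.

```python
"""Build a --cert-name expansion command from `certbot certificates` output.

Added example (not from the forum thread). CERTBOT_OUTPUT is a constructed
sample in the shape of `certbot certificates`, not a real run.
"""
import shlex
from typing import Dict, Iterable, List

CERTBOT_OUTPUT = """\
Found the following certs:
  Certificate Name: domain.com
    Domains: domain.com login.domain.com api.domain.com listener.domain.com
    Expiry Date: 2021-03-01 00:00:00+00:00 (VALID: 60 days)
    Certificate Path: /etc/letsencrypt/live/domain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/domain.com/privkey.pem
"""


def parse_certificates(text: str) -> Dict[str, List[str]]:
    """Map each Certificate Name to its Domains list."""
    lineages: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Certificate Name:"):
            current = line.split(":", 1)[1].strip()
            lineages[current] = []
        elif line.startswith("Domains:") and current is not None:
            lineages[current] = line.split(":", 1)[1].split()
    return lineages


def expand_command(lineages: Dict[str, List[str]], cert_name: str,
                   new_hosts: Iterable[str]) -> List[str]:
    """The command the thread describes: existing domains plus the new ones,
    tied to the lineage with --cert-name so Certbot updates rather than creates."""
    if cert_name not in lineages:
        raise KeyError(f"no lineage named {cert_name!r}; check `certbot certificates`")
    domains = list(lineages[cert_name])
    for host in new_hosts:
        if host not in domains:
            domains.append(host)
    cmd = ["certbot", "--nginx", "--cert-name", cert_name]
    for host in domains:
        cmd += ["-d", host]
    return cmd


def dropped(lineages: Dict[str, List[str]], cert_name: str,
            requested: Iterable[str]) -> List[str]:
    """Existing domains absent from a requested -d list; Certbot would remove
    them from the certificate when it updates the lineage."""
    requested = set(requested)
    return [d for d in lineages[cert_name] if d not in requested]


if __name__ == "__main__":
    lineages = parse_certificates(CERTBOT_OUTPUT)
    print(shlex.join(expand_command(lineages, "domain.com", ["new.domain.com"])))
    # A hand-typed list that forgot the existing subdomains:
    print("would drop:", dropped(lineages, "domain.com", ["domain.com", "new.domain.com"]))
```

On a live system, feed it `subprocess.run(["certbot", "certificates"], capture_output=True, text=True).stdout` instead of the constructed sample; if `dropped()` returns anything for the list you are about to pass, add those hosts back before running the command.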