How to issue SSL to client Domain Via CNAME Records

Hello, we have a Laravel App in which we offer whitelablel to our clients. We ask them to add a Cname subdomain record to their domain for whitelabel. Now, we are also willing to make sure that the subdomain they are pointing to us have a VALID SSL Certificate.

We are using certbot to get ssl for may domain and my subdomain. Now, the main challenge is that we need to provide ssl to client’s subdomain.

Here is the code we tried:

server {

listen 80 default_server;
listen [::]:80 default_server;
if ($scheme != "https") {
    return 301 https://$host$request_uri;
} # managed by Certbot


server {

listen 443 ssl default_server;
listen [::]:433 ssl default_server;

root /var/www/html/larryville/public;

ssl_certificate  /etc/letsencrypt/live/press.*.com/fullchain.pem; // this i need to generate
ssl_certificate_key /etc/letsencrypt/live/press.*.com/privkey.pem;

add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";

index index.html index.htm index.php;

charset utf-8;

location / {
    try_files $uri $uri/ /index.php?$query_string;

location = /favicon.ico { access_log off; log_not_found off; }

error_page 404 /index.php;

location ~ \.php$ {
    fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
    include fastcgi_params;
    fastcgi_read_timeout 300;

location ~ /\.(?!well-known).* {
    deny all;


We need SSL for subdomains like

My hosting provider is: Amazon Web Services EC2
Operating System: Ubuntu 20
We are running on Nginx

The version of certbot is: certbot 0.40.0

Thanks in Advance :smile:

1 Like

And you’re running into… what issue exactly?

1 Like

Hey @Osiris, I am willing to achieve this:
ssl_certificate /etc/letsencrypt/live/press.*.com/fullchain.pem; // this i need to generate

Is this possible with what I am doing?


You cannot generate a certificate with a wildcard domain like press.*.com.

A wildcard domain is only valid if the wildcard label appears as the very first label in the domain, i.e. * only.


Hey @_az
Thanks for clarification. Do you have any suggestion as to what we could use?
Maybe we can verify their subdomain via cname record?

The usual approach is that they CNAME a domain to you, and then you automatically issue one certificate per customer domain and automatically generate a virtualhost for it in your webserver.

This takes a bit of development work, as you can imagine.

If you want to avoid some of that development work, you could use a webserver such as Caddy, which features something called “On-Demand TLS” (

Hypothetically: you could enable that feature, and when one of your customers points to your server, then visits that domain, Caddy would automatically acquire and use a certificate for Then you just have Caddy proxy to your normal webserver. Boom, white label domains for everyone! YMMV, make sure to take note of the whitelisting advice in the above link.


Hey @_az Thank you so much for helping. :blush:

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.