How to issue SSL to client Domain Via CNAME Records

Hello, we have a Laravel app in which we offer white-label to our clients. We ask them to add a CNAME subdomain record to their domain for white-label. Now, we also want to make sure that the subdomain they are pointing to us has a VALID SSL certificate.

We are using certbot to get SSL for my domain and my subdomain. Now, the main challenge is that we need to provide SSL to the client's subdomain.

Here is the code we tried:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;   # was [::]:433, a typo that would bind the wrong port for IPv6

    root /var/www/html/larryville/public;

    # nginx comments use '#', not '//'
    ssl_certificate     /etc/letsencrypt/live/press.*.com/fullchain.pem;   # this I need to generate
    ssl_certificate_key /etc/letsencrypt/live/press.*.com/privkey.pem;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;

    charset utf-8;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_read_timeout 300;
    }

    # deny dotfiles except .well-known (needed for the ACME HTTP-01 challenge)
    location ~ /\.(?!well-known).* {
        deny all;
    }
}

We need SSL for subdomains like sub.domainName.com

My hosting provider is: Amazon Web Services EC2
Operating System: Ubuntu 20
We are running on Nginx

The version of certbot is: certbot 0.40.0

Thanks in Advance :smile:


And you’re running into… what issue exactly?


Hey @Osiris, I am willing to achieve this:
ssl_certificate /etc/letsencrypt/live/press.*.com/fullchain.pem; # this I need to generate

Is this possible with what I am doing?

Thanks

You cannot generate a certificate with a wildcard domain like press.*.com.

A wildcard domain is only valid if the wildcard label appears as the very first label in the domain, i.e. *.press.com only.


Hey @_az
Thanks for clarification. Do you have any suggestion as to what we could use?
Maybe we can verify their subdomain via cname record?

The usual approach is that they CNAME a domain to you, and then you automatically issue one certificate per customer domain and automatically generate a virtualhost for it in your webserver.

This takes a bit of development work, as you can imagine.

If you want to avoid some of that development work, you could use a webserver such as Caddy, which features something called “On-Demand TLS” (https://caddyserver.com/docs/automatic-https#on-demand-tls).

Hypothetically: you could enable that feature, and when one of your customers points press.example.com to your server, then visits that domain, Caddy would automatically acquire and use a certificate for press.example.com. Then you just have Caddy proxy to your normal webserver. Boom, white label domains for everyone! YMMV, make sure to take note of the whitelisting advice in the above link.

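The per-customer-domain automation described above (validate the customer's hostname, confirm it CNAMEs to you, issue one certificate, write one vhost) and the allow-listing that Caddy's On-Demand TLS advice calls for, as an added example that is not code from the thread or from certbot, nginx or Caddy. It assumes a platform hostname `whitelabel.example.net` as the CNAME target, a constructed tenant registry, certbot 0.40's `certonly --webroot` flags, and the webroot and PHP-FPM socket from the posted nginx config; DNS, certbot and nginx are reached through injectable callables so the checks can be exercised without network access.

```python
"""Onboard one white-label customer domain: one certificate, one nginx vhost.

Added example, not code from the thread.  OUR_HOST, TENANTS and VHOST_DIR
are assumptions; WEBROOT and the PHP-FPM socket come from the posted config.
"""
import re
import socket
import subprocess
import sys
from pathlib import Path

OUR_HOST = "whitelabel.example.net"              # assumed CNAME target customers point at
WEBROOT = "/var/www/html/larryville/public"      # from the posted nginx config
VHOST_DIR = Path("/etc/nginx/sites-enabled")     # assumed vhost directory
TENANTS = {"press.customer-one.example": "tenant-1"}  # constructed sample registry

# The hostname is customer-supplied and ends up in argv and in a file name, so
# accept only a plain FQDN: no wildcards, slashes, spaces, or leading/trailing
# hyphens, labels of at most 63 octets.  "press.*.com" is rejected by design.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+[a-z]{{2,63}}$")


def normalize_domain(raw):
    """Lower-case, strip a trailing dot, and reject anything that is not a FQDN."""
    domain = raw.strip().lower().rstrip(".")
    if len(domain) > 253 or not HOSTNAME_RE.fullmatch(domain):
        raise ValueError(f"invalid hostname: {raw!r}")
    return domain


def canonical_name(domain):
    """System-resolver approximation of a CNAME lookup: gethostbyname_ex returns
    the canonical name after following CNAMEs.  Use a real CNAME query
    (e.g. dnspython) in production if you need the exact record."""
    return socket.gethostbyname_ex(domain)[0].rstrip(".").lower()


def is_delegated_to_us(domain, resolve=canonical_name):
    """True only if the customer's name resolves to our hostname."""
    try:
        return resolve(domain) == OUR_HOST
    except OSError:
        return False


def certbot_argv(domain, email):
    """certbot 0.40 invocation: webroot challenge, passed as argv (no shell)."""
    return ["certbot", "certonly", "--non-interactive", "--agree-tos",
            "--email", email, "--webroot", "-w", WEBROOT, "-d", domain]


def render_vhost(domain):
    """nginx server block for one customer domain, using certbot's live/ layout."""
    live = f"/etc/letsencrypt/live/{domain}"
    return f"""server {{
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name {domain};
    root {WEBROOT};
    ssl_certificate {live}/fullchain.pem;
    ssl_certificate_key {live}/privkey.pem;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";
    index index.php;
    location / {{ try_files $uri $uri/ /index.php?$query_string; }}
    location ~ \\.php$ {{
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
    }}
}}
"""


def onboard(raw_domain, email, resolve=canonical_name, run=subprocess.run,
            vhost_dir=VHOST_DIR):
    """Validate, check the CNAME, issue the certificate, install and reload the vhost.
    Returns the vhost path.  The registry check is the same allow-list that a
    Caddy On-Demand TLS 'ask' endpoint would enforce before issuance."""
    domain = normalize_domain(raw_domain)
    if domain not in TENANTS:
        raise PermissionError(f"{domain} is not a registered tenant domain")
    if not is_delegated_to_us(domain, resolve):
        raise PermissionError(f"{domain} does not CNAME to {OUR_HOST}")
    run(certbot_argv(domain, email), check=True)
    vhost_path = vhost_dir / f"{domain}.conf"
    vhost_path.write_text(render_vhost(domain))
    run(["nginx", "-t"], check=True)
    run(["systemctl", "reload", "nginx"], check=True)
    return vhost_path


if __name__ == "__main__":
    print(onboard(sys.argv[1], sys.argv[2]))
```

Run as `python3 onboard.py press.customer-one.example ops@example.net` once the customer's CNAME is live; the order matters, because certbot must succeed (and the `.well-known` path must be served over port 80) before the vhost referencing `/etc/letsencrypt/live/<domain>/` is installed, otherwise `nginx -t` fails on the missing files.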

Hey @_az Thank you so much for helping. :blush:

