Let's encrypt does not work with `www`. I have few domains on same server


#1

So I am trying to investigate why my SSL doesn’t work with www. It resolve perfectly as non-www, check yourself:

My website
https://hustlerbundle.com - works
https://www.hustlerbundle.com - doesn’t work :frowning:

Now, a bit of background:
I keep few domains under same IP - I use one Digital Ocean droplet/server and hustlerbundle.com isn’t my main domain. My main domain is https://focusasia.xyz and this one works perfectly (I issued Let’s Encrypt certificate for it first). None of the domains I issued cert for after my “mother” domain work (I have few of them).

The command I used to issue cert is always the same (I followed this guide):

sudo letsencrypt certonly -a webroot --webroot-path=/var/www/html -d example.com -d www.example.com

(of course I replace above command with my own path and domain)

This is my NGINX file for hustlerbundle.com. It’s pretty much same for every domain I have (of course I replace domain info etc):
(behaviour I want is to redirect all hits to https and non-www, no matter what user type in browser)

server {
    listen 80;
    listen [::]:80;
    server_name www.hustlerbundle.com hustlerbundle.com;
    return 301 https://hustlerbundle.com$request_uri;

}

server {
        listen 443;
        server_name www.hustlerbundle.com;
        return 301 https://hustlerbundle.com$request_uri;
}


server {

    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name hustlerbundle.com;

    root /home/hustler/www/hustlerbundle.com;
    index index.html index.php;

    access_log  /var/log/nginx/hustlerbundle.com.access.log;
    error_log   /var/log/nginx/hustlerbundle.com.error.log;

    error_page 401 403 404 /404.html;
    charset utf-8;

    include snippets/ssl-hustlerbundle.com.conf;
    include snippets/ssl-params.conf;

    location ~ /.well-known {
       allow all;
    }

    location / {
      try_files $uri $uri/ /index.html /index.php;
    }

    #location ~* \.html$ {
    #    expires -1;
    #}

    location ~* \.(css|js|gif|jpe?g|png|ico)$ {
        expires 30d;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    location ~*  \.(pdf)$ {
        expires 30d;
    }

    ## Begin - Security
    # deny all direct access for these folders
    location ~* /(.git|cache|bin|logs|backups|tests)/.*$ {
        return 403;
    }


    ## Begin - PHP
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php-fpm-hustler.sock;
        # fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        #fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
        fastcgi_intercept_errors off;
        fastcgi_buffer_size 16k;
        fastcgi_buffers 4 16k;
    }
    ## End - PHP

    gzip on;
    gzip_http_version 1.1;
    gzip_vary on;
    gzip_comp_level 6;
    gzip_proxied any;
    gzip_types application/atom+xml
               application/javascript
               application/json
               application/vnd.ms-fontobject
               application/x-font-ttf
               application/x-web-app-manifest+json
               application/xhtml+xml
               application/xml
               font/opentype
               image/svg+xml
               image/x-icon
               text/css
               text/plain
               text/xml;
    gzip_buffers 16 8k;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";

}

File snippets/ssl-hustlerbundle.com.conf; includes:

ssl_certificate /etc/letsencrypt/live/hustlerbundle.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hustlerbundle.com/privkey.pem;

File snippets/ssl-params.conf includes:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "XXXXX+XXXXXX:EDH+XXXXXX:AES256+XXXXX:AES256+XXX";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/nginx/ssl/dhparam.pem;

Is my config wrong? Or the way I issued those certs is not correct?

Help!


#2

Hello @devspeaking,

I’m leaving right now so I can’t extend my answer but this part is not correct:

If you want to redirect https://www.hustlerbundle.com you should enable ssl for that part too.

Sorry, but as I said I’m in a hurry now :frowning:

Cheers,
sahsanu


#3

The certificate sent from hustlerbundle.com is fine and would also work if served up from www.hustlerbundle.com, so definitely just a configuration problem.


#4

Well, if that’s the case, why https://www.focusasia.xyz with pretty much same config works just fine (my “mother” domain on this server). Here is the config for it:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name www.focusasia.xyz focusasia.xyz;
    return 301 https://focusasia.xyz$request_uri;

}


server {
        listen 443;
        server_name www.focusasia.xyz;
        return 301 https://focusasia.xyz$request_uri;
}


server {

    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    server_name focusasia.xyz;

    root /home/destiny/www/focusasia.site;
    index index.html index.php;

    access_log  /var/log/nginx/focusasia.site.access.log;
    error_log   /var/log/nginx/focusasia.site.error.log;

    error_page 401 403 404 /404.html;
    charset utf-8;

    include snippets/ssl-focusasia.xyz.conf;
    include snippets/ssl-params.conf;

        location ~ /discuss/(.*) {
                return 301 https://focusasia.xyz/ask/$1;
        }

    location ~ /.well-known {
       allow all;
    }

   ### REST OF CONFIG FILE HERE....

#5

Because focusasia.xyz is the default SSL cert for your server IP. So when you go to https:/www.focusasia.xyz you get the correct cert, and it can follow the redirect

$ curl -I https://www.focusasia.xyz
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Tue, 18 Oct 2016 14:49:13 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: https://focusasia.xyz/
Strict-Transport-Security: max-age=15768000; includeSubDomains: always;

Wheras when going to https://www.hustlerbundle.com you will get the wrong cert - so the browser will fail at that point

$ curl -I https://www.hustlerbundle.com
curl: (51) SSL: certificate subject name (focusasia.xyz) does not match target host name 'www.hustlerbundle.com'

#6

I am not an nginx expert, but I think the focusaisa site’s default_server setting is compensating for a mistake in the configuration. I believe @sahsanu has it right, and the configuration should not say to listen on port 443 for the name with www at the start, without also saying that on this port the protocol is SSL or HTTP2, not plaintext HTTP.


#7

Thanks for answers @tialaramex, @serverco

Got it now :slight_smile:

So what should I adjust in my config file keeping in mind that I always want to redirect to non-www and https? Completely remove this section from all the domains config files except focusasia's config?

#BEGINNING OF CONFIG [...]

server {
        listen 443;
        server_name www.hustlerbundle.com;
        return 301 https://hustlerbundle.com$request_uri;
}

# REST OF CONFIG [...]

#8

Hello @devspeaking,

You need to add the ssl part, I don’t know what are the contents of your include directives but should work for both, hustlerbundle.com and www.hustlerbundle.com.

server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name www.hustlerbundle.com;
        return 301 https://hustlerbundle.com$request_uri;
        include snippets/ssl-hustlerbundle.com.conf;
        include snippets/ssl-params.conf;
}

Edit: Changed the domain name on first include.

Cheers,
sahsanu


#9

Works! :tada: :tada: :tada: Thank you so much everyone! (virtual beer :beers: )

This is how my config looks like after modifications (just in case if someone is having similar problem):

server {
    listen 80;
    listen [::]:80;
    server_name www.hustlerbundle.com hustlerbundle.com;
    return 301 https://hustlerbundle.com$request_uri;

}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.hustlerbundle.com;
    return 301 https://hustlerbundle.com$request_uri;
    include snippets/ssl-hustlerbundle.com.conf;
    include snippets/ssl-params.conf;
}

server {

    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name hustlerbundle.com;

    root /home/hustler/www/hustlerbundle.com;
    index index.html index.php;

    access_log  /var/log/nginx/hustlerbundle.com.access.log;
    error_log   /var/log/nginx/hustlerbundle.com.error.log;

    error_page 401 403 404 /404.html;
    charset utf-8;

    include snippets/ssl-hustlerbundle.com.conf;
    include snippets/ssl-params.conf;

    location ~ /.well-known {
       allow all;
    }

   ### REST OF THE CONFIG...

P.S. I shared content of my includes in my first post :slight_smile:


#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.