Load LE Certificate using Nginx Include


#1

We have nginx on Ubuntu 18.0.4 with a Laravel app. Server managed with Laravel Forge. We load data for custom domain names using this server block in the main config:

server {
    listen  80 default_server;
    listen  [::]:80 default_server;
    listen  443 default_server ssl http2;
    listen  [::]:443 default_server ssl http2;
    root /home/forge/app.com/current/public;

    ssl_certificate /etc/nginx/ssl/app.com/xxxxxx/server.crt;
    ssl_certificate_key /etc/nginx/ssl/app.com/xxxxx/server.key;

    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;
    
    charset utf-8;

    # FORGE CONFIG (DO NOT REMOVE!)
    include forge-conf/app.com/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }
}

The SSL certificate loaded now in this server block is for the app domain and subdomains. Added for now to avoid errors. We need to load Let’s Encrypt SSL certificates for regular or custom domains.

Is it possible to grab the correctly generated LE SSL certificate from a directory using an include like /etc/nginx/ssl/custom-domains/*;? Possible in a way that domain1.com loads the domain1.com cert and domain2.com the domain2.com certificate this way? Without using a specific certificate name?


#2

Hi,

Nginx only allows one certificate per vHost, hence you’ll need to add each domain as a separate vHost & apply for a certificate.

Or you could just use one certificate (however, it’s allowing one RSA & one ECC) and add all extra domains as SAN… (Like CloudFlare)
Take a look at this post …

Thank you


#3

What are RSA and ECC?

So if I have include /etc/nginx/ssl/custom-domains/* with certificates stored like

/etc/nginx/ssl/custom-domains/domain1.cert
/etc/nginx/ssl/custom-domains/domain1.key
/etc/nginx/ssl/custom-domains/domain2.cert
/etc/nginx/ssl/custom-domains/domain2.key

can’t I get the nginx include to grab the proper certificate with that include automagically?

P.S. Was just reading https://tighten.co/blog/serving-multiple-ssl-encrypted-domains-from-one-application-in-nginx


#4

Take a look at this post: https://www.ssl247.com/kb/ssl-certificates/generalinformation/what-is-rsa-dsa-ecc

Nope… If you specify more than one certificate (not only is it not possible, since it needs to use “sslcertificatefile” or something…) Even if it works, it will serve the last certificate or throw you an error message…

After all, each virtual host can only have one certificate specified.

Take a look at this nginx.org doc: http://nginx.org/en/docs/http/configuring_https_servers.html

Thank you


#5

OK, so perhaps I can then do an include to include configs… one per host loading the SSL certificate using include vhosts/*.conf;? That will mean the Laravel app will have to generate one config file per domain then. One config that loads a unique SSL certificate.

Thinking about this still. Perhaps I just need to remove this server block and have one generated per site in sites-available. Nginx should pick them up automatically I would think: https://serverfault.com/questions/707955/nginx-split-large-configuration-file
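The one-server-block-per-domain approach discussed above, as an added example that is not from this thread or from Laravel Forge: a small POSIX shell generator that writes one nginx vhost file per custom domain, each pointing at that domain's own Let's Encrypt certificate. The certbot `live/` layout, the output directory, and the PHP-FPM socket path are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: emit one nginx server block per custom domain, each loading
# that domain's own certificate. Nginx picks the block by SNI server_name, so
# the default_server block can keep the app's own certificate.
set -eu

# Where certbot stores per-domain certs by default (assumption for this example).
CERT_ROOT="${CERT_ROOT:-/etc/letsencrypt/live}"

# Print the server block for one domain. $1 = domain name.
render_vhost() {
    domain="$1"
    cat <<EOF
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ${domain};
    root /home/forge/app.com/current/public;

    ssl_certificate     ${CERT_ROOT}/${domain}/fullchain.pem;
    ssl_certificate_key ${CERT_ROOT}/${domain}/privkey.pem;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    # Same Laravel app as the default vhost; only the certificate differs.
    index index.php;
    location / { try_files \$uri \$uri/ /index.php?\$query_string; }
    location ~ \\.php\$ {
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }
}
EOF
}

# Write <domain>.conf for each domain into $1 (e.g. /etc/nginx/vhosts, later
# pulled in with "include vhosts/*.conf;"). Domain names come from app data,
# so reject anything outside [A-Za-z0-9.-] before it reaches the config.
write_vhosts() {
    out_dir="$1"; shift
    mkdir -p "$out_dir"
    for d in "$@"; do
        case "$d" in
            ""|*[!A-Za-z0-9.-]*) echo "skipping invalid domain: $d" >&2; continue ;;
        esac
        render_vhost "$d" > "${out_dir}/${d}.conf"
    done
}
```

Run `nginx -t` after regenerating the files and reload only if it passes, since one bad block takes the whole server down with it.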


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.