Nginx, multiple domains, multiple certificates / wildcard certificate

Can someone point me to a guide for nginx to serve multiple domains with multiple certificates?

I can only find guides that tell you how to serve one domain.

In particular, I issued a wildcard certificate for *.server.com and server.com, but the browser says it is insecure. The cert in the browser says “issued to *.server.com”.

I have multiple virtualhosts in nginx with their own configuration and server blocks.

Basically like this:

# Redirect to HTTPS
server {
    # Certbot inserted this conditional redirect; the unconditional
    # return at the end of the block makes it redundant, but harmless.
    if ($host = foo.bar.server.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;

    server_name foo.bar.server.com;
    return 301 https://foo.bar.server.com$request_uri;
}

server {
    # "ssl" on the listen line replaces the old "ssl on;" directive,
    # which is deprecated since nginx 1.15.0 and removed in 1.25.1.
    listen 443 ssl http2;

    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    # This vhost's own certificate. Every server block can point at a
    # different file; nginx picks the block (and so the cert) by SNI.
    ssl_certificate /etc/letsencrypt/live/server.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/server.com/privkey.pem; # managed by Certbot

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); "TLSv1.2 TLSv1.3" is the usual list today.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Change to corresponding location
    root /home/http/foo.bar.server.com/public;

    # Change virtual host if needed
    server_name foo.bar.server.com;
...
}

What part am I not understanding?

Do I need ONE certificate on the entire server containing EVERY single domain hosted by it?


I see in your nginx configuration that you're using a subdomain two levels deep: foo.bar.server.com. Unfortunately, the wildcard in a wildcard certificate is only valid for one level.

I.e., if you have a cert for *.example.com, that cert is only valid for bar.example.com, not for foo.bar.example.com! If you want a (wildcard) cert valid for foo.bar.example.com too, you'd need a cert containing (among others, possibly) *.bar.example.com. Note that you aren't allowed to use two wildcards in a wildcard certificate. I.e., *.*.example.com isn't allowed.

These aren't Let's Encrypt rules, but the rules every CA has to adhere to: the CA/Browser Forum Baseline Requirements.

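The one-label rule described in the answer above, as an added example that is not part of the thread and not Let's Encrypt's or nginx's code: a small Python checker that applies the RFC 6125 / Baseline Requirements wildcard matching rule to a hostname and a list of dNSName SANs, then audits a set of nginx server_names against the certificate each server block points at. The SAN lists for the "original" and "extended" server.com certificates mirror the thread; the other.example vhost and all function names are constructed for the example, and the "at least two labels after the wildcard" check is a simplification of the Baseline Requirements rule that a wildcard must not sit directly under a public suffix.

```python
"""Check which hostnames a certificate's SAN list covers, using the
one-label wildcard rule from RFC 6125 and the CA/Browser Forum Baseline
Requirements. Example code, not part of the original thread."""

from typing import Dict, Iterable, List


def is_valid_san(san: str) -> bool:
    """A dNSName SAN is either a plain FQDN or a wildcard whose '*' is the
    entire leftmost label. '*.*.example.com', 'f*.example.com' and a bare
    '*.com' are rejected; the last as a simplification of the rule that the
    wildcard must not sit directly under a public suffix."""
    san = san.lower().rstrip(".")
    if not san or san.count("*") > 1:
        return False
    labels = san.split(".")
    if any(label == "" for label in labels):
        return False
    if "*" in san:
        return labels[0] == "*" and len(labels) >= 3
    return True


def san_matches(hostname: str, san: str) -> bool:
    """Does one dNSName SAN cover hostname? A wildcard stands in for exactly
    one label, so '*.example.com' covers 'bar.example.com' but neither
    'foo.bar.example.com' nor 'example.com' itself."""
    if not is_valid_san(san):
        return False
    hostname = hostname.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if not san.startswith("*."):
        return hostname == san
    host_labels = hostname.split(".")
    san_labels = san.split(".")
    # Same number of labels, and everything right of the wildcard identical.
    return len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]


def covered(hostname: str, sans: Iterable[str]) -> bool:
    """True if any SAN in the certificate covers hostname."""
    return any(san_matches(hostname, s) for s in sans)


def audit(server_blocks: Dict[str, List[str]]) -> Dict[str, bool]:
    """Map each nginx server_name to whether the certificate its server block
    points at covers it. server_blocks: server_name -> SAN list of that cert."""
    return {name: covered(name, sans) for name, sans in server_blocks.items()}


# Constructed data mirroring the thread: the original certificate for
# server.com plus *.server.com, and the one extended with *.bar.server.com.
ORIGINAL_CERT_SANS = ["server.com", "*.server.com"]
EXTENDED_CERT_SANS = ["server.com", "*.server.com", "*.bar.server.com"]

# Each vhost can point at its own certificate; a second domain on the same
# host gets its own cert rather than being added to the server.com one.
SERVER_BLOCKS_BEFORE = {
    "server.com": ORIGINAL_CERT_SANS,
    "bar.server.com": ORIGINAL_CERT_SANS,
    "foo.bar.server.com": ORIGINAL_CERT_SANS,  # the failing case from the thread
    "other.example": ["other.example", "www.other.example"],  # hypothetical vhost
}
SERVER_BLOCKS_AFTER = dict(SERVER_BLOCKS_BEFORE, **{"foo.bar.server.com": EXTENDED_CERT_SANS})

if __name__ == "__main__":
    for label, blocks in (("before", SERVER_BLOCKS_BEFORE), ("after", SERVER_BLOCKS_AFTER)):
        print(label)
        for name, ok in audit(blocks).items():
            print(f"  {name:22} {'covered' if ok else 'NOT covered'}")
```

Running it shows foo.bar.server.com as not covered by the *.server.com certificate and covered once *.bar.server.com is added, while other.example is covered by its own separate certificate. That is the answer to the "one certificate for every domain" question: nginx selects the server block, and with it the ssl_certificate, from the SNI name the client sends, so each vhost can carry its own certificate. To see what a deployed certificate actually contains, `openssl s_client -connect host:443 -servername host </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName` prints the SAN list the browser compares against.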

Thank you. I extended the certificate to *.bar.server.com and it works.

