Nginx, multiple domains, multiple certificates / wildcard certificate

Can someone point me to a guide for nginx to serve multiple domains and multiple certificates?

I can only find guides that tells you how to serve one domain.

In particular I issued a wildcard certificate *.server.com server.com but the browser says it is insecure. The cert in browser says “issued to *.server.com”

I have multiple virtualhosts in nginx with their own configuration and server blocks.

Basically like this:

# Redirect to HTTPS
server {
    if ($host = foo.bar.server.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;

    server_name foo.bar.server.com;
    return 301 https://foo.bar.server.com$request_uri;
}

server {
    listen 443 ssl http2;

    ssl on;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_certificate /etc/letsencrypt/live/server.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/server.com/privkey.pem; # managed by Certbot

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Change to corresponding location
    root /home/http/foo.bar.server.com/public;

    # Change virtual host if needed
    server_name foo.bar.server.com;
...
}

What part am I not understanding?

Do I need ONE certificate on the entire server containing EVERY single domain hosted by it?

1 Like

I see in your nginx configuration you’re using a subdomain two levels deep: foo.bar.server.com. Unfortunately, the wildcard in a wildcard certificate is only valid for one level.

I.e., if you have a cert for *.example.com that cert is only valid for bar.example.com, not foo.bar.example.com! If you want a (wildcard) cert valid for foo.bar.example.com too, you’d need a cert containing (among others possibly) *.bar.example.com. Note that you aren’t allowed to use two wildcards in a wildcard certificate. I.e., *.*.example.com isn’t allowed.

This aren’t Let’s Encrypt rules, but the rules every CA has to adhere to, the CA/Browser Forum Baseline Requirements.

1 Like

Thank you. I extended the certificate to *.bar.server.com and it works.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.