Nginx: setup ssl for only one sub domain, skip wildcard and others


I’m using nginx as a reverse proxy for multiple node.js services.

I have a landing page @ naked and www
I have a few other services running using predefined sub-domains
Everything else (wildcard) is handled by a web app (multi-tenant app…)

I would like to add ssl support for my landing page only.

I have separated my landing page to a different virtual host.

How do I take it from here?
Should I install python-certbot-nginx or another version?
How can I set it up without disrupting my current config?

I’m worried that running the default sudo certbot --nginx would modify my config in such a way that it wouldn’t work anymore.

There is a distinction between authenticator and installer. You may authenticate with the nginx-plugin but without certbot modifying any configuration at all.

Maybe the webroot-plugin suits your needs, too:

@bytecamp Thanks for the tip

Even after reading the documentation, it’s unclear to me what certbot --nginx actually does
How can I run certbot --nginx to target only one virtual host and @ and www?

As for the webroot case I have the current config:

server {
    listen 80;

    # Everything is proxied to the Node.js service
    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

How can I introduce the /.well-known so that it doesn’t 404?

Just define a location-block which matches /.well-known/acme-challenge/ and point this to a real directory (root /path/to/directory).

There are plenty of examples here, just search for it (I don’t use nginx).

In /path/to/directory you should then create the directories .well-known/acme-challenge.
certbot would then be invoked with --webroot -w /path/to/directory -d domain,www.domain

Ok I’ve managed to make it work :slight_smile:

Here’s how I configured my nginx

	server {
	    listen 80;

	    # Allow access to the letsencrypt ACME Challenge
	    location ~ /\.well-known {
	        allow all;
	    }

	    location / {
	        proxy_pass http://localhost:3000;
	        # etc...
	    }
	}

and the command I ran was

sudo certbot certonly --webroot -w /usr/share/nginx/html/ -d -d

Notice that the default root in my case was /usr/share/nginx/html

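The setup discussed in this thread, written out as an added example that is not from any of the posters: a landing-page virtual host that serves the webroot challenge from a narrowly matched location, plus the HTTPS block to enable once the certificate exists. Assumptions: `example.com` / `www.example.com` are placeholder names, `/var/www/letsencrypt` is a hypothetical dedicated webroot, and the certificate paths are certbot's default output location.

```nginx
# Landing page only: example.com / www.example.com are placeholder names.
# Exact server_name matches win over wildcard names, so the tenant app's
# catch-all server block and the other sub-domain blocks stay untouched.
server {
    listen 80;
    server_name example.com www.example.com;

    # Serve HTTP-01 challenge files from disk instead of proxying them.
    # "^~" is a prefix match limited to the challenge directory, so no
    # other path under the webroot is reachable through this block.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;  # assumed webroot; same path as certbot -w
        default_type text/plain;
        try_files $uri =404;
    }

    # Unchanged proxy for everything else. Once the 443 block is live this
    # body can become: return 301 https://$host$request_uri;
    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

# Enable only after this has succeeded, because nginx will not load a
# config whose certificate files are missing:
#   certbot certonly --webroot -w /var/www/letsencrypt \
#       -d example.com -d www.example.com
server {
    listen 443 ssl;
    server_name example.com www.example.com;

    # certbot's default output location for the first -d name
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
```

Run `sudo nginx -t` before each reload so a typo in this virtual host cannot take the other services down with it.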