Nginx: setup ssl for only one sub domain, skip wildcard and others

fsf86 · November 28, 2017, 2:28pm

Hello,

I’m using nginx as a reverse proxy for multiple node.js services.

I have a landing page @ naked and www
I have a few other services running using predefined sub-domains
Everything else (wildcard) is handled by a web app (multi-tenant app…)

I would like to add ssl support for my landing page only.

I have separated my landing page to a different virtual host.

How do I take it from here?
Should I install python-certbot-nginx or another version?
How can I setup without disrupting my current config?

I’m worried that running the default sudo certbot --nginx would modify my config in such a way that it wouldn’t work anymore.

bytecamp · November 28, 2017, 2:33pm

There is a distinction between authenticator and installer. You may authenticate with the nginx-plugin but without certbot modifying any configuration at all.

Maybe the webroot-plugin suits your needs, too:
https://certbot.eff.org/docs/using.html#webroot

fsf86 · November 28, 2017, 2:56pm

@bytecamp Thanks for the tip

Even after reading the documentation, it’s unclear to me what certbot --nginx actually does
How can I run certbot --nginx to target only one virtual host and @ and www ?

fsf86 · November 28, 2017, 2:57pm

As for the webroot case I have the current config:

server {
    listen 80;

    server_name www.example.com example.com;
    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

How can I introduce the /.well-known so that it doesn’t 404?

bytecamp · November 28, 2017, 2:59pm

Just define a location-block which matches /.well-known/acme-challenge/ and point this to a real directory (root /path/to/directory).

There a plenty examples here, just search for it (I don’t use nginx).

In /path/to/directory you should then create the directories .well-known/acme-challenge.
certbot would then be invoked with --webroot -w /path/to/directory -d domain,www.domain

fsf86 · November 28, 2017, 3:37pm

Ok I’ve managed to make it work

Here’s how I configured my nginx

	server {
	    listen 80;
	
	    server_name www.example.com example.com;
			# Allow access to the letsencrypt ACME Challenge
			location ~ /\.well-known {
				allow all;
			}
	
	    location / {
	        proxy_pass http://localhost:3000;
	        # etc...
	    }
	}

and the command I ran was

sudo certbot certonly --webroot -w /usr/share/nginx/html/ -d www.example.com -d example.com

Notice that the default root in my case was /usr/share/nginx/html

system · December 28, 2017, 3:37pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.