I have everything up and running, but this is the situation.
I'm managing two subdomains under DigitalOcean / NGINX (and no domain; the domain is not in my hands).
I typed:
/usr/local/bin/certbot-auto --nginx
It asked me which domains to manage; I replied both.
Now I have this situation:
1 certificate
both subdomains use the same cert (see nginx extract at the end)
PROBLEM
If I open
https://subdomain-ONE.domain.com on Google Chrome
I stay on subdomain-ONE.domain.com - CORRECT
If I open
https://subdomain-TWO.domain.com on Google Chrome
I'm redirected to subdomain-ONE.domain.com - WRONG
The same happens with http://
If I use Google Chrome in incognito, no problem happens.
THOUGHTS
I thought it could be the shared cert, which is named exactly after the first subdomain, that produces this mess.
QUESTIONS
May I run certbot-auto again, asking to manage only the second domain?
How? Do I use the guided step-by-step interface, just as the first time I used it? (I can modify the nginx conf to make it look like subdomain-TWO is still using http.)
certbot-auto renew
Will it still work as well? Does it scan the "live" folder to know what to renew?
Thank you to anyone who can enlighten me.
Thank you very much,
NGINX EXTRACT
server {
    charset utf-8;
    server_name subdomain-ONE.domain.com;
    # listen 80;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/subdomain-ONE.domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/subdomain-ONE.domain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    charset utf-8;
    server_name subdomain-TWO.domain.com;
    # listen 80;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/subdomain-ONE.domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/subdomain-ONE.domain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
9peppe
April 3, 2020, 9:19pm
2
You need to tell us the actual subdomains, so we can see how your server responds, and we also need to see the rest of your nginx config.
Thanks.
At the moment I'm keeping 80 AND 443.
Posting 2 files.
NGINX MAIN CONF
user nginx;
worker_processes auto;
# error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    # access_log /var/log/nginx/access.log main;
    access_log /dev/stdout;
    error_log /dev/stdout info;
    sendfile on;
    client_body_in_file_only clean;
    client_body_buffer_size 32K;
    client_max_body_size 500M;
    send_timeout 600s;
    proxy_connect_timeout 3000s;
    proxy_read_timeout 3000s;
    #tcp_nopush on;
    keepalive_timeout 65;
    gzip on;
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

stream {
    include /etc/nginx/streams/*;
}
NGINX /etc/nginx/sites-enabled/pngpsites
# # # # # # # # # Chlorophyll
server {
    listen 80;
    charset utf-8;
    server_name chlorophyll.pngp.it;
    location / {
        access_log off;
        proxy_pass http://chlorophyll_nginx_1:3000;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/chlorophyll.pngp.it/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/chlorophyll.pngp.it/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# # # # # # # # # PNGPTracker
server {
    listen 80;
    charset utf-8;
    server_name tracker.pngp.it;
    location / {
        access_log off;
        proxy_pass http://pngptracker_nginx_1:3000;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/chlorophyll.pngp.it/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/chlorophyll.pngp.it/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# # # # # # # # # Main NGINX
server {
    listen 80 default_server;
    charset utf-8;
    sendfile off;
    server_name "";
    location / {
        add_header Content-Type text/plain;
        return 200 'not here';
    }
}
9peppe
April 3, 2020, 9:31pm
4
Please edit your post using ```pre before and ``` after your config file (put a newline before and after).
9peppe
April 3, 2020, 9:36pm
5
Your domains have one problem. They redirect https to http. I haven’t noticed the cross-redirects you say there are.
BTW, what do you think about:
THOUGHTS
I thought can be the shared cert, that is named exactly after the first subdomain, to produce this mess.
QUESTIONS
May I run certbot-auto again, asking to manage only the second domain?
How? I use the guided stepped interface, just as first time I used it? (I can modify nginx conf to look like subdomain-TWO is still using http)
certbot-auto renew
9peppe
April 3, 2020, 9:43pm
8
This redirect:
% curl -IL https://chlorophyll.pngp.it
HTTP/1.1 302 FOUND
Server: nginx/1.11.9
Date: Fri, 03 Apr 2020 21:39:39 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Cookie
Location: http://chlorophyll.pngp.it/accounts/login

HTTP/1.1 301 MOVED PERMANENTLY
Server: nginx/1.11.9
Date: Fri, 03 Apr 2020 21:39:39 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Location: http://chlorophyll.pngp.it/accounts/login/

HTTP/1.1 200 OK
Server: nginx/1.11.9
Date: Fri, 03 Apr 2020 21:39:39 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Cookie
Set-Cookie: csrftoken=Owp3e2xe8sovBv4amFT9gVAc6G5TYw7z; expires=Fri, 02-Apr-2021 21:39:39 GMT; Max-Age=31449600; Path=/
I think you should separate your server blocks for port 80 and 443, like this (for each subdomain):
server {
    listen 80;
    listen [::]:80;
    server_name one.example.com;
    # let certbot put a redirect here with "certbot enhance --redirect"
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name one.example.com;
    location / {
        # what you need, copy from current config
    }
    # certbot stuff here, copy from your current config
}
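A complete pair of server blocks in the shape sketched above, as an added example that is not part of any post in this thread. It assumes the names one.example.com for the subdomain, one_app_1:3000 for the container behind it, and a certificate issued for one.example.com under /etc/letsencrypt/live/ (all placeholders). The port-80 block carries only the redirect that certbot's redirect enhancement writes, and the port-443 block sets X-Forwarded-Proto from nginx's own $scheme, so the application can tell it was reached over HTTPS and a client cannot inject its own value for that header:

```nginx
# one.example.com over plain HTTP: nothing is served here, only a redirect.
server {
    listen 80;
    listen [::]:80;
    server_name one.example.com;

    # Same effect as the redirect "certbot enhance --redirect" would add.
    return 301 https://$host$request_uri;
}

# one.example.com over HTTPS: the only place the application is exposed.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name one.example.com;
    charset utf-8;

    # Assumed paths: a certificate issued for this one subdomain.
    ssl_certificate     /etc/letsencrypt/live/one.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/one.example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        access_log off;
        # Assumed upstream: the application's container on the Docker network.
        proxy_pass http://one_app_1:3000;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host  $server_name;
        # Always overwritten from nginx's own view of the connection, never
        # copied from the client request, so it can be trusted by the app.
        proxy_set_header X-Forwarded-Proto $scheme;

        # proxy_redirect is left at its default ("default"), which rewrites
        # Location headers that point at the upstream address; an application
        # that builds absolute URLs with the public hostname still needs
        # X-Forwarded-Proto to choose https:// itself.
    }
}
```

With this layout the application is only reachable through the TLS listener, and its redirects will carry https:// only once it honours X-Forwarded-Proto (for Django, via SECURE_PROXY_SSL_HEADER).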
9peppe
April 3, 2020, 9:44pm
9
No, that's not the problem.
You can, but it won't be useful.
I'm making the changes and naming the file after your nickname…
Trying and reporting here.
I checked.
This is the application's redirect.
It simply redirects from the plain domain name to the login address… but over HTTP…
I'll dig more.
Thanks for the curl tip.
Can you tell me how to split the cert, by the way?
To have one cert for each subdomain?
I mean the right way to proceed now that I have something working.
9peppe
April 3, 2020, 10:07pm
14
You should not put the location block on port 80, unless you want that website to be served unencrypted too.
Did you activate this config? Because I see no difference at all in responses from your server.
Maybe it's the apps inside the docker containers redirecting to http. (Try adding proxy_set_header X-Forwarded-Proto $scheme;)
9peppe
April 3, 2020, 10:08pm
15
You need to run certbot once per domain. But it won't help you with this issue.
proxy_redirect off;
proxy_set_header X-Forwarded-Proto $scheme;
That was it, 9peppe, for sure!
Yes, I want to keep both going until I'm ok with it
(need to test other applications that have to interact).
9peppe
April 3, 2020, 10:13pm
17
Before putting proxy_redirect off you might want to read what it does (you probably want it on).
https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect
Hi, sorry to have interrupted our "forum/chat"…
My baby was crying…
Thanks for pointing out proxy_redirect off;
in my case, because of how the app behind it is made,
it should be the same however I switch it (btw it was off and working).
Later I'll give separating the certs a try.
Now I know that it is totally unrelated to my problem (thanks to you).
In case I need to separate the subdomains onto different machines, I prefer to already have different certs.
9peppe
April 4, 2020, 9:24am
19
Certificates expire in 90 days; you can generate them on demand. There's probably no need to do that now.
You were right.
It was a redirect in the software.
The software produced HTTP redirects against my will.
SECURE_PROXY_SSL_HEADER
https://docs.djangoproject.com/en/dev/ref/settings/#secure-proxy-ssl-header
was the solution for that.
A BIG THANKS
for your help and time.
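A small check to confirm a fix like the one described, as an added example that is not part of any post in this thread. It automates what the `curl -IL` output earlier in the thread showed by eye: capture the redirect chain of the HTTPS entry point and flag any hop whose Location header falls back to plain http://. The two header captures embedded below are constructed for the example (modelled on the headers quoted above, with the placeholder host one.example.com); against a real host you would feed it the output of `curl -sIL https://one.example.com`:

```sh
#!/bin/sh
# Added check: does a redirect chain captured with `curl -sIL https://host`
# ever send the browser back to plain HTTP?

# Print every Location target in the capture that starts with http://.
# Header name is matched case-insensitively; CRLF endings are stripped.
find_http_downgrades() {
    grep -i '^Location: *http://' "$1" | tr -d '\r' | sed 's/^[^:]*: *//'
}

# Exit 0 when the whole chain stays on https://, 1 when any hop downgrades.
chain_is_clean() {
    [ -z "$(find_http_downgrades "$1")" ]
}

# Constructed sample 1: the broken chain from the thread (app redirects to http://).
SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
HTTP/1.1 302 FOUND
Server: nginx/1.11.9
Vary: Cookie
Location: http://one.example.com/accounts/login
HTTP/1.1 301 MOVED PERMANENTLY
Server: nginx/1.11.9
Location: http://one.example.com/accounts/login/
HTTP/1.1 200 OK
Server: nginx/1.11.9
EOF

# Constructed sample 2: what the chain looks like once the app honours
# X-Forwarded-Proto and nginx redirects port 80 to https://.
SAMPLE_GOOD=$(mktemp)
cat > "$SAMPLE_GOOD" <<'EOF'
HTTP/1.1 301 Moved Permanently
Server: nginx/1.11.9
Location: https://one.example.com/
HTTP/1.1 302 FOUND
Server: nginx/1.11.9
Location: https://one.example.com/accounts/login/
HTTP/1.1 200 OK
Server: nginx/1.11.9
EOF
trap 'rm -f "$SAMPLE_BAD" "$SAMPLE_GOOD"' EXIT

# Report both samples; a real run would replace the file with curl's output:
#   curl -sIL https://one.example.com > chain.txt && chain_is_clean chain.txt
for f in "$SAMPLE_BAD" "$SAMPLE_GOOD"; do
    if chain_is_clean "$f"; then
        echo "clean: chain stays on https://"
    else
        echo "DOWNGRADE: $(find_http_downgrades "$f" | tr '\n' ' ')"
    fi
done
```

Run it right after changing the proxy headers or the Django setting; an empty result from find_http_downgrades on the live chain means no hop is handing the session back to port 80. It only inspects Location headers, so a page that embeds http:// links in its HTML would still need a separate look.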
system
Closed
May 4, 2020, 11:07pm
21
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.