Wildcard cert serves base domain and all subdomains with same files


#1

I’m using Certbot wildcard cert for my base and subdomains.

After setup the certificate is valid for all of them. But when I access the base domain and the subdomains, I realise that all of them now serve the same files, which belong to the base domain. So the base domain and all subdomains have the same content.

I’m using Nginx. I already declare clearly which files to serve for each domain with the ‘root’ directive.

Before this, I was using separate certificates for each domain and it was working fine; then I moved to the wildcard cert.

You can see the detail below.

Is there anyone who can help me? Thank you so much!


#2

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Also, what is the contents of the relevant nginx configuration files? Please post them in total.


#3

sorry for the lack of information:

my base domain is: https://jamesisme.com/

my subdomain is: https://webrtc.jamesisme.com/ (you can see it has the same content as the base domain, but it has to be different)

the command when installing the wildcard cert: sudo certbot --server https://acme-v02.api.letsencrypt.org/directory -d *.jamesisme.com -d jamesisme.com --manual --preferred-challenges dns-01 certonly --agree-tos

my server: Ubuntu 16.04

I’m hosting it on Azure

certbot version: 0.31.0

domain manager using: Godaddy

My Nginx config file for the base domain:

server {
  root /var/www/html;

  index index.html index.htm index.nginx-debian.html;

  server_name *.jamesisme.com;

  location / {
    try_files $uri $uri/ =404;
  }

  listen [::]:443 ssl ipv6only=on; # managed by Certbot
  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/jamesisme.com/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/jamesisme.com/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
  listen 80;
  listen [::]:80;

  server_name *.jamesisme.com;
  return 301 https://$host$request_uri;
}

the config for the subdomain is almost the same; I change ONLY the root to serve other content, like this:

root /var/www/html/node_react_webrtc;

#4

I see you’ve manually installed the certificate. Was the above block the same before you installed the certificate? It probably wasn’t, because now it’s just the redirect :stuck_out_tongue: What exactly did you modify to install the certificate? What was the HTTP server block before you installed the certificate? Did it also contain the wild card server_name? Or just server_name jamesisme.com? Also, what is the contents of the configuration file for the subdomain(s)?


#5

Hi @maitrungduc1410

I see only the nginx standard page. In both cases - main domain and subdomain.


#7

Hi @JuergenAuer
yes, that is the problem I want to tell you about. I don’t know why; I already declare very clearly which folder to serve files from for the base domain and for the subdomain. Their contents are totally different.

But when the server is up, they serve the same content (and the content you see belongs to the base domain; I have no idea why the subdomain serves the same).


#8

What does nginx -T say?

#9

Hi @Osiris,

The only thing different between those 2 domains is the line

root /var/www/html/node_react_webrtc; # this is for the subdomain

#10

Hi @JuergenAuer

Ohhhh, I noticed it said this:

Do you have any idea?


#11

You have defined a lot of different vHosts with the same server name. So nginx doesn’t know which is used.

That’s the problem.

If you have a wildcard server name, that conflicts with a subdomain-server name.


#12

You didn’t answer all my questions.


#13

Hi @Osiris,

when I create any domain I use a server block file, which is a copy of this, then change the root and server_name.

The block you mentioned is just for redirecting http to https. Nothing else. I tried deleting them and nothing changed.


#14

Dear @JuergenAuer,

can you explain to me more about what a wildcard server name is…

Thank you


#15

According to the server_name documentation, it should not matter if there is a wildcard server_name besides an exact server_name entry. The latter should be used.

@maitrungduc1410 Please post all the relevant nginx configuration files, as requested earlier. We’re pretty much guessing until you do so.


#16

Hi @Osiris,
Here is the full nginx configuration for those 2 domains:
jamesisme.com

server {
  root /var/www/html;

  index index.html index.htm index.nginx-debian.html;

  server_name *.jamesisme.com;

  location / {
    try_files $uri $uri/ =404;
  }

  listen [::]:443 ssl ipv6only=on; # managed by Certbot
  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/jamesisme.com/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/jamesisme.com/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
  listen 80;
  listen [::]:80;

  server_name *.jamesisme.com;
  return 301 https://$host$request_uri;
}

And webrtc.jamesisme.com:

server {
  root /var/www/html/node_react_webrtc;

  server_name *.jamesisme.com;

  more_clear_headers Server; # from nginx-extras, to disable server info in response to client
  server_tokens off; # from nginx-extras, to disable server info in response to client

  location / {
    proxy_pass http://localhost:3000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
  }

  listen [::]:443 ssl; # managed by Certbot
  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/jamesisme.com/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/jamesisme.com/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
  listen 80;
  listen [::]:80;

  server_name *.jamesisme.com;
  return 301 https://$host$request_uri;
}

Oops, sorry, one more little difference is the location (this is for a Node.js app).


#17

That’s the same server_name as the server block before?!? So you have two (actually four, but let’s say two) server blocks with different roots but the same server_name directives and expect your nginx to magically know which one to use?


#19

Thanks @Osiris and @JuergenAuer, You guys just helped me realise so much.

I just changed the server_name to match exactly the domain I use, instead of using the same wildcard for both. I had looked at a tutorial on Medium and configured it like them :slight_smile:
for example:
for the domain webrtc.jamesisme.com:
changed from server_name *.jamesisme.com to server_name webrtc.jamesisme.com

It works now.

Thank you!


#20

Happy to read that.

nginx -T

shouldn’t show warnings.
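As an added example (not code from the thread), here is a small shell check that reads an nginx config dump such as the output of nginx -T and flags the situation this thread ran into: several server blocks claiming the same server_name on the same port, which nginx itself only warns about. The parser is a simplified one written for this illustration, and both sample configs below are constructed to mirror the broken and the fixed setup.

```shell
#!/bin/sh
# Added example, not from the thread: scan an nginx config dump (what `nginx -T`
# prints) for the mistake discussed above: several server blocks claiming the same
# server_name on the same port. nginx only warns and then uses the first block.
# find_conflicts: read config on stdin, print "port name count" for each (listen
# port, server_name) pair declared by more than one server block. Simplified
# parser: assumes one directive per line, as nginx -T prints them.
find_conflicts() {
  awk '
    { sub("#.*", "") }                              # drop comments
    /^[[:space:]]*server[[:space:]]*[{]/ {          # a server block starts
      inblk = 1; depth = 1; split("", ports); split("", names); next
    }
    inblk && /^[[:space:]]*listen[[:space:]]/ {
      sub(";.*", ""); p = $2; sub(".*:", "", p)     # "[::]:443" -> "443"
      ports[p] = 1
    }
    inblk && /^[[:space:]]*server_name[[:space:]]/ {
      sub(";.*", ""); for (i = 2; i <= NF; i++) names[$i] = 1
    }
    inblk {
      depth += gsub("[{]", "{") - gsub("[}]", "}")  # nested location {} etc.
      if (depth == 0) { for (p in ports) for (n in names) seen[p " " n]++; inblk = 0 }
    }
    END { for (k in seen) if (seen[k] > 1) print k, seen[k] }
  ' | sort
}
# Constructed sample mirroring the thread: both HTTPS vhosts claim *.jamesisme.com.
BROKEN_CONF='server {
  listen 443 ssl;
  listen [::]:443 ssl ipv6only=on;
  server_name *.jamesisme.com;
}
server {
  listen 443 ssl;
  server_name *.jamesisme.com;
  location / { proxy_pass http://localhost:3000; }
}'
# The fix from post #19: an exact server_name per vhost; the wildcard cert covers both.
FIXED_CONF='server {
  listen 443 ssl;
  server_name jamesisme.com;
}
server {
  listen 443 ssl;
  server_name webrtc.jamesisme.com;
}'
printf '%s\n' "$BROKEN_CONF" | find_conflicts   # prints: 443 *.jamesisme.com 2
printf '%s\n' "$FIXED_CONF" | find_conflicts    # prints nothing
# On a live host: nginx -T 2>/dev/null | find_conflicts
```

The IPv4 and IPv6 listen lines of one block count as a single port, so a normal dual-stack vhost is not reported; only genuinely duplicated (port, name) pairs across blocks are.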

