I have an NGINX server where I am trying to add SSL using Let's Encrypt.
My development settings are as follows:
    url: dev.domain.in
    root: /var/www/dev/html
The Production is as follows:
    url: domain.in
    root: /var/www/production/html
So in my nginx default page I have two server blocks, one for development and another for production.
I want to give one certificate for both the servers.
I know according to the Let's Encrypt website the command is as follows:
    cd /opt/letsencrypt
    ./letsencrypt-auto certonly -a webroot --webroot-path=/usr/share/nginx/html -d example.com -d www.example.com
But this can be done only if the subdomain has the same webroot, which is not true in my case.
So how can I add the cert for both here?
Please help me out.
Yes, that's perfectly possible. Let's Encrypt doesn't make any difference between a subdomain or not (www. ~ is a subdomain too).
SSL certificates can be of many types including single domain SSL, multi domain SSL, wildcard SSL, etc. SSL certificates can secure main domains, subdomains, and multi-level domains.
Do You Need SSL For Subdomain. If you are asking whether you need SSL for a subdomain, the answer is yes. An SSL certificate authenticates your identity and establishes a secure communication channel between the client and the website.
I use a common webroot across all of my virtual hosts on my nginx box.
    /opt/certbot/certbot-auto certonly --webroot --agree-tos -w /srv/www/letsencrypt/ \
        -d example.com,www.example.com
... and in nginx I have snippets/letsencrypt.conf:
    location ~ /.well-known {
        root /srv/www/letsencrypt;
        allow all;
    }
... which gets included in my server block for each site.
The files in the .well-known directory are temporary - they only exist for long enough for the authorisation process to complete and are then removed.
Once registration is successful, I then include the certificate definition in the server block via include ssl/example.com.conf; where that file contains the following:
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
... along with the relevant listen directives to enable SSL on port 443.
You can include the same definition in multiple server blocks.
I have additional subdomains as SANs in my certificate as well and I have separate server blocks for example.com, www.example.com and also other subdomains like click.example.com - all using the same certificate.
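Applied to the two hosts in the question, the shared challenge directory and shared certificate described above could look like this. This is an added example, not configuration from any of the posts; it assumes domain.in is the first name on the certificate (so certbot stores it under live/domain.in) and reuses /srv/www/letsencrypt as the challenge directory.

```nginx
# Added example, not from the original posts.
# Assumption: the certificate is issued once for both names (run as root):
#   certbot certonly --webroot -w /srv/www/letsencrypt -d domain.in -d dev.domain.in
# Load only the port-80 block until issuance succeeds; nginx refuses to
# start if the ssl_certificate files referenced below do not exist yet.

# Port 80: answer ACME HTTP-01 challenges for both names, redirect the rest.
server {
    listen 80;
    server_name domain.in dev.domain.in;

    # Only the challenge path is served from the shared directory, so
    # neither site's real document root has to be writable by certbot.
    location ^~ /.well-known/acme-challenge/ {
        root /srv/www/letsencrypt;
        default_type text/plain;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Production site
server {
    listen 443 ssl;
    server_name domain.in;
    root /var/www/production/html;

    ssl_certificate     /etc/letsencrypt/live/domain.in/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.in/privkey.pem;
}

# Development site: different root, same certificate (dev.domain.in is a SAN).
server {
    listen 443 ssl;
    server_name dev.domain.in;
    root /var/www/dev/html;

    ssl_certificate     /etc/letsencrypt/live/domain.in/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.in/privkey.pem;
}
```

Because both names share one private key, anyone with access to the development host's key file can also impersonate production; separate certificates avoid that if the two environments have different trust levels.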
Let's Encrypt webroot method uses a file on your webroot directory named ".well-known/acme-challenge". You can configure a location snippet on your dev and main server to point to another webroot just for this file.
Something like:
    location /.well-known/acme-challenge {
        alias /etc/letsencrypt/webrootauth/.well-known/acme-challenge;
        location ~ /.well-known/acme-challenge/(.*) {
            add_header Content-Type application/jose+json;
        }
    }
And point your webroot as --webroot-path /etc/letsencrypt/webrootauth
This discussion can help
Or you can use standalone method and do some work by hand.