How to add certificate for sub-domain using Lets Encrypt

I have an NGINX server where I am trying to add SSL using Let's Encrypt.

My development settings are as follows:

url : dev.domain.in
root: /var/www/dev/html

The Production is as follows:

url : domain.in
root: /var/www/production/html

So in my nginx default page I have two server blocks, one for development and another for production.

I want to give one certificate for both the servers.

I know that according to the Let's Encrypt website the command is as follows:

cd /opt/letsencrypt
./letsencrypt-auto certonly -a webroot --webroot-path=/usr/share/nginx/html -d example.com -d www.example.com

But this can be done only if the SUBDOMAIN has the same webroot, which is not true in my case.

So how can I add the CERT for both here?

Please help me out

Vikram Anand Bhushan asked Apr 17 '16 09:04



2 Answers

I use a common webroot across all of my virtual hosts on my nginx box.

/opt/certbot/certbot-auto certonly --webroot --agree-tos -w /srv/www/letsencrypt/ \
-d example.com,www.example.com

... and in nginx I have snippets/letsencrypt.conf:

location ~ /.well-known {
    root /srv/www/letsencrypt;
    allow all;
}

... which gets included in my server block for each site.

The files in the .well-known directory are temporary - they only exist for long enough for the authorisation process to complete and are then removed.

Once registration is successful, I then include the certificate definition in the server block via include ssl/example.com.conf; where that file contains the following:

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

... along with the relevant listen directives to enable SSL on port 443.

You can include the same definition in multiple server blocks.

I have additional subdomains as SANs in my certificate as well and I have separate server blocks for example.com, www.example.com and also other subdomains like click.example.com - all using the same certificate.

Simon Hampel answered Sep 25 '22 01:09
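Putting the approach from this answer together for the two hosts in the question, as an added example that is not code from either answer: one shared challenge root serves `/.well-known/acme-challenge/` for both names, while each site keeps its own document root and both reuse the same SAN certificate. It assumes `/srv/www/letsencrypt` as the shared challenge root (the path used above) and a `ssl/domain.in.conf` snippet named after the first `-d` domain, which is the lineage name certbot uses by default.

```nginx
# --- snippets/letsencrypt.conf (included in every server block) ---
# "^~" makes this prefix win over any regex locations in the site, so the
# challenge is never caught by a PHP or rewrite rule of the application.
location ^~ /.well-known/acme-challenge/ {
    root /srv/www/letsencrypt;   # shared challenge root, independent of the site root
    default_type "text/plain";   # tokens are plain text files written by certbot
}

# --- ssl/domain.in.conf (included in every TLS server block) ---
# Lineage name follows the first -d argument given to certbot.
ssl_certificate     /etc/letsencrypt/live/domain.in/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.in/privkey.pem;

# --- sites-available/domain.in ---
# Plain HTTP for both names: answer the challenge, redirect everything else.
server {
    listen 80;
    server_name domain.in dev.domain.in;
    include snippets/letsencrypt.conf;
    location / {
        return 301 https://$host$request_uri;
    }
}

# Production keeps its own root but the shared certificate.
server {
    listen 443 ssl;
    server_name domain.in;
    root /var/www/production/html;
    include ssl/domain.in.conf;
    include snippets/letsencrypt.conf;   # renewals still work over HTTPS
}

# Development keeps a different root, same certificate.
server {
    listen 443 ssl;
    server_name dev.domain.in;
    root /var/www/dev/html;
    include ssl/domain.in.conf;
    include snippets/letsencrypt.conf;
}

# Issue one certificate covering both names against the shared root:
#   certbot certonly --webroot -w /srv/www/letsencrypt -d domain.in -d dev.domain.in
```

Before the first issuance, drop a test file under `/srv/www/letsencrypt/.well-known/acme-challenge/` and fetch it over plain HTTP from both hostnames; if either returns the application's 404 page instead of the file, the snippet is not being included in that server block.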


Let's Encrypt's webroot method uses a file in your webroot directory named ".well-known/acme-challenge". You can configure a location snippet on your dev and main server to point to another webroot just for this file.

Something like:

location /.well-known/acme-challenge {
    alias /etc/letsencrypt/webrootauth/.well-known/acme-challenge;
    location ~ /.well-known/acme-challenge/(.*) {
        add_header Content-Type application/jose+json;
    }
}

And point your webroot there with --webroot-path /etc/letsencrypt/webrootauth

This discussion can help

Or you can use the standalone method and do some work by hand.

JrBenito answered Sep 22 '22 01:09