Configure Nginx with a Wildcard SSL Certificate (Let's Encrypt)

Eurico Paes
3 min read · Jun 21, 2024


An SSL (strictly, TLS) certificate for www.domain.com does not automatically work for blog.domain.com. When a browser connects, it compares the hostname it asked for against the names listed in the certificate's Subject Alternative Name (SAN) extension, and a name that is not listed, literally or via a wildcard entry, is rejected. There are different types of SSL certificates, and each type covers a different set of names.

Types of SSL Certificates

Single Domain SSL Certificate:

  • This certificate covers only one specific domain, such as www.domain.com.
  • It does not cover subdomains like blog.domain.com or api.domain.com.

Wildcard SSL Certificate:

  • This certificate covers the direct subdomains of a domain: the wildcard stands for exactly one DNS label.
  • Example: A wildcard certificate for *.domain.com will cover www.domain.com, blog.domain.com, api.domain.com, etc.
  • It does not cover domain.com itself unless domain.com is listed as an additional name, and it does not cover deeper names such as a.b.domain.com (two labels where the wildcard allows one).

Multi-Domain SSL Certificate (SAN Certificate):

  • This certificate can cover multiple domains and subdomains, all listed explicitly when the certificate is issued.
  • Example: It can cover www.domain.com, blog.domain.com, otherdomain.com, and more, depending on the SAN (Subject Alternative Name) entries.

Example Scenarios

Single Domain SSL Certificate:

  • If you have an SSL certificate for www.domain.com, it will not cover blog.domain.com.
  • You will need a separate certificate for blog.domain.com or a wildcard certificate.

Wildcard SSL Certificate:

  • If you have a wildcard SSL certificate for *.domain.com, it will cover both www.domain.com and blog.domain.com, but not domain.com itself unless that name is listed as well.

Multi-Domain SSL Certificate:

  • If you have a SAN certificate, you can specify multiple domains and subdomains like www.domain.com, blog.domain.com, and others when configuring the certificate.
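The three scenarios above come down to one matching rule. The following Python script is an added example (not code from the article) that implements the hostname-matching rule browsers and Python's ssl module apply to a certificate's SAN entries: a plain entry matches only an identical name, and a wildcard matches only when `*` is the whole leftmost label and replaces exactly one label. The sample certificates are constructed dicts in the shape returned by `ssl.SSLSocket.getpeercert()`, so the same functions can be pointed at a real server with the `fetch_peer_cert` helper; `domain.com` and `otherdomain.com` are the article's placeholders, not real sites.

```python
"""Which hostnames does a certificate actually cover?

Implements the SAN matching rule from RFC 6125 / CA/Browser Forum practice:
  * a plain entry matches a hostname only if the two are equal (case-insensitive);
  * a wildcard entry matches only if '*' is the entire leftmost label and the
    hostname has exactly one label in that position, so '*.domain.com' covers
    'www.domain.com' but not 'domain.com' (no label to replace) and not
    'a.b.domain.com' (two labels).
Certificates are dicts shaped like ssl.SSLSocket.getpeercert().
"""
import socket
import ssl
from typing import Iterable


def _labels(name: str) -> list[str]:
    # Normalise case and a trailing dot, then split into DNS labels.
    return name.lower().rstrip(".").split(".")


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if the SAN entry `pattern` covers `hostname`."""
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h
    # The wildcard must be the whole leftmost label and the only one; a
    # wildcard in the TLD position (*.com) is rejected, public CAs never issue it.
    if p[0] != "*" or any("*" in label for label in p[1:]) or len(p) < 3:
        return False
    # Exactly one label is replaced by '*', so label counts must be equal.
    return len(h) == len(p) and h[1:] == p[1:]


def san_dns_names(cert: dict) -> list[str]:
    """DNS entries of the SAN extension; modern clients ignore the subject CN."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def covered_names(cert: dict, hostnames: Iterable[str]) -> dict[str, bool]:
    """Map each hostname to whether some SAN entry of `cert` covers it."""
    sans = san_dns_names(cert)
    return {host: any(hostname_matches(san, host) for san in sans) for host in hostnames}


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Fetch a live server's certificate as a getpeercert() dict (needs network).

    Hostname checking is disabled on purpose so the certificate is returned even
    when the name is NOT covered; the chain is still verified against the
    system trust store.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:  # SNI = host
            return tls.getpeercert()


# Constructed sample certificates (only the SAN field matters here). These are
# not real certificates; domain.com and otherdomain.com are placeholders.
SINGLE_DOMAIN = {"subjectAltName": (("DNS", "www.domain.com"),)}
WILDCARD = {"subjectAltName": (("DNS", "*.domain.com"), ("DNS", "domain.com"))}
WILDCARD_ONLY = {"subjectAltName": (("DNS", "*.domain.com"),)}
SAN_CERT = {"subjectAltName": (("DNS", "www.domain.com"), ("DNS", "blog.domain.com"),
                               ("DNS", "otherdomain.com"))}
HOSTS = ["domain.com", "www.domain.com", "blog.domain.com", "a.b.domain.com",
         "otherdomain.com"]

if __name__ == "__main__":
    for label, cert in [("single-domain", SINGLE_DOMAIN), ("wildcard + apex", WILDCARD),
                        ("wildcard only", WILDCARD_ONLY), ("SAN", SAN_CERT)]:
        print(f"{label:16}", covered_names(cert, HOSTS))
```

Running the script prints, for each sample certificate, which of the five hostnames it covers; the "wildcard only" row is the one that shows why the Certbot command later in the article requests `domain.com` in addition to `*.domain.com`.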

Obtaining a Wildcard SSL Certificate with Let’s Encrypt

Let’s Encrypt supports wildcard certificates. Here is how you can obtain one using Certbot.

Install Certbot:

sudo apt update
sudo apt install certbot python3-certbot-nginx

Obtain a Wildcard Certificate: Let's Encrypt issues wildcard certificates only through the DNS-01 challenge (HTTP-01 can prove control of one hostname, not of every possible subdomain), so you prove ownership by publishing TXT records in the domain's DNS zone. Both names are requested in one certificate because the wildcard alone does not cover the apex:

sudo certbot certonly --manual --preferred-challenges dns -d "*.domain.com" -d "domain.com"

Follow the instructions to add the DNS TXT records for domain verification. Certbot prints one TXT value per requested name, and both go under the same record name, _acme-challenge.domain.com, so the zone must hold two TXT records with different values at the same time; do not remove the first one when Certbot asks for the second. Check that the records are visible from the public DNS (for example with dig TXT _acme-challenge.domain.com) before pressing Enter, otherwise validation fails. Because the first name is a wildcard, Certbot strips the leading "*." when naming the certificate, so the files land in /etc/letsencrypt/live/domain.com/ (use --cert-name to choose a different name). Note also that a certificate obtained with --manual cannot be renewed unattended: for automatic renewal use a DNS provider plugin such as certbot-dns-cloudflare or certbot-dns-route53, or supply --manual-auth-hook and --manual-cleanup-hook scripts that update the TXT records.

Configure Nginx for SSL: Edit your Nginx configuration so that the server blocks for www.domain.com and blog.domain.com point at the same wildcard certificate files. Two things to watch. First, the options-ssl-nginx.conf and ssl-dhparams.pem files included below are written by Certbot's nginx installer plugin, not by certonly --manual; if they are missing, either run Certbot once with --nginx or replace the include with your own ssl_protocols and ssl_ciphers settings, or nginx -t will fail. Second, the wildcard certificate is valid for every subdomain, so add a catch-all block (listen 443 ssl default_server; with ssl_reject_handshake on; on nginx 1.19.4 or newer) that refuses hostnames you do not serve; otherwise a request for any.domain.com completes the TLS handshake with the wildcard certificate and is silently routed to the first server block, here the www backend.

Example configuration:

server {
    listen 80;
    server_name www.domain.com blog.domain.com;

    # Redirect all plain-HTTP requests to HTTPS, keeping host and path.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name www.domain.com;

    # The wildcard certificate obtained above; the same files serve every subdomain.
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Reverse proxy to the www application; forward the original host,
    # client address and scheme so the backend can build correct URLs.
    location / {
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 443 ssl;
    server_name blog.domain.com;

    # Same certificate files as the www block.
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Reverse proxy to the blog application on a different local port.
    location / {
        proxy_pass http://127.0.0.1:5001;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Test and Reload Nginx: validate the configuration first, then reload; a reload applies the new configuration without dropping open connections, so a full restart is unnecessary.

sudo nginx -t
sudo systemctl reload nginx

Nginx reads the certificate files only at start or reload, so it must be reloaded again after every renewal; running certbot renew with --deploy-hook "systemctl reload nginx" does this automatically whenever a certificate is actually renewed.

Summary

  • An SSL certificate for www.domain.com does not cover blog.domain.com unless that name is covered by one of its SAN entries, either a wildcard or an explicit name.
  • A wildcard SSL certificate covers a domain's direct subdomains (one label deep); list the apex domain as a second name if you need it too.
  • Multi-domain (SAN) certificates cover exactly the names listed in them, subdomains included.
  • Let's Encrypt issues wildcard certificates, but only via the DNS-01 challenge; plan for automated renewal (a DNS plugin or auth hooks) and reload Nginx after each renewal.
