Configure Nginx with a Wildcard SSL Certificate (Let's Encrypt)
An SSL certificate for www.domain.com does not automatically work for blog.domain.com unless it is explicitly designed to do so. There are different types of SSL certificates, and each type covers different domain configurations.
Types of SSL Certificates
Single Domain SSL Certificate:
- This certificate covers only one specific domain, such as www.domain.com.
- It does not cover subdomains like blog.domain.com or api.domain.com.
Wildcard SSL Certificate:
- This certificate covers a domain's subdomains: the * stands for exactly one label, so it covers every direct subdomain.
- Example: A wildcard certificate for *.domain.com will cover www.domain.com, blog.domain.com, api.domain.com, etc.
- It does not cover domain.com itself unless explicitly specified.
Multi-Domain SSL Certificate (SAN Certificate):
- This certificate can cover multiple domains and subdomains specified during the purchase.
- Example: It can cover www.domain.com, blog.domain.com, otherdomain.com, and more, depending on the SAN (Subject Alternative Name) entries.
Example Scenarios
Single Domain SSL Certificate:
- If you have an SSL certificate for www.domain.com, it will not cover blog.domain.com.
- You will need a separate certificate for blog.domain.com or a wildcard certificate.
Wildcard SSL Certificate:
- If you have a wildcard SSL certificate for *.domain.com, it will cover both www.domain.com and blog.domain.com.
Multi-Domain SSL Certificate:
- If you have a SAN certificate, you can specify multiple domains and subdomains like www.domain.com, blog.domain.com, and others when configuring the certificate.
Obtaining a Wildcard SSL Certificate with Let’s Encrypt
Let’s Encrypt supports wildcard certificates. Here is how you can obtain one using Certbot.
Install Certbot:
sudo apt update
sudo apt install certbot python3-certbot-nginx
Obtain a Wildcard Certificate: You will need to use the DNS-01 challenge to prove ownership of the domain.
sudo certbot certonly --manual --preferred-challenges dns -d "*.domain.com" -d "domain.com"
Follow the instructions to add a DNS TXT record for domain verification.
Configure Nginx for SSL: Edit your Nginx configuration for www.domain.com and blog.domain.com so that both use the wildcard certificate.
Example configuration:
server {
    listen 80;
    server_name www.domain.com blog.domain.com;
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl;
    server_name www.domain.com;
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    location / {
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
server {
    listen 443 ssl;
    server_name blog.domain.com;
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    location / {
        proxy_pass http://127.0.0.1:5001;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Test and Restart Nginx:
sudo nginx -t
sudo systemctl restart nginx
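Two things in this post are worth checking against real certificates rather than taking on faith: the matching rules from the certificate-type section (the * in a wildcard matches exactly one label, so *.domain.com covers blog.domain.com but neither domain.com nor deep.blog.domain.com) and whether every server_name in the Nginx configuration is actually covered by the ssl_certificate it points at. The script below is an added example, not part of the original post and not Certbot's or Nginx's own tooling. It builds throwaway self-signed certificates carrying the SAN lists of the single-domain, wildcard and SAN types, asks OpenSSL which hostnames each is valid for, and then runs the same check over a constructed copy of the configuration above with one deliberate mismatch added. The function names mk_cert, cert_covers and audit_nginx, the /CN=demo subject and the otherdomain.com name are my own; the one assumption about the system is OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not part of the original post. Throwaway self-signed certs
# stand in for the single-domain, wildcard and SAN types described above;
# domain.com / otherdomain.com are placeholder names. Needs OpenSSL >= 1.1.1
# (for `req -addext` and `x509 -checkhost`).
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# mk_cert <name> <subjectAltName list>: a self-signed cert that exists only to
# carry the given SAN entries (when a DNS SAN is present, the CN is ignored
# for hostname matching).
mk_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo" \
        -addext "subjectAltName=$2" \
        -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.pem" 2>/dev/null
}

mk_cert single        "DNS:www.domain.com"
mk_cert wildcard_only "DNS:*.domain.com"
mk_cert wildcard      "DNS:*.domain.com,DNS:domain.com"   # the two -d names from the certbot command
mk_cert san           "DNS:www.domain.com,DNS:blog.domain.com,DNS:otherdomain.com"

# cert_covers <pem> <hostname>: exit 0 if the certificate is valid for hostname.
# Works on any PEM, e.g. /etc/letsencrypt/live/domain.com/fullchain.pem.
# `openssl x509 -checkhost` exits 0 either way, so the verdict is read from its text.
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# audit_nginx <conf>: for each server block that has an ssl_certificate, check
# every server_name against that certificate. Prints "<cert> <host> ok|MISMATCH"
# and returns 1 if any name is not covered. The awk pass is a minimal parser
# (brace depth plus the two directives, comment lines skipped): enough for flat
# configs shaped like the one above, not for include or map directives.
audit_nginx() {
    awk '
        /^[ \t]*#/ { next }
        /\{/ { depth++ }
        $1 == "server_name" { sub(/;$/, ""); names = ""; for (i = 2; i <= NF; i++) names = names " " $i }
        $1 == "ssl_certificate" { cert = $2; sub(/;$/, "", cert) }
        /\}/ { depth--; if (depth == 0) { if (cert != "") print cert names; cert = ""; names = "" } }
    ' "$1" > "$WORKDIR/pairs"
    rc=0
    while read -r cert hosts; do
        for h in $hosts; do
            if cert_covers "$cert" "$h"; then echo "$cert $h ok"
            else echo "$cert $h MISMATCH"; rc=1; fi
        done
    done < "$WORKDIR/pairs"
    return $rc
}

# Constructed config mirroring the one above, plus a deliberate mistake: a
# server_name outside *.domain.com that reuses the wildcard certificate.
CONF="$WORKDIR/nginx.conf"
cat > "$CONF" <<EOF
server {
    listen 80;
    server_name www.domain.com blog.domain.com;
    return 301 https://\$host\$request_uri;
}
server {
    listen 443 ssl;
    server_name www.domain.com blog.domain.com;
    ssl_certificate $WORKDIR/wildcard.pem;
    ssl_certificate_key $WORKDIR/wildcard.key;
}
server {
    listen 443 ssl;
    server_name api.otherdomain.com;
    ssl_certificate $WORKDIR/wildcard.pem;
    ssl_certificate_key $WORKDIR/wildcard.key;
}
EOF

echo "== which hostnames each certificate type covers =="
for c in single wildcard_only wildcard san; do
    for h in www.domain.com blog.domain.com domain.com deep.blog.domain.com otherdomain.com; do
        if cert_covers "$WORKDIR/$c.pem" "$h"; then echo "$c: $h covered"; else echo "$c: $h not covered"; fi
    done
done

echo "== nginx server_name vs ssl_certificate =="
audit_nginx "$CONF" || echo "at least one server_name is not covered by its certificate"
```

cert_covers accepts any PEM file, so once Certbot has issued the real certificate, cert_covers /etc/letsencrypt/live/domain.com/fullchain.pem blog.domain.com confirms coverage before Nginx is restarted, and audit_nginx run over the site file does the same for every server block at once.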
Summary
- An SSL certificate for www.domain.com does not cover blog.domain.com unless it is a wildcard certificate.
- Use a wildcard SSL certificate to cover a domain and all its subdomains.
- Multi-domain (SAN) certificates can also cover specific subdomains if configured correctly.
- Let's Encrypt supports wildcard certificates using the DNS-01 challenge.