Configuring Nginx for subdomains with a wildcard LetsEncrypt certificate


I want to configure nginx with a wildcard LetsEncrypt certificate for dynamic subdomains (domains that will be emulated by a web application).

Currently I have the following "static" domains:

example.com
sso.example.com

Depending on user content, the application will emulate the following domains:

anyname1.example.com
anyname2.example.com
...
{somename}.example.com

I have the following nginx configuration:

server {
    server_name example.com;

    access_log /var/log/nginx/example.com.access.log;
    error_log /var/log/nginx/example.com.error.log;

    root /var/www/html/example;

    location / {
        root /var/www/html/example;
        index index.html index.htm;

        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ /index.html;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com-0001/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    server_name example.com;

    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;

    return 404; # managed by Certbot
}

server {
    server_name *.example.com;

    access_log /var/log/nginx/domains.example.com.access.log;
    error_log /var/log/nginx/domains.example.com.error.log;

    root /var/www/html/example;

    location / {
        root /var/www/html/example;
        index index.html index.htm;

        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ /index.html;
    }

#   listen [::]:443 ssl ipv6only=on; # managed by Certbot
#   listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    server_name *.example.com;

    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

#   listen 80;
#   listen [::]:80;

    return 404; # managed by Certbot
}

server {
    server_name sso.example.com;

    access_log /var/log/nginx/sso.example.com.access.log;
    error_log /var/log/nginx/sso.example.com.error.log;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_redirect http://127.0.0.1:8080 /;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
    }

#   listen [::]:443 ssl ipv6only=on; # managed by Certbot
#   listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/sso.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/sso.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = sso.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name sso.example.com;

    listen 80;
    listen [::]:80;
    return 404; # managed by Certbot
}

The certificate for the dynamic subdomains was generated as follows:

certbot --server https://acme-v02.api.letsencrypt.org/directory -d *.example.com --manual --preferred-challenges dns-01 certonly

Now, when I try to access any subdomain, I get an error saying that the certificate belongs to the main domain.

What am I doing wrong, and how do I fix it?
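As an added illustration (not part of the question or of the answer below), the following Python model reproduces which server block nginx selects for a TLS request and whether that block's certificate covers the requested name. The ServerBlock, pick_server and diagnose names and the SAN lists are assumptions constructed from the configuration above; the "as posted" list marks the blocks whose `listen 443 ssl` lines are commented out.

```python
# Added example (not from the question): model nginx's server-block choice and cert coverage for an SNI name.
from dataclasses import dataclass, field

@dataclass
class ServerBlock:
    server_name: str
    listens_443: bool      # False where the question's `listen 443 ssl` is commented out
    cert_sans: list = field(default_factory=list)  # dNSName SANs of fullchain.pem (assumed)

def name_matches(san: str, hostname: str) -> bool:
    """Certificate rule (RFC 6125): a leading '*.' covers exactly one label, so
    *.example.com covers a.example.com but not example.com or a.b.example.com."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]                                   # ".example.com"
    prefix = hostname[:-len(suffix)] if hostname.endswith(suffix) else ""
    return prefix != "" and "." not in prefix

def pick_server(blocks, sni: str):
    """nginx selection on :443 (only the name forms used in the question):
    exact server_name, then the longest '*.' wildcard (nginx lets it span
    several labels), else the first block in config order that listens on 443."""
    listening = [b for b in blocks if b.listens_443]
    sni = sni.lower()
    exact = [b for b in listening if b.server_name.lower() == sni]
    wild = [b for b in listening if b.server_name.startswith("*.")
            and sni.endswith(b.server_name[1:].lower()) and len(sni) > len(b.server_name) - 1]
    if exact:
        return exact[0]
    if wild:
        return max(wild, key=lambda b: len(b.server_name))
    return listening[0] if listening else None

def diagnose(blocks, sni: str):
    """Return (chosen server_name, True if its certificate covers sni)."""
    chosen = pick_server(blocks, sni)
    if chosen is None:
        return (None, False)
    return (chosen.server_name, any(name_matches(s, sni) for s in chosen.cert_sans))

# Constructed from the question's config: only the example.com block actually listens on 443.
AS_POSTED = [
    ServerBlock("example.com", True, ["example.com"]),
    ServerBlock("*.example.com", False, ["*.example.com"]),
    ServerBlock("sso.example.com", False, ["sso.example.com"]),
]
# The same blocks with the commented-out `listen 443 ssl` lines restored.
FIXED = [ServerBlock(b.server_name, True, b.cert_sans) for b in AS_POSTED]
```

With the blocks as posted, every subdomain falls through to the first (and only) block listening on 443 and is shown the example.com-0001 certificate, which is exactly the mismatch the question reports; restoring the listeners routes each name to its own block.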

Answer 1

This may not be the answer to your question, but it is the most important thing I have found recently.

I created and used a wildcard subdomain on my website. Later I found that many browsers do not accept this wildcard SSL certificate.

For example, Chrome (desktop and the Android app) throws an error saying "TOO_COMMON_CERT_NAME".

So far, in my experience, I do not recommend using wildcard certificates. Create one manually for each domain/subdomain. You won't regret it.
