我想为动态子域(将由 Web 应用程序模拟的域)配置带有通配符 LetsEncrypt 证书的 nginx。
目前我有以下“静态”域:
example.com
sso.example.com
根据用户内容,应用程序将模拟以下域:
anyname1.example.com
anyname2.example.com
...
{somename}.example.com
有以下 nginx 配置:
server {
server_name example.com;
access_log /var/log/nginx/example.com.access.log;
error_log /var/log/nginx/example.com.error.log;
root /var/www/html/example;
location / {
root /var/www/html/example;
index index.html index.htm;
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ /index.html;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com-0001/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com-0001/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
server_name example.com;
if ($host = example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80 ;
return 404; # managed by Certbot
}
server {
server_name *.example.com;
access_log /var/log/nginx/domains.example.com.access.log;
error_log /var/log/nginx/domains.example.com.error.log;
root /var/www/html/example;
location / {
root /var/www/html/example;
index index.html index.htm;
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ /index.html;
}
# listen [::]:443 ssl ipv6only=on; # managed by Certbot
# listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
server_name *.example.com;
if ($host = example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
# listen 80 ;
# listen [::]:80 ;
return 404; # managed by Certbot
}
server {
server_name sso.example.com;
access_log /var/log/nginx/sso.example.com.access.log;
error_log /var/log/nginx/sso.example.com.error.log;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_redirect http://127.0.0.1:8080 /;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
}
# listen [::]:443 ssl ipv6only=on; # managed by Certbot
# listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/sso.example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/sso.example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = sso.example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name sso.example.com;
listen 80 ;
listen [::]:80 ;
return 404; # managed by Certbot
}
动态子域的证书按以下方式生成:
certbot --server https://acme-v02.api.letsencrypt.org/directory -d *.example.com --manual --preferred-challenges dns-01 certonly
现在,当我尝试访问任何子域时,我收到证书属于主域的错误。
我做错了什么以及如何解决?
答案1
这可能不是您的问题的答案,但却是我最近发现的最重要的事情。
我在我的网站上创建并使用了通配符子域名。后来我发现许多浏览器不考虑这个通配符 SSL 证书。
例如,Chrome(桌面版和 Android 应用程序)会抛出错误,指出它是“TOO_COMMON_CERT_NAME”
到目前为止,根据我的经验,我不建议使用通配符认证。为每个域/子域手动创建。你不会后悔的。