我有一个支持多个子域的 Web 应用程序,但我找不到正确的 nginx 设置来使证书正常工作。
我已经用这个命令创建了 certbot 证书
sudo certbot--服务器https://acme-v02.api.letsencrypt.org/directory-d *.example.com --manual --preferred-challenges dns-01 certonly
然后我继续将 fullchain.pem 和 privkey.pem 文件复制到 /etc/nginx/ssl/namesite-wildcard 目录。
这是我的 sites-available 目录中包含的 nginx 配置文件:
server {
server_name nameSite.com www.nameSite.com; //Main domain settings, not related to my problem
location / {
proxy_pass http://localhost:42069;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
location /api {
proxy_pass http://localhost:5000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/nameSite.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/nameSite.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server{
listen 443 ssl; //THIS is the tricky section
server_name *.nameSite.com;
location / {
proxy_pass http://localhost:42069;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
ssl_certificate /etc/nginx/ssl/nameSite-wildcard/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/nameSite-wildcard/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
server {
if ($host ~ ^[^.]+\.nameSite\.com$) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = www.nameSite.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = nameSite.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80; server_name nameSite.com www.nameSite.com;
return 404; # managed by Certbot
}
我必须指出,主域是使用以下命令自动认证的:
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
。
所以,最后,当我尝试浏览www.nameSite.com或 nameSite.com 所有内容都经过认证,但每当我尝试任何 *.nameSite.com 时,浏览器都会告诉我连接未加密。
感谢您的帮助。