CNAME Domain Forwarding and Let’s Encrypt SSL Certificates with Nginx

a-recordcname-recordlets-encryptnginx

I have 5 domains viz.

main.com
sub1.com
sub2.com
sub3.com
sub4.com

I have pointed the CNAME records of

sub1.com to sub1.main.com
sub2.com to sub2.main.com
sub3.com to sub3.main.com
sub4.com to sub4.main.com

And these are working as it suppose to even following the paths.

Yesterday I have installed Letsencrypt Wildcard SSL certificate for *.main.com and it also works pretty smoothly.

The question is: sub1.com, sub2.com,sub3.com and sub4.com also need SSL certificates and I thought as sub1.main.com sub2.main.com sub3.main.com and sub4.main.com have a valid SSL certificate and CNAME is mapped as shown above and hence the SSL certificates would work for sub1.com, sub2.com,sub3.com and sub4.com as well but unfortunately isn't.

Where am I going wrong in my assumption ? What can be the proposed solution to my query of having SSL certificates for sub1.com, sub2.com,sub3.com and sub4.com which has a CNAME pointed to main.com ?

Note: I can change CNAME or the A record of sub1.com, sub2.com,sub3.com and sub4.com if required.

Best Answer

You NEED to have certificate for the hostname shown in the address bar. This is a feature of the HTTP(S) protocol. Therefore, it doesn't matter whether you use CNAME or A in DNS. The web server is only aware of the Host: header and the hostname sent during the SNI negotiation. Your web server needs to be aware of that hostname in both virtualhost and SSL configuration.

Related Solutions

Apache – Fix Issue with CNAME and Virtual Hosts

Though you have CNAME record to point sub2.sub1.domain1.com to the correct server, apache server maybe serving multiple website.

When a http request come in, apache check the URL against ServerName to determine which website to serve out. Should there be any additional name pointing to the same website, you put them in ServerAlias.

In your httpd.conf, you have to add ServerAlias for sub2.sub1.domain1.com

<VirtualHost *:80>
    ServerName sub1.domain.com
    ServerAlias sub2.sub1.domain1.com
    DocumentRoot /domain1/sub1/www
</VirtualHost>

Additionally, the first VirtualHost declaration in httpd.conf is used as the default. When a http request comes in and doesn't match any ServerName and ServerAlias, the default site is serve out.

Nginx – Two domains, two SSL certificates, one IP

If you are referring to other SSL settings than certificate / key, I would advice you to move their configuration to the http level in nginx configuration.

This way the settings will be inherited to every server block.

For example, in Debian and derivatives you can create /etc/nginx/conf.d/ssl.conf file, where you put these lines:

ssl_session_cache    shared:SSL:10m;
ssl_session_timeout  10m;

# Perfect Forward Security
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4";

The files inside conf.d are included in the http level.

default_server approach doesn't work here.

After this, the server blocks would look like this:

server {
    listen 443 default_server ssl;
    server_name _;

    ssl_certificate /path/to/certificate;
    ssl_certificate_key /path/to/key;
}

And, if you want to override some settings for some domains, then you can re-enter the directives in the server level.

Best Answer

Related Solutions

Apache – Fix Issue with CNAME and Virtual Hosts

Nginx – Two domains, two SSL certificates, one IP

Related Topic