This is turning out to be an annoying problem that I'm hoping someone can help me with.
To start, I run my own CA, so I'm doing self-signed certs; I can do anything I need with them using openssl.
I have a domain, example.com, and a webserver running nginx, and I'm trying to set up a situation such that I redirect:
http://example.com -> http://www.example.com
and
httpS://example.com -> httpS://www.example.com
My problem isn't in getting nginx to do what I need there; it does, either with rewrites or redirects. Currently, I have a single server block with an if rewrite in it for simplicity (yea, if is evil, I know!). My problem is the SSL cert.
If I generate a normal, single-domain cert for "example.com", I get a cert error with "www.example.com". OK, so I'll make a wildcard for "*.example.com"! Except now I get a cert error for the bare domain. The reasons for this make sense to me, but I still want to combine these into one cert, and one nginx server block, if possible. So I tried making a CSR with subjectAltName of "DNS:example.com,DNS:*.example.com". But that doesn't seem to be working either: the bare domain works and redirects, but then as soon as I refresh, I get a strange cert error saying that "the certificate is only valid for example.com", while on inspection the CN is for "*.example.com".
Can anyone offer some advice on how to resolve this and create, as simply as possible, this full suite of redirects?
And yes, I know I could just ignore the https://example.com altogether, and only listen for SSL on www.example.com, but the perfectionist in me doesn't allow it; I want everything about this site to be completely agnostic to the SSL and work the exact same way with or without it, even this initial redirection!
Edit: nginx config:
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
root /var/www/example.com;
index index.html index.htm;
server_name www.example.com example.com;
ssl_certificate /etc/ssl/sites/example.com.crt;
ssl_certificate_key /etc/ssl/sites/example.com.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
ssl_prefer_server_ciphers on;
if ($http_host != "www*") {
rewrite ^ $scheme://www.$http_host$request_uri permanent;
}
location / {
try_files $uri $uri/ /index.html;
}
}
Best Answer
The X.509 functionality you are looking for is called Subject Alternative Name (or SAN).
You can read more about it here: http://en.wikipedia.org/wiki/SubjectAltName
You can read about generating a certificate with this property here: https://library.linode.com/security/ssl-certificates/subject-alternate-names
Here is a configuration guide for nginx and SAN certificates: http://blog.simplytestable.com/using-a-multiple-domain-ucc-secure-certificate-with-nginx/