Nginx SSL with bare domain and wildcard

This is turning out to be an annoying problem that I'm hoping someone can help me with.

To start, I run my own CA, so I'm doing self-signed certs; I can do anything I need with them using openssl.

I have a domain, example.com, and a webserver running nginx, and I'm trying to set up a situation such that I redirect:

http://example.com -> http://www.example.com

and

httpS://example.com -> httpS://www.example.com

My problem isn't in getting nginx to do what I need there; it does, either with rewrites or redirects. Currently, I have a single server block with an if rewrite in it for simplicity (yea, if is evil, I know!). My problem is the SSL cert.

If I generate a normal, single-domain cert for "example.com", I get a cert error with "www.example.com". OK, so I'll make a wildcard for "*.example.com"! Except now I get a cert error for the bare domain. The reasons for this make sense to me, but I still want to combine these into one cert, and one nginx server block, if possible. So I tried making a CSR with subjectAltName of "DNS:example.com,DNS:*.example.com". But that doesn't seem to be working either: the bare domain works and redirects, but then as soon as I refresh, I get a strange cert error saying that "the certificate is only valid for example.com", while on inspection the CN is for "*.example.com".

Can anyone offer some advice on how to resolve this and create, as simply as possible, this full suite of redirects?

And yes, I know I could just ignore the https://example.com altogether, and only listen for SSL on www.example.com, but the perfectionist in me doesn't allow it; I want everything about this site to be completely agnostic to the SSL and work the exact same way with or without it, even this initial redirection!

Edit: nginx config:

server {
    listen                          80;
    listen                          [::]:80;
    listen                          443 ssl;
    listen                          [::]:443 ssl;
    root                            /var/www/example.com;
    index                           index.html index.htm;
    server_name                     www.example.com example.com;

    ssl_certificate                 /etc/ssl/sites/example.com.crt;
    ssl_certificate_key             /etc/ssl/sites/example.com.key;
    ssl_session_timeout             5m;
    ssl_protocols                   SSLv3 TLSv1;
    ssl_ciphers                     ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers       on;

    if ($http_host != "www*") {
             rewrite ^ $scheme://www.$http_host$request_uri permanent;
    }

    location / {
            try_files $uri $uri/ /index.html;
    }
}

Best Answer

The X.509 functionality you are looking for is called Subject Alternative Name (or SAN).

You can read more about it here: http://en.wikipedia.org/wiki/SubjectAltName

You can read about generating a certificate with this property here: https://library.linode.com/security/ssl-certificates/subject-alternate-names

Here is a configuration guide for nginx and SAN certificates: http://blog.simplytestable.com/using-a-multiple-domain-ucc-secure-certificate-with-nginx/

Best Answer

Related Solutions

Nginx has ssl module, but thinks it doesn’t

Nginx – Remove “www” and redirect to “https” with nginx

Related Topic