I figure I must be missing something, because every time I try to load content by hitting the subdomain in my browser, it says "not secure", even though I went through the steps that followed after running sudo certbot --nginx without error.

Here's my config file for the vhost:

server {
        listen 80;
        listen [::]:80;

        root /var/www/lms/;

        server_name lms.blainelafreniere.io;

        location / {
                try_files $uri /index.html;
        }
}

server {

        server_name lms-api.blainelafreniere.io;

        location / {
                proxy_pass http://127.0.0.1:3001;
        }

        listen [::]:443 ssl ipv6only=on; # managed by Certbot
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/lms-api.blainelafreniere.io/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/lms-api.blainelafreniere.io/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}


server {
    if ($host = lms-api.blainelafreniere.io) {

        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    listen [::]:80;

    server_name lms-api.blainelafreniere.io;
    return 404; # managed by Certbot
}

I don't know if this matters, but... the main root domain, blainelafreniere.io is pointing to an entirely different VPS. My blainelafreniere.io domain is secured with its own SSL certificate, and I'm currently attempting to generate a new SSL certificate only for the subdomain, in this case, lms-api.blainelafreniere.io.

blainelafreniere.io                                 => server A
lms.blainelafreniere.io, lms-api.blainelafreniere.io => server B

Does the certificate for the main domain need to be used to secure subdomains as well? Or can I generate a new certificate per subdomain?

1 Answer

With the HTTP-01 challenge you can only get certificates for specified (possibly with multiple SAN) host names. According to Certificate Transparency logs for blainelafreniere.io you don't have a wildcard certificate for *.blainelafreniere.io, so you couldn't even use the same certificate for your subdomains. (Getting wildcard certificates is possible with DNS-01 challenge, but that's not necessary nor even optimal for this case.)

The logs also tell that Let's Encrypt has successfully issued certificates for both of your subdomains (lms-api and lms), and that's the correct way to do this.

For the automatic renewals you must keep http://example.com/.well-known/acme-challenge/ accessible & serving the location specified in the Let's Encrypt / Certbot configuration (e.g. under /etc/letsencrypt/renewal/).

Currently the server at 34.200.239.16 isn't answering HTTPS requests at all. This is not a problem with the certificates; either your Nginx is not listening on port 443 or there's some firewall blocking it:

$ dig lms.blainelafreniere.io +short
34.200.239.16

$ dig lms-api.blainelafreniere.io +short
34.200.239.16

$ nc 34.200.239.16 443 -nvvv
(UNKNOWN) [34.200.239.16] 443 (https) : Connection timed out
 sent 0, rcvd 0
Esa Jokinen
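The answer's diagnosis hinges on one distinction the nc output shows: a connection that times out means packets are being dropped (firewall or wrong host), whereas a connection that is refused means the host is up but nothing is bound to the port (no listen 443 ssl in the vhost). The following script is an added example, not code from the question or the answer; it classifies a TCP probe the same way and, so that it can be exercised offline, ships with a constructed local listener on 127.0.0.1 that stands in for a reachable nginx. The host names and hint texts are assumptions for illustration only.

```python
"""Classify why an HTTPS port is unreachable: open / refused / timeout.

Added example (not part of the original Server Fault thread). Assumes
Python 3 and a POSIX socket stack; the local listener below is a
constructed stand-in used only for the offline demo.
"""
import socket
import sys

# Likely cause for each outcome, following the answer's reasoning:
# "either your Nginx is not listening on port 443 or there's some firewall".
HINTS = {
    "open": "a service accepted the connection; now verify it speaks TLS "
            "and serves the expected server_name",
    "refused": "host reachable but nothing listening on that port: check "
               "for 'listen 443 ssl' in the vhost and compare 'ss -ltnp'",
    "timeout": "no answer at all: suspect a host or cloud firewall dropping "
               "inbound traffic on that port, or DNS pointing at the wrong server",
}


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a TCP connect and return "open", "refused", "timeout" or "error: ...".

    Only the three-way handshake is observed; no application data is sent.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # RST came back: the host is up, no socket is bound to the port.
        return "refused"
    except (socket.timeout, TimeoutError):
        # No SYN-ACK and no RST within the deadline: something drops packets.
        return "timeout"
    except OSError as exc:
        # Unresolvable name, no route, etc.
        return f"error: {exc.strerror or exc}"


def explain(outcome: str) -> str:
    """Map a probe_tcp() outcome to the next thing an operator should check."""
    return HINTS.get(outcome, "unexpected socket error; inspect the message")


def diagnose(host: str, ports=(80, 443), timeout: float = 3.0) -> dict:
    """Probe each port and return {port: outcome}; both 80 and 443 matter,
    because the HTTP-01 renewal path must stay reachable on 80 as well."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def start_local_listener() -> tuple:
    """Constructed stand-in for a listening nginx: a bound, listening socket
    on 127.0.0.1 with an OS-assigned port. Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real usage: python probe.py lms-api.example.invalid
        for port, outcome in diagnose(sys.argv[1]).items():
            print(f"port {port}: {outcome} -> {explain(outcome)}")
    else:
        # Offline demo against the constructed listener.
        srv, port = start_local_listener()
        print(f"listening: {probe_tcp('127.0.0.1', port)}")
        srv.close()
        print(f"closed:    {probe_tcp('127.0.0.1', port)}")
```

Run it with a host name to probe ports 80 and 443 of that host; with no arguments it demonstrates the "open" versus "refused" outcomes against the local stand-in. A "timeout" result from a public host is the signature seen in the answer's nc output and points at filtering rather than at the certificate.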