7
votes

I have an NGINX server where I am trying to add SSL using Let's Encrypt.

My development settings are as follows:

url : dev.domain.in
root: /var/www/dev/html

The Production is as follows:

url : domain.in
root: /var/www/production/html

So in my nginx default page I have two server blocks, one for development and another for production.

I want to give one certificate for both the servers.

I know that according to the Let's Encrypt website the command is as follows:

cd /opt/letsencrypt
./letsencrypt-auto certonly -a webroot --webroot-path=/usr/share/nginx/html -d example.com -d www.example.com

But this can be done only if the SUBDOMAIN has the same webroot, which is not true in my case.

So how can I add the CERT for both here?

Please help me out.

Jonatas Walker

2 Answers

11
votes

I use a common webroot across all of my virtual hosts on my nginx box.

/opt/certbot/certbot-auto certonly --webroot --agree-tos -w /srv/www/letsencrypt/ \
-d example.com,www.example.com

... and in nginx I have snippets/letsencrypt.conf:

location ~ /.well-known {
    root /srv/www/letsencrypt;
    allow all;
}

... which gets included in my server block for each site.

The files in the .well-known directory are temporary - they only exist for long enough for the authorisation process to complete and are then removed.

Once registration is successful, I then include the certificate definition in the server block via include ssl/example.com.conf; where that file contains the following:

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

... along with the relevant listen directives to enable SSL on port 443.

You can include the same definition in multiple server blocks.

I have additional subdomains as SANs in my certificate as well and I have separate server blocks for example.com, www.example.com and also other subdomains like click.example.com - all using the same certificate.

1
votes

The Let's Encrypt webroot method uses a file in your webroot directory named ".well-known/acme-challenge". You can configure a location snippet on your dev and main server to point to another webroot just for this file.

Something like:

location /.well-known/acme-challenge {
    alias /etc/letsencrypt/webrootauth/.well-known/acme-challenge;
    location ~ /.well-known/acme-challenge/(.*) {
        add_header Content-Type application/jose+json;
    }
}

And point your webroot with --webroot-path /etc/letsencrypt/webrootauth.

This discussion can help.

Or you can use the standalone method and do some work by hand.
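Putting both answers together for the two hosts in the question, as an added example (not configuration from either answerer): one shared challenge location included in the port 80 block, and one certificate covering both HTTPS blocks even though their document roots differ. The snippet file paths, the shared webroot /srv/www/letsencrypt and the modern `certbot` command line are assumptions.

```nginx
# --- /etc/nginx/snippets/letsencrypt.conf (assumed path) ---
# Shared ACME challenge location, included by every server block that
# listens on port 80. Only the challenge path is exposed from the shared
# webroot; everything else is still served from each site's own root.
location ^~ /.well-known/acme-challenge/ {
    root /srv/www/letsencrypt;   # assumed shared webroot; must equal certbot's -w
    default_type text/plain;     # challenge responses are plain text
    try_files $uri =404;         # serve only files certbot actually wrote
}

# --- /etc/nginx/snippets/ssl-domain.in.conf (assumed path) ---
# Certificate paths as certbot creates them for the first -d name given.
# Both HTTPS server blocks below include this same file.
ssl_certificate     /etc/letsencrypt/live/domain.in/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.in/privkey.pem;

# --- /etc/nginx/sites-enabled/default (assumed path) ---
# Single HTTP block for both names: answers challenges, redirects the rest.
server {
    listen 80;
    server_name domain.in dev.domain.in;
    include snippets/letsencrypt.conf;
    location / {
        return 301 https://$host$request_uri;
    }
}

# Production: its own root, shared certificate.
server {
    listen 443 ssl;
    server_name domain.in;
    root /var/www/production/html;
    include snippets/ssl-domain.in.conf;
}

# Development: different root, same certificate.
server {
    listen 443 ssl;
    server_name dev.domain.in;
    root /var/www/dev/html;
    include snippets/ssl-domain.in.conf;
}

# Issue one certificate with both names as SANs (run after nginx reload):
#   certbot certonly --webroot -w /srv/www/letsencrypt -d domain.in -d dev.domain.in
```

Add the two port 443 blocks only after the first certbot run has created the files under /etc/letsencrypt/live/domain.in/, since nginx refuses to start when ssl_certificate points at a missing file.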