By:
blbwd

Letsencrypt for multiple domains on Nginx

September 10, 2016 2.5k views
Let's Encrypt Ubuntu

I have an Nginx server set up with virtual hosts. Many domains are hosted on it, all running WordPress websites. Is there any tutorial available to implement Letsencrypt on Nginx virtual hosts? I want to keep all my websites running perfectly. Please share.

3 Answers

Hi!

Let's Encrypt is very simple to set up with Nginx. This tutorial will walk you through all the necessary steps to do that.

It is, however, written for setups where there is only one server block present. So, if you replace /etc/nginx/sites-available/default with the correct path for each server block, you should be fine.

At the end of Step 2, a Diffie-Hellman group is generated. Because it is shared between all server blocks, you only need to perform that step once.

In this tutorial, we will show you how to use Let's Encrypt to obtain a free SSL certificate and use it with Nginx on Ubuntu 16.04. We will also show you how to automatically renew your SSL certificate. If you're running a different web server, simply follow your web server's documentation to learn how to use the certificate with your setup.
  • This is a great tutorial; however, his question isn't how to set up Let's Encrypt with one domain, but with more than one. It's not sufficient to have multiple blocks in /etc/nginx/sites-available/, because one site will be valid but another won't be (even if it was before). The problem is that NET::ERR_CERT_AUTHORITY_INVALID occurs on one of the domains.

Hi, I had trouble with this situation. I have followed @kamaln7's suggestion, but one of my domains can't be accessed because the certificate belongs to my other domain.
How are the server blocks for each domain? Is there any difference in listen 443 ssl http2?
I use this in both:

listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;

The SSL certificate needs to contain several names in the SubjectAltName certificate field; for example, you might want to have the example.com and example.org domains. Note the SubjectAltName field length is limited, to about 1000 characters IIRC.

If you're using Let's Encrypt (as is the case in the nginx tutorial @kamaln7 referred to), then you can generate an SSL certificate for the domains:

sudo letsencrypt certonly -a webroot --webroot-path=/var/www/default/html/ -d example.org -d example.com

Update /etc/nginx/sites-available/example.com and /etc/nginx/sites-available/example.org accordingly. A /etc/nginx/sites-available/default is not needed. Here is the example.com file; the example.org file is identical except for the lines shown below it:

/etc/nginx/sites-available/example.com

server {
  listen 80;
  listen [::]:80;
  server_name example.com;
  return 301 https://$server_name$request_uri;
}
server {
  server_name example.com;
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  ssl_certificate /etc/letsencrypt/live/default/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/default/privkey.pem;
  include snippets/ssl-params.conf;

  root /var/www/example.com/html;
  index index.php;
  location / {
    try_files $uri $uri/ /index.html =404;
    autoindex on;
  }
  location ~ /.well-known {
    allow all;
  }
  location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
  }
}

/etc/nginx/sites-available/example.org is the same file, except that both server_name directives name the other domain and root points at its own document root:

  server_name example.org;
  root /var/www/example.org/html;

Note the folder that contains the SSL certificates, /etc/letsencrypt/live/default/. You may need to rename the folders that letsencrypt generated.
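Added example (my own code, not from any of the answers above): a Go check for the failure the second answer ran into, where a server block presents a certificate issued for a different domain. It reads server_name and ssl_certificate from each nginx server{} block and lists every HTTPS hostname that the referenced certificate's SubjectAltName does not cover, using crypto/x509's VerifyHostname for the match; the one-directive-per-line config shape is that of the files above, and SelfSignedCert is an offline stand-in for reading the real /etc/letsencrypt/live/default/fullchain.pem.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"strings"
	"time"
)

type ServerBlock struct{ Names []string; CertPath string } // one nginx server{} block
type CertMap = map[string]*x509.Certificate               // ssl_certificate path -> parsed cert

// ParseServerBlocks scans nginx config text: one directive per line, "server {" on its own line.
func ParseServerBlocks(conf string) (blocks []ServerBlock) {
	for _, raw := range strings.Split(conf, "\n") {
		f := strings.Fields(strings.TrimSuffix(strings.TrimSpace(raw), ";"))
		switch {
		case len(f) > 1 && f[0] == "server" && f[1] == "{":
			blocks = append(blocks, ServerBlock{})
		case len(blocks) == 0 || len(f) < 2: // outside any server block, or a bare token
		case f[0] == "server_name":
			blocks[len(blocks)-1].Names = append(blocks[len(blocks)-1].Names, f[1:]...)
		case f[0] == "ssl_certificate": // ssl_certificate_key is a different directive
			blocks[len(blocks)-1].CertPath = f[1]
		}
	}
	return blocks
}

// Uncovered: "name -> cert path" for each TLS server_name its cert's SANs do not match (the hosts browsers reject).
func Uncovered(blocks []ServerBlock, certs CertMap) (bad []string) {
	for _, b := range blocks {
		for _, n := range b.Names { // port-80 redirect blocks carry no cert and are skipped
			if c, ok := certs[b.CertPath]; b.CertPath != "" && (!ok || c.VerifyHostname(n) != nil) {
				bad = append(bad, n+" -> "+b.CertPath)
			}
		}
	}
	return bad
}

// SelfSignedCert: in-memory cert with the given SANs so the check runs offline (real use: parse fullchain.pem).
func SelfSignedCert(sans ...string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: sans, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	c, _ := x509.ParseCertificate(der)
	return c
}
```

Call Uncovered(ParseServerBlocks(conf), certs) from a main or a test: an empty result means every HTTPS server_name is covered by the certificate it serves, which is what the certonly command with several -d flags is meant to achieve, while VerifyHostname also handles wildcard SANs correctly (*.example.org covers www.example.org but not the bare example.org).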
