Monthly Archives: March 2017

Nginx hosting multiple domains with a single SSL certificate from Let's Encrypt


Multiple domains can be hosted with nginx server blocks. Below I give an example of how to generate a shared SSL certificate from Let's Encrypt, and how to set up two server blocks to use that shared certificate.

Assuming you use Let's Encrypt as your CA, generate an SSL certificate for the domains:

sudo letsencrypt certonly -a webroot --webroot-path=/var/www/default/html/ -d -d

Alternatively, if you're not using Let's Encrypt as your CA, read up on the docs and take a pause to note:

The SSL certificate needs to contain several names in the SubjectAltName certificate field; for example, you might want to have and domains. Note that the SubjectAltName field length is limited to about 1000 characters, IIRC.

Now I assume you have the SSL certificate generated.
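
Before pointing both server blocks at the certificate, it is worth checking that its SubjectAltName field really covers every name they serve. The script below is an added example, not part of the original post. It parses the output of `openssl x509 -noout -ext subjectAltName` and lists any required name that no DNS entry covers, including names matched by a single-label wildcard. The domains `example.com`, `example.org` and `example.net`, the sample output and the function names `san_missing` and `check_cert` are assumptions for illustration. The `-ext` option needs OpenSSL 1.1.1 or later.

```bash
#!/bin/sh
# Added example: placeholder domains and constructed sample data.

# san_missing NAME...: read `openssl x509 -noout -ext subjectAltName` output
# on stdin and print each NAME that no DNS entry in the certificate covers.
san_missing() {
    # One DNS entry per line, lowercased; other lines and entry types are dropped.
    sans=$(tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p' |
        tr 'A-Z' 'a-z')
    for name in "$@"; do
        want=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        # A wildcard entry stands in for the left-most label only,
        # so shop.example.org is covered by *.example.org and nothing wider.
        wild="*.${want#*.}"
        printf '%s\n' "$sans" | grep -qxF -e "$want" -e "$wild" ||
            printf '%s\n' "$name"
    done
}

# check_cert CERT NAME...: run the check against a PEM file (leaf certificate first).
# e.g. check_cert /etc/letsencrypt/live/default/fullchain.pem example.com example.org
check_cert() {
    cert=$1; shift
    missing=$(openssl x509 -in "$cert" -noout -ext subjectAltName | san_missing "$@")
    if [ -n "$missing" ]; then
        printf 'names not covered by %s:\n%s\n' "$cert" "$missing" >&2
        return 1
    fi
}

# Constructed sample of the openssl output, so the parser can be tried offline.
SAMPLE_SAN='X509v3 Subject Alternative Name: 
    DNS:example.com, DNS:www.example.com, DNS:*.example.org'

printf '%s\n' "$SAMPLE_SAN" | san_missing example.com example.net   # prints: example.net
```

Run `check_cert` with the same names that appear in the `server_name` directives; a non-zero exit means at least one site would present a certificate that does not match its hostname.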

Update the two server blocks /etc/nginx/sites-available/ and /etc/nginx/sites-available/ accordingly. A /etc/nginx/sites-available/default is not needed. See the diff:

server {                                                        server {
  listen 80;                                                      listen 80;
  listen [::]:80;                                                 listen [::]:80;
  server_name;                                    |   server_name;
  return 301 https://$server_name$request_uri;                    return 301 https://$server_name$request_uri;
}                                                               }
server {                                                        server {
  server_name;                                    |   server_name;
  listen 443 ssl http2;                                           listen 443 ssl http2;
  listen [::]:443 ssl http2;                                      listen [::]:443 ssl http2;

  ssl_certificate /etc/letsencrypt/live/default/fullchain.pem     ssl_certificate /etc/letsencrypt/live/default/fullchain.pem
  ssl_certificate_key /etc/letsencrypt/live/default/privkey.p     ssl_certificate_key /etc/letsencrypt/live/default/privkey.p
  include snippets/ssl-params.conf;                               include snippets/ssl-params.conf;

  root /var/www/;                             |   root /var/www/;
  index index.php                                                 index index.php 
  location / {                                                    location / {
    try_files $uri $uri/ /index.html =404;                          try_files $uri $uri/ /index.html =404;
    autoindex on;                                                   autoindex on;
  }                                                               }
  location ~ /.well-known {                                       location ~ /.well-known {
    allow all;                                                      allow all;
  }                                                               }
  location ~ \.php$ {                                             location ~ \.php$ {
    include snippets/fastcgi-php.conf;                              include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/var/run/php5-fpm.sock;                       fastcgi_pass unix:/var/run/php5-fpm.sock;
  }                                                               }
}                                                               }
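
Review bot: `index index.php` in both 443 blocks has no terminating `;`, so the `location / {` that follows is read as part of the directive and nginx will reject the config; add the semicolon. The `ssl_certificate` and `ssl_certificate_key` lines are cut off at the column edge (no `;`, key path ending in `privkey.p`), so take those directives from the actual files rather than from this listing. `autoindex on;` inside `location /` turns on directory listings for both sites and is worth dropping unless browsing is intended. `location ~ /.well-known` is an unanchored regex with an unescaped dot, so it matches that string anywhere in the URI; a prefix match such as `location ^~ /.well-known/` is tighter.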

Note the folder that contains the SSL certificates: /etc/letsencrypt/live/default/. You may need to rename the folders that letsencrypt generated.
