Nginx
BloodVIRUS, 2019-08-02 11:01:31

How to connect ssl in nginx if the certificate file is present?

Hello. I have all 3rd level domains linked to the server. That is, if you go to dev1.site.ru or alex.site.ru, everything will lead to my server. The nginx config for this is simple:
server {
  listen 80;
  server_name ~^(www\.)?(?.+)$;
  root /var/www/users/$domain;
}
This construction works great. But there was a need to check the folder with ssl certificates, and if there are certificates for the domain, connect them. For tests, I used a free letsencrypt certificate.
The idea is this: I make two such configs, one for port 80 and the second for 443 with ssl. In the second I connect a certificate, and in the first I check whether the certificate file exists; if it does, I redirect.
if (-f /var/ssl/$domain/privkey.pem) {
  rewrite ^/(.*)$ https://$domain/$1 permanent;
}
Everything works with a bang. But..
ssl_certificate /etc/letsencrypt/live/$domain/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
Browser tells me:
This site cannot provide a secure connection The site dev1.site.ru sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
But if I connect the certificate in the direct path, everything works:
ssl_certificate /etc/letsencrypt/live/dev1.site.ru/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/dev1.site.ru/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
Some kind of magic..

4 answer(s)
Alexander Chernykh, 2019-08-02
@sashkets

I don't understand why such trouble;
isn't it better to make yourself a wildcard from LE and not worry?

TyzhSysAdmin, 2019-08-02
@POS_troi

LetsEncrypt knows how to do Wildcard.
Well, look at what kind of certificate the server gives you, and don't forget about the logs.
In the browser, or with curl to help:

* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* 	subject: CN=*.sysalex.com <-- one
* 	start date: May 27 05:07:30 2019 GMT
* 	expire date: Aug 25 05:07:30 2019 GMT
* 	common name: *.sysalex.com <-- two
* 	issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US

Viktor Taran, 2019-08-02
@shambler81

server_name ~^(www\.)?(?.+)$; What kind of improvisation is this? What is all this extra for?
Firstly, you violate the philosophy of nginx itself: the creator of nginx himself said more than once that !!!
I INTENTIONALLY did not introduce the normal use of variables in the configuration files, because it is more correct to copy a piece of a file 10 times than to fill it with a variable; the admin won't strain himself copying two lines.
And I can tell you that he is right.
2. When you generate a site, you do it anyway by some means; YOU DON'T WRITE IT ALL BY HAND WHEN THERE ARE MILLIONS OF WEB INTERFACES?
3. If you don't have a problem with www, just make a symlink to the folder with www, and you don't have to go out of your way.
4. Working with and without a certificate is fundamentally different, AT LEAST in that when you access via http, you first get the domain name and then work.
HTTPS software first works with the keys, and only after that can you get even a byte of information in this channel, including the site name. So don't reinvent the wheel.
Generate configs for each site, and in this case I would also recommend separate ones for http and https; an error in one of them then does not bring down the second interface.
Well, the default config should be called 000-default..., where 000 indicates that it will be the first one when serving (because, as I described in point 4, if the site does not have https, the server can physically find this out only after receiving the keys, so the web server will take the "nearest" one, sorting strictly by letter; 000 is simply the first ;)).
Well, it's a banal convenience: different sites require additional changes in the configs.
And so, in your model, where would you write them?
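The question's runtime `-f` check and this answer's advice (one config per site, http and https in separate files, literal certificate paths instead of variables) can be combined in a small generator. The script below is an added POSIX sh example, not code from the original post, from nginx or from certbot. It assumes the question's layout: certbot keeps `fullchain.pem`/`privkey.pem` under `LIVE_DIR` (default `/etc/letsencrypt/live`), each domain has a document root under `WEB_ROOT` (default `/var/www/users`), and the generated snippets go to an assumed `OUT_DIR` (default `/etc/nginx/sites-generated`) that the main nginx config is expected to `include`. The file naming (`DOMAIN.http.conf`, `DOMAIN.https.conf`) is also an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): generate one http and one https
# server block per domain. TLS is enabled only for domains whose Let's Encrypt
# files exist, so the certificate check happens once at generation time instead
# of inside nginx on every request, and ssl_certificate gets a literal path.
# LIVE_DIR, WEB_ROOT and OUT_DIR are assumed paths mirroring the question.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
WEB_ROOT="${WEB_ROOT:-/var/www/users}"
OUT_DIR="${OUT_DIR:-/etc/nginx/sites-generated}"

# has_cert DOMAIN: true when both certificate files are present.
has_cert() {
    [ -f "$LIVE_DIR/$1/fullchain.pem" ] && [ -f "$LIVE_DIR/$1/privkey.pem" ]
}

# http_block DOMAIN: plain http server; redirects to https only if a cert exists,
# otherwise serves the site directly (the question's behaviour without TLS).
http_block() {
    domain="$1"
    printf 'server {\n    listen 80;\n    server_name %s www.%s;\n' "$domain" "$domain"
    if has_cert "$domain"; then
        printf '    return 301 https://%s$request_uri;\n' "$domain"
    else
        printf '    root %s/%s;\n' "$WEB_ROOT" "$domain"
    fi
    printf '}\n'
}

# https_block DOMAIN: TLS server with literal certificate paths (no $domain
# variable in ssl_certificate, which is what failed in the question).
https_block() {
    domain="$1"
    printf 'server {\n    listen 443 ssl;\n    server_name %s www.%s;\n' "$domain" "$domain"
    printf '    root %s/%s;\n' "$WEB_ROOT" "$domain"
    printf '    ssl_certificate %s/%s/fullchain.pem;\n' "$LIVE_DIR" "$domain"
    printf '    ssl_certificate_key %s/%s/privkey.pem;\n' "$LIVE_DIR" "$domain"
    printf '    include /etc/letsencrypt/options-ssl-nginx.conf;\n'
    printf '    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;\n'
    printf '}\n'
}

# generate_site DOMAIN: always writes DOMAIN.http.conf; writes DOMAIN.https.conf
# only when a certificate exists (and removes a stale one otherwise).
# Prints the number of files written.
generate_site() {
    domain="$1"
    mkdir -p "$OUT_DIR"
    http_block "$domain" > "$OUT_DIR/$domain.http.conf"
    if has_cert "$domain"; then
        https_block "$domain" > "$OUT_DIR/$domain.https.conf"
        echo 2
    else
        rm -f "$OUT_DIR/$domain.https.conf"
        echo 1
    fi
}

# generate_all: one http/https pair per document root found under WEB_ROOT.
generate_all() {
    for dir in "$WEB_ROOT"/*/; do
        [ -d "$dir" ] || continue
        generate_site "$(basename "$dir")"
    done
}

# Usage: LIVE_DIR=... WEB_ROOT=... OUT_DIR=... sh gen-vhosts.sh --all
if [ "${1:-}" = "--all" ]; then
    generate_all
fi
```

Run it after each certbot issuance or renewal and then reload nginx; because every `ssl_certificate` line is a literal path, `nginx -t` checks that each file actually exists before the config goes live, which the variable-based version in the question could not do.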

Konstantin   , 2019-12-16
@SynCap

server {
  listen 80;
  server_name ~^(www\.)?(?<domain>.+)$;
  root /var/www/users/$domain;
}

In the third line they forgot the name of the regexp capture group, so in some nginx versions $domain will be empty, and in others nginx will complain about the invalid config and stop processing the block.
So it turns out that there is, as it were, no certificate.
