
Letsencrypt - Let's Encrypt will work on subdomain using a CNAME record?

Discussion in 'Domains, DNS, Email & SSL Certificates' started by pamamolf, Jul 3, 2019.

  1. pamamolf

    pamamolf (Premium Member, joined May 31, 2014)
    Nginx-1.17.x
    MariaDB 10.3.x
    Hello

    I am testing a CDN on my domain and it works when I use Cloudflare, with no issues, having a CNAME record of:
    Code:
    cdn.mydomain.com
    When I disable Cloudflare it doesn't work and I should get a certificate for:
    Code:
    cdn.mydomain.com
    Is the correct way to create a new Nginx subdomain and get a certificate for it?
    Will having only a CNAME work?

    Or should I do something else?

    Thank you !
     
  2. eva2000

    eva2000 (Administrator, Staff Member, joined May 24, 2014, Brisbane, Australia)
    Nginx 1.17.x
    MariaDB 5.5/10.x
    That's a tricky one, as cdn.mydomain.com needs to be:
    1. pointing to the same site as your mydomain.com, so the same IP (that you configure in the CDN settings as your origin IP)
    2. if using Cloudflare Strict SSL and not Flexible SSL, the origin needs to have an SSL certificate and HTTPS as well; with Flexible SSL the nginx origin can be non-HTTPS
    Are you using Flexible SSL or Full SSL for Cloudflare?

    You can use a Cloudflare page rule for cdn.mydomain.com requests so that it uses Flexible SSL, and just have a non-HTTPS cdn.mydomain.com nginx vhost via centmin.sh menu option 2 which uses your mydomain.com's web root in the nginx vhost config, so access to non-HTTPS cdn.mydomain.com will point to the same web root as mydomain.com.
     
  3. pamamolf

    I am using Full SSL and not Strict....
     
  4. eva2000

    You can just use cdn.mydomain.com via centmin.sh menu option 2 with Letsencrypt SSL issuance and change the web root to point to mydomain.com's version, i.e. method 2 below.

    You currently can't automate parking one HTTPS SSL cert enabled domain (yourparkeddomain.com) on top of another HTTPS SSL cert enabled domain (domain.com), as each domain needs to have its own SSL certificate reference and Centmin Mod 123.09beta01 can only do one domain's Letsencrypt SSL certificate issuance per centmin.sh menu option 2, 22 or nv command run. See below instructions for Parked HTTPS SSL Domains.

    Parked HTTPS SSL Domains



    Parked domains meaning different domains and/or subdomains all point to the same IP address and site content when accessed in a web browser. The methods outlined below are NOT for multiple domains pointing to different sites/content.

    As there's no way to automate this, you have 2 manual methods available.

    Manual Method 1 - Do manual Nginx vhost creation via the underlying acme.sh client. If you have not yet created any of the intended domains/nginx vhosts, you can use addons/acmetool.sh directly via the SAN Multi-Domain SSL Certificates method. Otherwise, if some or all intended domains/nginx vhosts have already been created, then use the manual method as discussed in the steps in this post here and here.

    Manual Method 2 - Create a domain Nginx HTTPS vhost site for each domain.

    It would be a manual process which involves creating the parked domain's own Nginx HTTPS SSL cert enabled vhost via centmin.sh menu option 2 or the nv command, setting it up with valid working DNS A records for the domain's www and non-www versions if it's a main domain (or a DNS A record for a subdomain), ensuring it's working and selecting the letsencrypt option with the live default HTTPS SSL cert. Then edit its nginx config file at /usr/local/nginx/conf/conf.d/yourparkeddomain.com.ssl.conf and just change the root path to your origin domain's root.

    In /usr/local/nginx/conf/conf.d/yourparkeddomain.com.ssl.conf change its default public web root path from
    Code (Text):
    root /home/nginx/domains/yourparkeddomain.com/public

    to
    Code (Text):
    root /home/nginx/domains/domain.com/public

    which now matches the public web root for the domain.com nginx vhost listed in the domain.com nginx vhost config file at /usr/local/nginx/conf/conf.d/domain.com.ssl.conf.

    Now both yourparkeddomain.com and domain.com public web root paths point to /home/nginx/domains/domain.com/public, so access via either domain will serve files located in /home/nginx/domains/domain.com/public. It does mean that any configurations you manually set up in /usr/local/nginx/conf/conf.d/domain.com.ssl.conf need to be replicated in /usr/local/nginx/conf/conf.d/yourparkeddomain.com.ssl.conf.

    You can use common include file templates to make this easier, i.e. if in both /usr/local/nginx/conf/conf.d/yourparkeddomain.com.ssl.conf and /usr/local/nginx/conf/conf.d/domain.com.ssl.conf you have custom location content like
    Code (Text):
    location /test {
      include /usr/local/nginx/conf/php.conf;
      try_files $uri $uri/ /index.php;
    }

    You could place that location /test context into a custom template file you create at /home/nginx/domains/domain.com/common_includes.conf and reference it in both /usr/local/nginx/conf/conf.d/yourparkeddomain.com.ssl.conf and /usr/local/nginx/conf/conf.d/domain.com.ssl.conf as
    Code (Text):
    include /home/nginx/domains/domain.com/common_includes.conf;

    Final note: in the origin domain's nginx vhost at /usr/local/nginx/conf/conf.d/domain.com.ssl.conf also add a canonical header, to ensure search engines visiting domain.com know the content is originally at domain.com and to prevent search engines from flagging yourparkeddomain.com content as duplicate content.
    Code (Text):
    add_header Link "<http://domain.com$request_uri>; rel=\"canonical\"";
    

    i.e. placing the header just below the existing add_header entries in the default nginx vhost config for HTTPS SSL domains:
    Code (Text):
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      add_header Link "<http://domain.com$request_uri>; rel=\"canonical\"";
    

    Then restart the nginx and php-fpm services:
    Code (Text):
    nprestart

    To confirm, just run a curl command in SSH against your domain, i.e. curl the headers and grep filter for the word canonical:
    Code (Text):
    curl -sI https://domain.com | grep canonical
    

    Output would be something like:
    Code (Text):
    curl -sI https://domain.com | grep canonical
    Link: <http://domain.com/>; rel="canonical"
    
     
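Method 2 above ends with the caveat that anything set up by hand in domain.com.ssl.conf has to be replicated in yourparkeddomain.com.ssl.conf. The shell script below is an added example (not part of this post and not Centmin Mod's code) that makes that check mechanical: it reads the `root` of two vhost files and diffs their server-level add_header, include and location lines, so a parked vhost that silently lacks the common include or a header shows up before nginx is reloaded. The vhost files it writes under mktemp are constructed samples that reuse the paths from the post; they are not the configs Centmin Mod generates.

```bash
#!/usr/bin/env bash
# Added example (not from the thread or Centmin Mod): check that a parked
# domain's vhost mirrors the origin vhost as Method 2 requires.

# Print the first server-level `root` path declared in an nginx vhost file.
vhost_root() {
  awk '$1 == "root" { sub(/;.*/, "", $2); print $2; exit }' "$1"
}

# Print the add_header / include / location lines of a vhost, whitespace
# normalised and sorted. Commented-out lines (#add_header ...) are skipped
# because their first field is not the bare directive name.
vhost_directives() {
  awk '$1 == "add_header" || $1 == "include" || $1 == "location" { $1 = $1; print }' "$1" \
    | sort -u
}

# Return 0 when origin ($1) and parked ($2) vhosts share a root and the parked
# vhost carries every directive the origin has; otherwise report and return 1.
parked_vhost_consistent() {
  local origin="$1" parked="$2" rc=0 tmp missing
  if [ "$(vhost_root "$origin")" != "$(vhost_root "$parked")" ]; then
    echo "root differs: $(vhost_root "$origin") vs $(vhost_root "$parked")"
    rc=1
  fi
  tmp=$(mktemp -d)
  vhost_directives "$origin" > "$tmp/origin"
  vhost_directives "$parked" > "$tmp/parked"
  missing=$(comm -23 "$tmp/origin" "$tmp/parked")
  rm -rf "$tmp"
  if [ -n "$missing" ]; then
    printf 'in %s but not in %s:\n%s\n' "$origin" "$parked" "$missing"
    rc=1
  fi
  return "$rc"
}

# Constructed sample vhosts (paths as in the post, content invented for the
# demo). The first parked vhost forgets the common include; the "fixed" one
# replicates everything the origin has.
make_sample_vhosts() {
  cat > "$1/domain.com.ssl.conf" <<'EOF'
server {
  server_name domain.com www.domain.com;
  root /home/nginx/domains/domain.com/public;
  add_header X-Content-Type-Options "nosniff" always;
  add_header Link "<http://domain.com$request_uri>; rel=\"canonical\"";
  include /home/nginx/domains/domain.com/common_includes.conf;
}
EOF
  cat > "$1/yourparkeddomain.com.ssl.conf" <<'EOF'
server {
  server_name yourparkeddomain.com www.yourparkeddomain.com;
  root /home/nginx/domains/domain.com/public;
  add_header X-Content-Type-Options "nosniff" always;
  add_header Link "<http://domain.com$request_uri>; rel=\"canonical\"";
}
EOF
  cat > "$1/yourparkeddomain.com.fixed.conf" <<'EOF'
server {
  server_name yourparkeddomain.com www.yourparkeddomain.com;
  root /home/nginx/domains/domain.com/public;
  add_header X-Content-Type-Options "nosniff" always;
  add_header Link "<http://domain.com$request_uri>; rel=\"canonical\"";
  include /home/nginx/domains/domain.com/common_includes.conf;
}
EOF
}

# Demo: a report for the first parked vhost, an OK line for the fixed one.
demo() {
  local d; d=$(mktemp -d)
  make_sample_vhosts "$d"
  parked_vhost_consistent "$d/domain.com.ssl.conf" "$d/yourparkeddomain.com.ssl.conf" || true
  parked_vhost_consistent "$d/domain.com.ssl.conf" "$d/yourparkeddomain.com.fixed.conf" && echo "fixed vhost OK"
  rm -rf "$d"
}
demo
```

On a live server the two arguments are simply the real files under /usr/local/nginx/conf/conf.d/; run it after every manual edit to the origin vhost and before `nprestart`. The comparison is deliberately one-directional (origin minus parked): extra directives in the parked vhost are not flagged, only things the origin has that the parked copy lost.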
  5. pamamolf

    Ok, I did a test and it didn't work, as Let's Encrypt was not able to verify the subdomain since I don't have any A record for it. I think that's normal, but I can't add one as I have the CNAME cdn.mydomain.com and Cloudflare is not accepting an A record with a name like cdn if that name exists as a CNAME....

    If I remove the CNAME and add the A record I think it will work, but then the CDN will not work :(

    Or should I remove the CNAME record, add an A record, get the certificate and then revert back to the CNAME record? It will not renew then.... ?

    What did I miss?
     
    Last edited: Jul 3, 2019
  6. eva2000

    Try enabling CNAME Flattening in the Cloudflare DNS tab, i.e.:

    [screenshot of the Cloudflare DNS CNAME Flattening setting]
     
  7. pamamolf

    It is already at that option but grayed out and I can't change it....

    [screenshot]

    I don't think that it will work without an A record :(
     
  8. eva2000

    You need to have a paid CF Pro, Business or Enterprise plan for non-root flattening: Understand and configure CNAME Flattening

    So it should work for you if the CNAME IP is the same as your domain root's main IP.

    The other option is, in your main domain nginx vhost, to add cdn.domain.com to server_name as an alias/park, and add a page rule changing it to CF Full (non-strict). Then see if it would try to contact cdn.domain.com: Centmin Mod nginx will catch it in that main domain nginx vhost and still pass it through, as CF Full (non-strict) doesn't validate the SSL certificate/HTTPS on the origin main domain HTTPS backend, which would otherwise give an invalid SSL cert error since cdn.domain.com isn't in the main domain's SSL certificate common name/SAN list.
     
  9. pamamolf

    It is not the same IP, as it has the IP of the CDN provider and not my server IP...
     
  10. eva2000

    That's probably why Letsencrypt is failing then - you'd need to turn off Cloudflare proxying (use the grey cloud and not the orange cloud) so Cloudflare is used only for DNS.
     
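Posts 5 to 10 circle one precondition of the HTTP-01 challenge that acmetool.sh runs: the name being certified has to resolve, through any CNAME chain, to the nginx that will answer the challenge, and cdn.mydomain.com resolves to the CDN provider instead. The shell below is an added example (not the poster's, not Centmin Mod's) that follows a CNAME chain in `dig +noall +answer` style output and says whether the terminal addresses are the origin. The answer section is constructed: only the first CNAME is the record the poster gives further down the thread, the addresses are RFC 5737 documentation ranges, and the origin IP is invented.

```bash
#!/usr/bin/env bash
# Added example (not from the thread or Centmin Mod): decide from DNS answers
# whether an HTTP-01 challenge for a name would reach this origin at all.

# Constructed `dig +noall +answer` style answer section. Only the first CNAME
# matches the poster's record; the A records use RFC 5737 documentation
# addresses and do not belong to Wasabi or to the poster.
SAMPLE_ANSWERS='cdn.mydomain.com.  300  IN  CNAME  cdn.mydomain.com.s3.us-west-1.wasabisys.com.
cdn.mydomain.com.s3.us-west-1.wasabisys.com.  60  IN  A  192.0.2.10
mydomain.com.  300  IN  A  198.51.100.7
www.mydomain.com.  300  IN  CNAME  mydomain.com.'
ORIGIN_IP=198.51.100.7   # constructed origin address

# Follow CNAMEs for name $1 inside answer text $2 and print the terminal A/AAAA
# addresses, one per line. Returns 1 on a CNAME loop or a chain longer than 8.
dns_terminal_addrs() {
  local name="${1%.}." answers="$2" hops=0 target
  while [ "$hops" -lt 8 ]; do
    target=$(printf '%s\n' "$answers" | awk -v n="$name" '$1 == n && $4 == "CNAME" { print $5; exit }')
    if [ -z "$target" ]; then
      printf '%s\n' "$answers" | awk -v n="$name" '$1 == n && ($4 == "A" || $4 == "AAAA") { print $5 }'
      return 0
    fi
    name="$target"
    hops=$((hops + 1))
  done
  return 1
}

# Return 0 only when name $1 has at least one terminal address and every one
# of them equals origin $2 (answers in $3). Anything else means the ACME
# validator's HTTP request lands somewhere this nginx cannot answer.
acme_http01_reaches_origin() {
  local addrs a
  addrs=$(dns_terminal_addrs "$1" "$3") || return 1
  [ -n "$addrs" ] || return 1
  for a in $addrs; do
    [ "$a" = "$2" ] || return 1
  done
  return 0
}

# One-line verdict per name, e.g. before running acmetool.sh or centmin.sh option 2.
report() {
  if acme_http01_reaches_origin "$1" "$ORIGIN_IP" "$SAMPLE_ANSWERS"; then
    echo "$1: terminates at origin $ORIGIN_IP, HTTP-01 can be answered here"
  else
    echo "$1: terminates at $(dns_terminal_addrs "$1" "$SAMPLE_ANSWERS" | tr '\n' ' ')(not origin), HTTP-01 from this nginx will fail"
  fi
}

report mydomain.com
report www.mydomain.com
report cdn.mydomain.com
```

Against a live zone, replace SAMPLE_ANSWERS with the output of `dig +noall +answer cdn.mydomain.com`; dig returns the CNAME chain and the terminal A records in one answer section. When the name is orange-clouded the terminal addresses are Cloudflare's, which is the grey-cloud point made in post 10 above; when it is a CNAME to a storage bucket, they are the bucket host's, and in neither case can the HTTP challenge be answered from the origin nginx.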
  11. pamamolf

    Then I will lose performance :)

    Ok, anyway....
     
  12. eva2000

    The CDN already accelerates your static files? Or am I missing something else? You don't need a 3rd party CDN if you use Cloudflare - so it's either use the CDN or Cloudflare, not both, unless your CDN supports Cloudflare specifically.
     
  13. pamamolf

    I am using Wasabi for cloud storage, and from there the files go to Cloudflare and from there to my users.
    If I am not wrong :)

    The bucket name is:
    Code:
    cdn.mydomain.com
    I use this DNS entry at Cloudflare (orange cloud):
    Code:
    Cname: cdn -> cdn.mydomain.com.s3.us-west-1.wasabisys.com
    All working great! Images are coming to users from:
    Code:
    https://cdn.mydomain.com/blablabla
    Now when I disable Cloudflare by pausing it, my forum doesn't work and images are not loading, and I can see an SSL self-signed or not valid error... Something like that....

    So I thought that I must find a way to have a valid certificate for that....

    Thank you George :)
     
  14. eva2000

    Then method 1's manual steps might be the way to add cdn.mydomain.com to your mydomain.com Letsencrypt SSL cert.
     
  15. pamamolf

    Will it not detect that cdn.mydomain.com doesn't have an A record (not possible to add, as I use the same entry as a CNAME) and that the IP behind it is not my server's, and fail?
     
  16. eva2000

  17. pamamolf

    Ok, that almost worked :)
    Code:
    ./acmetool.sh certonly-issue cdn.mydomain.com live
    Code:
    Your cert is in  /root/.acme.sh/cdn.mydomain.com/cdn.mydomain.com.cer
    Your cert key is in  /root/.acme.sh/cdn.mydomain.com/cdn.mydomain.com.key
    The intermediate CA cert is in  /root/.acme.sh/cdn.mydomain.com/ca.cer
    And the full chain certs is there:  /root/.acme.sh/cdn.mydomain.com/fullchain.cer
    
    and then i run:

    Code:
    /root/.acme.sh/acme.sh --installcert -d cdn.mydomain.com --certpath /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.key --capath /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-fullchain-acme.key
    output:
    Code:
    Installing cert to:/usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.cer
    Installing CA to:/usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.cer
    Installing key to:/usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.key
    Installing full chain to:/usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-fullchain-acme.key
    Run reload cmd: /usr/bin/ngxreload
    Reloading nginx configuration (via systemctl):             [  OK  ]
    Reload success
    
    
    It seems OK!

    Then I check the vhost file and I see that it uses this:
    Code:
    include /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com.crt.key.conf;
    So I edit that file and now I have there:

    Code:
      ssl_dhparam /usr/local/nginx/conf/ssl/cdn.mydomain.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.key;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.cer;
    But nginx doesn't start after that :(
     
    Last edited: Jul 5, 2019
  18. pamamolf

    Code:
    systemctl status nginx.service
    Code:
    [emerg] SSL_CTX_use_PrivateKey("/usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.key") failed (SSL: erro...alues mismatch)
     
  19. pamamolf

    Something doesn't match but I don't know why or what I may have done wrong :(
     
  20. eva2000

    What's the output for
    Code (Text):
    grep -in 'ssl_' /usr/local/nginx/conf/conf.d/cdn.mydomain.com.ssl.conf 
    

    and
    Code (Text):
    ls -lahrt /usr/local/nginx/conf/ssl/cdn.mydomain.com/
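The `[emerg] SSL_CTX_use_PrivateKey ... key values mismatch` in post 18 means the file nginx loaded as ssl_certificate does not carry the public key that belongs to the ssl_certificate_key file. One thing visible in post 17 is that the --installcert command passes the same path, cdn.mydomain.com-acme.cer, to both --certpath and --capath, and acme.sh then reports "Installing cert to" followed by "Installing CA to" for that one path, so what ends up in the file is most likely the CA certificate rather than the cdn.mydomain.com leaf (the full chain, meanwhile, went to a file named *-fullchain-acme.key). The shell below is an added example, not the poster's or Centmin Mod's code: it checks a cert/key pair by comparing public-key fingerprints and prints the subject actually present in a certificate file, which is the quickest way to tell a leaf from an overwritten CA cert. Its self-test generates throwaway material with openssl under mktemp and never touches /usr/local/nginx.

```bash
#!/usr/bin/env bash
# Added example (not from the thread or Centmin Mod): diagnose nginx's
# "SSL_CTX_use_PrivateKey ... key values mismatch" before reloading.

# SHA-256 fingerprint of the public key inside a PEM certificate ($1).
cert_pubkey_fingerprint() {
  local pub
  pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  printf '%s\n' "$pub" | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{ print $NF }'
}

# SHA-256 fingerprint of the public key derived from a PEM private key ($1).
key_pubkey_fingerprint() {
  local pub
  pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  printf '%s\n' "$pub" | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{ print $NF }'
}

# 0 when certificate $1 and key $2 belong together, 1 otherwise (also when
# either file cannot be parsed as what it is supposed to be).
check_cert_key_pair() {
  local c k
  c=$(cert_pubkey_fingerprint "$1") || return 1
  k=$(key_pubkey_fingerprint "$2") || return 1
  [ "$c" = "$k" ]
}

# Subject of the FIRST certificate in a PEM file. A file named after your
# domain whose subject is an issuer name instead of CN=cdn.mydomain.com has
# had the CA certificate written over the leaf.
cert_subject() {
  openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/^subject= *//'
}

# Self-test on constructed material: a self-signed cert plus its key, and an
# unrelated key standing in for "the key that no longer matches". Returns 0
# when the matching pair passes and the mismatched pair is rejected.
demo_mismatch() {
  local d rc=0
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=cdn.example.test" \
    -keyout "$d/good.key" -out "$d/leaf.cer" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/other.key" 2>/dev/null
  check_cert_key_pair "$d/leaf.cer" "$d/good.key" || rc=1
  check_cert_key_pair "$d/leaf.cer" "$d/other.key" && rc=1
  rm -rf "$d"
  return "$rc"
}

# Real-world use with the paths from cdn.mydomain.com.crt.key.conf:
#   cert_subject        /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.cer
#   check_cert_key_pair /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.cer \
#                       /usr/local/nginx/conf/ssl/cdn.mydomain.com/cdn.mydomain.com-acme.key \
#     && echo match || echo MISMATCH
demo_mismatch && echo "pair check behaves as expected"
```

Run cert_subject on the file nginx has as ssl_certificate first: if it does not name cdn.mydomain.com, no amount of key swapping will help, and the fix is to re-run --installcert with distinct --certpath, --capath and --fullchainpath files (and to point ssl_certificate at the full chain, not the bare leaf or the CA file) before `ngxreload`. The fingerprint comparison then confirms that the chosen certificate and key really are a pair.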