
SSL Domains Letsencrypt Parking HTTPS domains with Letsencrypt SSL certificates ?

Discussion in 'Domains, DNS, Email & SSL Certificates' started by VovaZ, Jul 3, 2019.

  1. VovaZ

    VovaZ New Member

    Another question, maybe not here...
    How do I add a domain with aliases so that Let's Encrypt understands that the main mirror has aliases and issues a certificate?
     
  2. eva2000

    eva2000 Administrator Staff Member

    You currently can't automate parking one HTTPS SSL cert enabled domain (yourparkeddomain.com) on top of another HTTPS SSL cert enabled domain (domain.com), as you need each domain to have its own SSL certificate reference and Centmin Mod 123.09beta01 can only do one domain Letsencrypt SSL certificate issuance per centmin.sh menu option 2, 22 or nv command run. See the instructions below for Parked HTTPS SSL Domains.

    Parked HTTPS SSL Domains



    Parked domains means different domains and/or subdomains that all point to the same IP address and site content when accessed in a web browser. The methods outlined below are NOT for multiple domains pointing to different site/content.

    As there's no way to automate this, you have 2 manual methods available:

    Manual Method 1 - Do manual Nginx vhost creation via the underlying acme.sh client. If you have not yet created any of the intended domains/nginx vhosts, you can use addons/acmetool.sh directly via SANS Multi-Domain SSL Certificates method. Otherwise, if some or all intended domains/nginx vhosts have already been created then use manual method as discussed in steps in this post here and here.

    Manual Method 2 - create a domain Nginx HTTPS vhost site for each domain.

    It would be a manual process which involves creating the parked domain's own Nginx HTTPS SSL cert enabled vhost via centmin.sh menu option 2 or nv command, setting it up with valid working DNS A records for the domain's www and non-www versions if it is a main domain, or a DNS A record if it is a subdomain, ensuring it's working, selecting the letsencrypt option with live default HTTPS SSL cert, and then editing its nginx config file at /usr/local/nginx/conf/conf.d/yourparkeddomain.com.ssl.conf and just changing the root path to your origin domain's root.

    in /usr/local/nginx/conf/conf.d/yourparkeddomain.com.ssl.conf change its default public web root path from
    Code (Text):
    root /home/nginx/domains/yourparkeddomain.com/public;

    to
    Code (Text):
    root /home/nginx/domains/domain.com/public;

    which now matches the public web root for domain.com nginx vhost listed in domain.com nginx vhost config file at /usr/local/nginx/conf/conf.d/domain.com.ssl.conf

    now both yourparkeddomain.com and domain.com public web root paths point to /home/nginx/domains/domain.com/public so access via the domains will serve files located in /home/nginx/domains/domain.com/public. It does mean that any configurations you manually setup in /usr/local/nginx/conf/conf.d/domain.com.ssl.conf need to be replicated in /usr/local/nginx/conf/conf.d/yourparkeddomain.com.ssl.conf.

    you can use common include file templates you set to make it easier i.e. if in both /usr/local/nginx/conf/conf.d/yourparkeddomain.com.ssl.conf and /usr/local/nginx/conf/conf.d/domain.com.ssl.conf you have a custom location content like
    Code (Text):
    location /test {
      include /usr/local/nginx/conf/php.conf;
      try_files $uri $uri/ /index.php;
    }

    you could place that location /test context into a custom template file you create at /home/nginx/domains/domain.com/common_includes.conf and reference it in both /usr/local/nginx/conf/conf.d/yourparkeddomain.com.ssl.conf and /usr/local/nginx/conf/conf.d/domain.com.ssl.conf as
    Code (Text):
    include /home/nginx/domains/domain.com/common_includes.conf;

    Final note in origin domain's nginx vhost at /usr/local/nginx/conf/conf.d/domain.com.ssl.conf also add canonical header to ensure search engines visiting domain.com know content is originally at domain.com to prevent search engines from flagging yourparkeddomain.com content as duplicated content.
    Code (Text):
    add_header Link "<http://domain.com$request_uri>; rel=\"canonical\"";
    

    i.e. placing the header just below existing add_header entries in default nginx vhost config for HTTPS SSL domains
    Code (Text):
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      add_header Link "<http://domain.com$request_uri>; rel=\"canonical\"";
    

    then restart nginx and php-fpm services
    Code (Text):
    nprestart

    To confirm just run curl command in SSH against your domain i.e. curl headers and grep filter for word canonical
    Code (Text):
    curl -sI https://domain.com | grep canonical
    

    output would be something like
    Code (Text):
    curl -sI https://domain.com | grep canonical
    Link: <http://domain.com/>; rel="canonical"
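
Added example, not part of the original post and not Centmin Mod's own code: Manual Method 2 relies on the parked vhost repeating whatever was set up by hand in the origin vhost, so a missing `add_header`, `include` or `location` line means the same content is served without that setting on the parked domain. The function names and the trimmed sample vhosts are assumptions made for this sketch; the paths follow the post.

```shell
# Added example, not Centmin Mod code; the sample vhosts are constructed.
# Path of the first "root" directive in a vhost file.
vhost_root() {
  awk '$1 == "root" { sub(/;$/, "", $2); print $2; exit }' "$1"
}

# Active add_header/include/location lines, whitespace-normalized. Commented
# lines are skipped, and so is the canonical Link header, which the post adds
# to the origin vhost only.
vhost_directives() {
  awk '($1 == "add_header" && $2 != "Link") || $1 == "include" ||
       $1 == "location" { $1 = $1; print }' "$1" | sort -u
}

# Directives in the origin vhost ($1) that the parked vhost ($2) lacks.
missing_in_parked() {
  parked_list=$(vhost_directives "$2")
  vhost_directives "$1" | while IFS= read -r line; do
    printf '%s\n' "$parked_list" | grep -Fxq -- "$line" || printf '%s\n' "$line"
  done
}

# Succeeds only when both roots match and nothing is missing.
check_parked() {
  [ "$(vhost_root "$1")" = "$(vhost_root "$2")" ] || return 1
  [ -z "$(missing_in_parked "$1" "$2")" ]
}

# Constructed sample vhosts, trimmed to the directives that matter here.
sample_dir=$(mktemp -d)
cat > "$sample_dir/domain.com.ssl.conf" <<'EOF'
server {
  server_name domain.com www.domain.com;
  add_header X-Content-Type-Options "nosniff" always;
  add_header Link "<http://domain.com$request_uri>; rel=\"canonical\"";
  root /home/nginx/domains/domain.com/public;
  include /home/nginx/domains/domain.com/common_includes.conf;
}
EOF
cat > "$sample_dir/yourparkeddomain.com.ssl.conf" <<'EOF'
server {
  server_name yourparkeddomain.com www.yourparkeddomain.com;
  add_header X-Content-Type-Options "nosniff" always;
  root /home/nginx/domains/domain.com/public;
}
EOF

missing_in_parked "$sample_dir/domain.com.ssl.conf" \
  "$sample_dir/yourparkeddomain.com.ssl.conf"
```

On a real server the two arguments would be the files under /usr/local/nginx/conf/conf.d/ named in the post; the comparison is line-based, so a directive written differently in each file is reported as missing.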