nginx wildcard ssl configuration

Question

I have this nginx configuration for my site and using a wildcard certificate for my domain

server {
    server_name *.domain;
    root /var/www;

    index index.php;

    listen *:80;
    listen *:443 ssl http2;
    listen [::]:443 ssl http2;

    # indicate locations of SSL key files.
    ssl_certificate /etc/nginx/ssl/domain.chained.crt;
    ssl_certificate_key /etc/nginx/ssl/domain.key;
    ssl_trusted_certificate /etc/nginx/ssl/domain.crt;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_stapling on;

    # Enable HSTS. This forces SSL on clients that respect it, most modern browsers. The includeSubDomains flag is optional.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    # Set caches, protocols, and accepted ciphers. This config will merit an A+ SSL Labs score as of Sept 2015.
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

    # config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
    # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

    # WordPress single site rules.
    # Designed to be included in any server {} block.

    # This order might seem weird - this is attempted to match last if rules below fail.
    # http://wiki.nginx.org/HttpCoreModule
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Add trailing slash to */wp-admin requests.
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;

    # Directives to send expires headers and turn off 404 error logging.
    location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
           access_log off; log_not_found off; expires max;
    }

    # Uncomment one of the lines below for the appropriate caching plugin (if used).
    #include global/wordpress-wp-super-cache.conf;
    #include global/wordpress-w3-total-cache.conf;

    # Pass all .php files onto a php-fpm/php-fcgi server.
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
        # This is a robust solution for path info security issue and works with "cgi.fix_pathinfo = 1" in /etc/php.ini (default)

        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #   fastcgi_intercept_errors on;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        fastcgi_buffer_size 16k;
        fastcgi_buffers 4 16k;
    }


    error_log /var/log/nginx/error.log;
    access_log /var/log/nginx/access.log;
}

But im getting the error

NET::ERR_CERT_COMMON_NAME_INVALID

with message

This server could not prove that it is staging.wp.domain; its security certificate is from *.domain. This may be caused by a misconfiguration or an attacker intercepting your connection.

What im missing.

Thanks

Answer 1

This server could not prove that it is staging.wp.domain; its security certificate is from *.domain

Since you're using "example" names in your post, it's a bit difficult to say, but I suspect you are trying to do multiple sub domains with a wild card, which doesn't work.

Let's say you have a certificate that is valid for these names:

• example.com
• *.example.com

This is likely the kind of wild card certificate you have. You can tell by looking at the Subject Alternative Name in the certificate.

The "*" in a certificate does not mean "many levels deep", it means "one level deep".

These domains are valid for our certificate:

• foo.example.com
• bar.example.com
• example.dom

These are not valid for this the certificate:

• foo.bar.example.com
• bar.foo.example.com

Your only option here is to get a certificate for *.wp.domain, or just staging.wp.domain if you don't need a wild card. A CA won't issue a certificate that is valid for *.*.example.com, and even browsers will ignore these kinds of wildcard rules.