I have 5 domains viz.
- main.com
- sub1.com
- sub2.com
- sub3.com
- sub4.com
I have pointed the CNAME records of
- sub1.com to sub1.main.com
- sub2.com to sub2.main.com
- sub3.com to sub3.main.com
- sub4.com to sub4.main.com
And these are working as they are supposed to, even when following the paths.
Yesterday I installed a Let's Encrypt wildcard SSL certificate for *.main.com and it also works pretty smoothly.
The question is: sub1.com, sub2.com, sub3.com and sub4.com also need SSL certificates. I thought that, as sub1.main.com, sub2.main.com, sub3.main.com and sub4.main.com have a valid SSL certificate and the CNAMEs are mapped as shown above, the SSL certificates would work for sub1.com, sub2.com, sub3.com and sub4.com as well, but unfortunately they don't.
Where am I going wrong in my assumption? What can be the proposed solution to my query of having SSL certificates for sub1.com, sub2.com, sub3.com and sub4.com, which have a CNAME pointed to main.com?
Note: I can change the CNAME or the A record of sub1.com, sub2.com, sub3.com and sub4.com if required.
Best Answer
You NEED to have a certificate for the hostname shown in the address bar. This is a feature of the HTTP(S) protocol. Therefore, it doesn't matter whether you use CNAME or A in DNS. The web server is only aware of the Host: header and the hostname sent during the SNI negotiation. Your web server needs to be aware of that hostname in both the virtualhost and the SSL configuration.
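An added example (not from the answer's author) that applies the name-matching rules browsers use to a certificate's SAN list: it shows why the *.main.com wildcard covers sub1.main.com but not sub1.com, and that DNS CNAME targets play no part in the check. The SAN lists and hostnames below are constructed for illustration.

```python
# Added example, not part of the original question or answer. Implements
# certificate name matching in the style of RFC 6125 (the rules Python's
# ssl module and browsers apply): a wildcard must be the bare leftmost
# label and stands for exactly one DNS label.
from typing import Iterable, List


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if the certificate name `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # A wildcard never matches more or fewer labels than the pattern has,
    # so "*.main.com" cannot cover "deep.sub1.main.com" or "sub1.com".
    if len(p_labels) != len(h_labels):
        return False
    if "*" in pattern:
        # Only a bare "*" as the leftmost label is accepted (no "s*b1"),
        # and the wildcard may not stand in for a public suffix ("*.com").
        if p_labels[0] != "*" or any("*" in l for l in p_labels[1:]) \
                or len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def uncovered_hostnames(cert_sans: Iterable[str],
                        hostnames: Iterable[str]) -> List[str]:
    """Address-bar hostnames that no SAN entry of the certificate covers."""
    sans = list(cert_sans)
    return [h for h in hostnames
            if not any(hostname_matches(s, h) for s in sans)]


# Constructed sample data: the wildcard certificate from the question and
# the hostnames users actually type. The CNAME targets never enter here:
# the browser compares the SAN list against the name in the address bar.
WILDCARD_CERT_SANS = ["*.main.com", "main.com"]
ADDRESS_BAR_HOSTS = ["sub1.main.com", "sub1.com", "sub2.com",
                     "deep.sub1.main.com"]
# What a certificate that actually serves all the names would list.
FIXED_CERT_SANS = ["*.main.com", "main.com", "sub1.com", "sub2.com",
                   "sub3.com", "sub4.com"]

if __name__ == "__main__":
    print(uncovered_hostnames(WILDCARD_CERT_SANS, ADDRESS_BAR_HOSTS))
    # ['sub1.com', 'sub2.com', 'deep.sub1.main.com']
    print(uncovered_hostnames(FIXED_CERT_SANS, ADDRESS_BAR_HOSTS))
    # ['deep.sub1.main.com']
```

The same SAN list is what the virtualhost and SSL configuration on the server must be prepared to present for each SNI name it receives.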