Nginx – SSL wildcard certificates and “www” sub-subdomains

Tags: nginx, ssl, ssl-certificate, wildcard-subdomain

I've got a wildcard SSL certificate for *.example.com.

I'm using Nginx, and redirecting all traffic for HTTP to HTTPS, and also rewriting the URLs to remove a www subdomain (if there is one).

So it has,

  1. http://subdomain.example.com —> https://subdomain.example.com
  2. http://www.subdomain.example.com —> https://subdomain.example.com
  3. https://www.subdomain.example.com —> https://subdomain.example.com
  4. https://subdomain.example.com —> https://subdomain.example.com

However, since my cert is for *.example.com, case 3 gets an SSL error in Chrome ("This is probably not the site that you are looking for!"), but if you click through it gets redirected and all is well.

I understand why, since the initial connection is for HTTPS with a www (2 levels of subdomains), which doesn't match what is on the wildcard certificate.

I thought a solution would be to get an additional cert for *.*.example.com to cover www.*.example.com. But it seems like that won't work.
I spoke to agents from Namecheap and Comodo, and both said *.*.example.com was not possible.

I also came across this article that states:

Will SSL work with multilevel wildcards?

With the distribution of Firefox 3.5, all major browsers allow only a single level of subdomain matching with certificate names that contain wildcards, in conformance with RFC 2818.

In other words the certificate *.mydomain.com will work for one.mydomain.com or two.mydomain.com but NOT one.two.mydomain.com.

Is there a solution to this? To be able to cover www.*.example.com?

Best Answer

Wildcard certs only go one level deep. You will need to get a wildcard that also has subject-alternate names for all www.<subdomain>.example.com sites. This will allow the redirection to happen.

Any solution other than putting valid certs on the two-level-deep subdomains will not work, because the SSL handshake will always happen before any redirection or re-writing.
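The matching rule the quoted article refers to, and the consequence the answer draws from it, can be checked mechanically. The following is an added example (not code from the question, the answer, or nginx): it implements the single-level wildcard rule (RFC 2818 / RFC 6125: `*` may only be the entire leftmost label and matches exactly one label), checks every HTTPS hostname in the redirect chain against the names a certificate carries, and builds the SAN list a single certificate would need to cover both `sub.example.com` and `www.sub.example.com`. All certificate names and hostnames below are constructed sample values, not taken from a real certificate.

```python
"""Hostname-vs-certificate-name matching under the single-level wildcard rule.

Added example, not part of the original question or answer. Certificate
names and hostnames are constructed samples.
"""


def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if a certificate name (CN or dNSName SAN) covers hostname.

    Wildcard handling follows RFC 2818 / RFC 6125 as browsers apply it:
    '*' is honoured only as the whole leftmost label and stands for
    exactly one label, so '*.example.com' covers 'a.example.com' but
    neither 'www.a.example.com' nor 'example.com'.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # Reject '*.*.example.com', 'w*.example.com' and a '*' in any later label.
    if cert_labels[0] != "*" or any("*" in lbl for lbl in cert_labels[1:]):
        return False
    # The '*' consumes exactly one label, so the label counts must be equal.
    if len(cert_labels) != len(host_labels):
        return False
    # Everything after the wildcard label must match exactly.
    return cert_labels[1:] == host_labels[1:]


def covered_by(cert_names, hostname):
    """True if any name on the certificate covers the hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def check_redirect_chain(cert_names, https_hosts):
    """Map each HTTPS hostname to whether the TLS handshake would succeed.

    Only HTTPS hostnames matter: the handshake completes before nginx can
    redirect or rewrite anything, so every https:// name a browser connects
    to must already be on the certificate.
    """
    return {h: covered_by(cert_names, h) for h in https_hosts}


def required_sans(base_domain, subdomains):
    """Names one certificate needs so that sub.base and www.sub.base both work."""
    names = [f"*.{base_domain}"]
    names += [f"www.{s}.{base_domain}" for s in subdomains]
    return names


if __name__ == "__main__":
    # The two HTTPS hostnames from cases 3 and 4 of the question.
    hosts = ["subdomain.example.com", "www.subdomain.example.com"]
    print("wildcard only:", check_redirect_chain(["*.example.com"], hosts))
    sans = required_sans("example.com", ["subdomain"])
    print("wildcard + SAN:", check_redirect_chain(sans, hosts))
```

Running the block prints that `www.subdomain.example.com` fails against `*.example.com` alone and passes once the explicit `www.subdomain.example.com` SAN is present; a `*.*.example.com` name is rejected by the matcher itself, which is the same outcome the certificate vendors described.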