SSL Error for wildcard subdomain certificate

sslssl-certificate

I have two SSL certificate one for *.sub.domain.com and one for *.domain.com.

I don't have issues with domain level wildcard certificate. Meaning https://www.domain.com & https://domain.com works fine with out any certificate errors.

But for the other one https://sub.domain.com gives certificate error(address miss match ) and https://www.sub.domain.com doesn't give any error.

Just another info both certificate are from the same provider.

Best Answer

Wildcard certificate issued for *.domain.com doesn't secure bare domain.com by default.

Run openssl x509 -in certificate.crt -noout -text on both certs to see their human-readable content. Look for X509v3 Subject Alternative Name (SAN) field. If it is present, it specifies multiple DNS names, which can be secured by the cert.

I suppose your *.domain.com cert has it, whereas *.sub.domain.com doesn't, in that case ask for a new wildcard SAN cert.

Related Solutions

Ubuntu – How to use VirtualDocumentRoot to serve the www subdomain with SSL enabled

To have the same site listening on both HTTP and HTTPS you will need 2 virtual hosts, one for SSL and one for normal connections.

Remove :443 from your "ServerName" parameter.

I just created a config doing what you request here, in my test environment, and this is what I have in my working configuration file:

<IfModule mod_ssl.c>   
  <VirtualHost _default_:443>
    ServerAdmin www@srv.fbh

    ServerName *.srv.fbh
    VirtualDocumentRoot /www/%0/ 

    SSLEngine on
    SSLCertificateFile    /etc/ssl/test/server.crt
    SSLCertificateKeyFile /etc/ssl/test/server.key   
  </VirtualHost>
</IfModule>

Also, you have a ServerAlias for www.domain.com - this is not necessary, as the wildcard *.domain.com will catch this.

Ssl domain problem for signed asterisk certificates

*.domain.com should only match for domains .domain.com, but not domain.com or a.b.domain.com.

Citing this great presentation:

RFC 2595 (Using TLS with IMAP, POP3 and ACAP): A “*” wildcard character MAY be used as the left-most name component in the certificate. For example, *.example.com would match a.example.com, foo.example.com, etc. but would not match example.com.

RFC 2818 (HTTP Over TLS): Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., .a.com matches foo.a.com but not bar.foo.a.com. f.com matches foo.com but not bar.com.

RFC 4513 (LDAP Authentication Methods): The ‘*’ (ASCII 42) wildcard character is allowed in subjectAltName values of type dNSName, and then only as the left-most (least significant) DNS label in that value. This wildcard matches any left-most DNS label in the server name. That is, the subject *.example.com matches the server names a.example.com and b.example.com, but does not match example.com or a.b.example.com.

Best Answer

Related Solutions

Ubuntu – How to use VirtualDocumentRoot to serve the www subdomain with SSL enabled

Ssl domain problem for signed asterisk certificates

Related Topic