Confusion about root domain with wildcard cert


#1

https://serverfault.com/questions/310530/should-a-wildcard-ssl-certificate-secure-both-the-root-domain-as-well-as-the-sub

I have got a cert for *.example.com,
and I found that example.com (the root domain) says the identity can't be verified.
My command:
./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "*.yii2.cc" --preferred-challenges=dns --manual certonly

Thanks very much.


#2

Hi @hldh214,

A wildcard certificate for *.example.com is not valid for example.com. You need to add that name as well by specifying two -d flags to Certbot like:

./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "yii2.cc" -d "*.yii2.cc" --preferred-challenges=dns --manual certonly

That will give you a certificate with two names: yii2.cc and *.yii2.cc that will be valid for both the base domain and any first level subdomain.

Hope that helps!
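
The rule in the answer above, worked through as an added example that is not code from this thread, from Certbot or from Let's Encrypt: the matching a TLS client applies to a certificate's dNSName SANs (RFC 6125 section 6.4.3, with the CA/Browser Forum rule that a wildcard must be the entire leftmost label). The SAN lists and hostnames are constructed; `name_matches`, `cert_covers` and `uncovered` are names chosen here, not library functions.

```python
"""Hostname matching against a certificate's dNSName SANs, the way a TLS client
does it (RFC 6125 section 6.4.3, with the CA/Browser Forum rule that a wildcard
must be the entire leftmost label).

Added example, not code from this thread, from Certbot or from Let's Encrypt:
it shows why a certificate whose only SAN is "*.yii2.cc" is rejected for
"yii2.cc" and accepted for "www.yii2.cc". The SAN lists below are constructed.
"""
import ipaddress


def _is_ip_literal(hostname: str) -> bool:
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False


def name_matches(pattern: str, hostname: str) -> bool:
    """True if one dNSName SAN entry `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if _is_ip_literal(hostname):
        return False  # IP addresses are matched only by iPAddress SANs, never by dNSName
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label: "*.yii2.cc" is allowed,
    # "w*.yii2.cc", "*" and "yii2.*" are not.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # "*" stands for exactly one label, so the label counts must agree:
    # "*.yii2.cc" (3 labels) cannot cover "yii2.cc" (2) or "a.b.yii2.cc" (4).
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def cert_covers(san_dns_names, hostname: str) -> bool:
    """True if any dNSName SAN in the certificate covers `hostname`."""
    return any(name_matches(p, hostname) for p in san_dns_names)


def uncovered(san_dns_names, hostnames):
    """Hostnames you intend to serve that the SAN list does not cover."""
    return [h for h in hostnames if not cert_covers(san_dns_names, h)]


if __name__ == "__main__":
    wanted = ["yii2.cc", "www.yii2.cc", "a.b.yii2.cc"]
    for sans in (["*.yii2.cc"], ["yii2.cc", "*.yii2.cc"]):
        print(f"SAN {sans}: not covered -> {uncovered(sans, wanted)}")
```

Running it prints that `["*.yii2.cc"]` leaves `yii2.cc` and `a.b.yii2.cc` uncovered, while `["yii2.cc", "*.yii2.cc"]` still leaves `a.b.yii2.cc` uncovered, since a wildcard never spans more than one label. To see which names a real certificate carries before testing it this way, `openssl x509 -in cert.pem -noout -ext subjectAltName` (OpenSSL 1.1.1 or later) lists the SAN extension.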


#3

But that requires verifying the DNS TXT record twice. It would be better if the 'rootdomain.com' and '*.rootdomain.com' validations were combined.


#4

Implementing validation that way is more difficult with our current codebase. Adding two TXT values to the DNS is certainly permitted and separating the authorizations for the base domain and the wildcard also allows for more flexibility in using a non-DNS-01 challenge for the base domain.

Thanks for the feedback but this is unlikely to change in the near term. I recommend you adjust your side accordingly and set both TXT values.

Thanks!
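
What "set both TXT values" amounts to, as an added example that is not Certbot's or Let's Encrypt's code: for a DNS-01 authorization the CA queries `_acme-challenge.` followed by the identifier with any leading `*.` removed, and expects a TXT record whose content is base64url(SHA-256(token "." account-key-thumbprint)) (RFC 8555 section 8.4, thumbprint per RFC 7638). The base name and the wildcard therefore share one owner name and need two TXT records there. The account key, the tokens and the "published" answers below are constructed sample data, and all function names are chosen here.

```python
"""Planning DNS-01 TXT records for one certificate order that covers both
"yii2.cc" and "*.yii2.cc" (ACME, RFC 8555 section 8.4; JWK thumbprint per
RFC 7638).

Added example, not Certbot's or Let's Encrypt's code. The account key, the
challenge tokens and the "published" DNS answers are constructed sample data.
It shows that the two authorizations produce two TXT values under the same
owner name, _acme-challenge.yii2.cc, so both must be published at once.
"""
import base64
import hashlib
import json
from collections import defaultdict

# Constructed account key (public part only; the coordinates are not a real point).
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "WbbXqL6cdn6GpsGq0MfY9T4s4B1Ew4Xz7xEdZk5DBt4",
    "y": "6Q5WdKhm9y4vYaM2B2xJv0n5mHqK6w3Pq9T1x8cLr0E",
}
# Constructed tokens: one authorization per identifier, as the CA would issue.
SAMPLE_AUTHZ = [("yii2.cc", "tok-base-7h3Fq"), ("*.yii2.cc", "tok-wild-9pZxL")]


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 of the required public members, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def txt_owner_name(identifier: str) -> str:
    """Name the CA queries: "_acme-challenge." plus the identifier with a leading "*." stripped."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def txt_value(token: str, thumbprint: str) -> str:
    """DNS-01 record content: base64url(SHA-256(token "." thumbprint))."""
    return b64url(hashlib.sha256(f"{token}.{thumbprint}".encode("ascii")).digest())


def plan_records(authorizations, jwk):
    """Map each TXT owner name to the set of values that must be published there."""
    thumbprint = jwk_thumbprint(jwk)
    plan = defaultdict(set)
    for identifier, token in authorizations:
        plan[txt_owner_name(identifier)].add(txt_value(token, thumbprint))
    return dict(plan)


def missing_records(plan, published):
    """(owner, value) pairs in `plan` absent from `published` ({owner: set of TXT strings})."""
    return sorted(
        (owner, value)
        for owner, values in plan.items()
        for value in values
        if value not in published.get(owner, set())
    )


if __name__ == "__main__":
    plan = plan_records(SAMPLE_AUTHZ, SAMPLE_JWK)
    for owner, values in plan.items():
        for value in sorted(values):
            print(f'{owner}. IN TXT "{value}"')
    # Publishing only one of the two values (a common mistake) leaves the other
    # authorization unsatisfied.
    one_value = {owner: {sorted(values)[0]} for owner, values in plan.items()}
    print("still missing:", missing_records(plan, one_value))
```

Both records print under `_acme-challenge.yii2.cc`; a zone with only one of the two values passes one authorization and fails the other, which is what the "two records" requirement in the reply above means in practice. With `--manual`, Certbot prompts for the two values one after the other, so leave the first TXT record in place while adding the second.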


#5

Adding two records is acceptable. Thanks.

