Create wild card certs for several subdomains pointing to different servers


#1

I know that currently (feb 2018) wild card certs are not yet available, but my question anticipates the availability in the near future.
I have serveral servers that split functionality of the same app.

  1. server1 serves: sub1.domain.com and all related sub domains: ss1.sub1.domain.com ss2.sub1.domain.com, ss3. sub1.domain.com
  2. server 2 serves: sub2.domain.com and all related sub domains, tt1. sub2.domain.com, tt2.sub2.domain.com, …

My goal is to limit the amount of certs and my question is formulated under the assumption that letsencrypt provides wild card certs.
My question is 2 fold.
Do i need multiple certs sinds a have multiple servers?
If yes, so If I need 2 certs for 2 servers, can these certs act a a wild card cert on sub1.domain.com and another cert on sub2.domain.com. In other words can a wild card cert also be on a subdomain (and related sub domains) or is a wild card cert only applicable on domain.com and not on sub1.domain.com ?

Thanks for shedding a light on this.

Cheers
paul.


#2

*.example.com -> covers sub1.example.com and sub2.example.com but not example.com nor thirdlevel1.sub1.example.com

*.sub1.example.com -> covers thirdlevel1.sub1.example.com and thirdlevel2.sub1.example.com but not sub1.example.com or anything lower

Wildcards don’t usually cover all the domains you want so they are typically combined with a non-wildcard domain listing. Let’s Encrypt will allow you to list a mix of 100 wildcard and non-wildcard domains on a certificate.

Judging by your example you would want two certificates:

  • *.sub1.example.com and sub1.example.com
  • *.sub2.example.com and sub2.example.com

You do not necessarily need two certificates for the two servers, but it is usually easier and always more secure to use different certificates on different servers where possible.


#3

@Patches. This is a cristal clear. Many thanks.


#4

so wait … when I want multiple levels I need to do *.*.example.com or is that impossible?


#5

Unfortunately, that’s impossible. You can make a certificate with names like:

  • example.com
  • *.example.com
  • foo.example.com
  • *.foo.example.com
  • bar.example.com
  • *.bar.example.com

But multi-level wildcards are not possible.


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.