Do wildcard SSLs only work with one IP?

I generated 2 wildcard SSLs using this command: certbot certonly --manual -d '*.example1.com' --agree-tos --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

I deployed both on a web server using 2 different Nginx configuration files. The issue is SSL check tools online don't recognize the other wildcard SSL.

E.g.:
Scenario 1:
I installed the SSL on example1.com first.
example1.com - wildcard works
example2.com - wildcard doesn't work.

Scenario 2:
I installed the SSL on example2.com first.
example2.com - wildcard works
example1.com - wildcard doesn't work.

It only works with one domain either way, so I started thinking, do wildcard SSLs only work on 1 IP address?

nginx/1.14.2
certbot 0.27.0

Hi @j.centeno, and welcome to the LE community forum :slight_smile:

Imagine having a pass that allows *.your.last.name (anyone in your family access).
They can all live in your home or in other homes, either way they are all allowed to pass.
A wildcard cert, like any cert, doesn't contain an IP.
The name resolves to the IP(s). (Like: Your name resolves to your address)
Other names could also resolve to that same IP and could be included in the same cert.
Or they could resolve to other IPs and could still be covered by the same wildcard cert.
[although you would have to share the cert between the two locations]

In your described scenario, it is difficult to tell if the names are at the same IP and if the names are actually from the same domain.

NOTE:
*.example.com
will not cover:
example1.com
nor
example2.com

I haven't done much with nginx recently, but as far as I know, for most webservers to share an IP address with certificates you need to use SNI (Server Name Indication), which means your ssl bindings in your nginx configuration need to specify the hostname(s) your website will respond to (and which certificate will be associated with each). See: Configuring HTTPS servers

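An added check, not code from this thread, that ties the two answers above together: it connects with the SNI name nginx uses to pick a server block, reports which names the presented certificate carries, and applies the single-label wildcard rule under which *.example.com covers www.example.com but not example.com. The example1.com/example2.com names are the thread's placeholders and the offline sample certificate dict is constructed.

```python
import socket
import ssl


def wildcard_covers(pattern: str, hostname: str) -> bool:
    """True if a certificate DNS name (possibly '*.example.com') covers hostname.

    Single-label wildcard rule (RFC 6125), as browsers apply it: '*.example.com'
    covers 'www.example.com' but neither 'example.com' nor 'a.b.example.com'.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """DNS names from a certificate in the dict form ssl.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def covered_by(cert: dict, hostname: str) -> bool:
    """Does any name in the certificate cover hostname?"""
    return any(wildcard_covers(name, hostname) for name in cert_names(cert))


def presented_cert(server_name: str, host: str = None, port: int = 443) -> dict:
    """Connect with SNI = server_name and return the certificate the server picks.

    host defaults to server_name; pass the server's IP to test one specific box.
    check_hostname is off so a mismatched cert is returned instead of raising;
    the chain is still verified, which getpeercert() needs to return a full dict.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host or server_name, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() shape, so the coverage logic runs offline.
SAMPLE_WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example1.com"),)}

if __name__ == "__main__":
    # The thread's placeholder domains (assumed); each needs its own cert/server block.
    for name in ("www.example1.com", "example1.com", "www.example2.com"):
        cert = presented_cert(name)
        print(name, cert_names(cert), "covered" if covered_by(cert, name) else "NOT covered")
```

If both SNI names return the same certificate, nginx is falling through to its default server block rather than matching a server_name, which is the symptom described in the question.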
I am using different IP addresses with a single apex domain and it works just fine. It is not IP oriented but DNS... Works well in my case.
