Does wildcard certificate support wildcards with www?


#1

Hi, I was happy to hear Let's Encrypt had wildcard certificate support. I spent 2 days dealing with it and in the end it appeared it's not quite true. I'm searching for a solution to this problem but cannot find any.
I hope I’m wrong and I have some mistake, otherwise this wildcard certificate is useless.

Wildcard certificate works for:
lantanios.com
www.lantanios.com
somewildcard.lantanios.com
but not for:
www.somewildcard.lantanios.com

Here is the command I used to create the certificate:
./acme.sh --renew --dns dns_gcloud -d lantanios.com -d '*.lantanios.com'

Thanks in advance


#2

That’s correct; *.lantanios.com does not apply to www.somewildcard.lantanios.com. Wildcards apply to exactly 1 label, not 0 or 2.

It’s not up to Let’s Encrypt, and it’s not controlled by the certificate; it’s how clients work.
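The "exactly one label" rule above, written out as an added example (not code from the thread or from Let's Encrypt). It follows the matching rule most TLS clients implement (RFC 6125 section 6.4.3: a wildcard may only be the whole leftmost label, and it matches exactly one label); the SAN list is constructed to mirror the certificate requested in post #1.

```python
"""Check which hostnames a certificate's SAN entries cover.

Added example, not part of the thread. Implements the common client
rule (RFC 6125 section 6.4.3): a wildcard may only be the entire
leftmost label, and it matches exactly one label, never zero or two.
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if the SAN entry `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    # Only a whole leftmost label may be a wildcard ("*.example.com").
    first, _, rest = pattern.partition(".")
    if first != "*" or "*" in rest:
        return False
    # Most clients also refuse wildcards directly under a TLD ("*.com").
    if "." not in rest:
        return False
    host_first, _, host_rest = hostname.partition(".")
    # The wildcard consumes exactly one non-empty label; what remains of
    # the hostname must equal the rest of the pattern literally, so
    # "www.sub.example.com" leaves "sub.example.com", which is not
    # "example.com", and the match fails.
    return bool(host_first) and host_rest == rest


def covered_by(sans: list[str], hostname: str) -> bool:
    """True if any SAN entry on the certificate covers the hostname."""
    return any(hostname_matches(san, hostname) for san in sans)


# Constructed SAN list mirroring the certificate requested in post #1.
CERT_SANS = ["lantanios.com", "*.lantanios.com"]

if __name__ == "__main__":
    for name in ["lantanios.com", "www.lantanios.com",
                 "somewildcard.lantanios.com",
                 "www.somewildcard.lantanios.com"]:
        state = "covered" if covered_by(CERT_SANS, name) else "NOT covered"
        print(f"{name:32} {state}")
```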


#3

Thanks for the reply. It means I'm missing something.
How can I prevent people from visiting their pages with www?


#4

You can't. 🙁

Many sites don’t try to. https://www.community.letsencrypt.org/ doesn’t exist, for example!

Your only other option is to list all the www.abdef.lantanios.com subdomains individually in your certificates.


#5

Thanks anyway for fast support, I’ll try to issue a certificate for each newly created page. I think it will work and also will be more secure.


#6

If there are no links anywhere to https://www.abcdef.lantanios.com/, then when a user types "www.abcdef.lantanios.com" in the address bar and presses enter, it should try http://www.abcdef.lantanios.com/.
[for which you don’t need a certificate]

You can simply add an http block to catch that specific URL and redirect it (properly) to:
http://abcdef.lantanios.com/
which then redirects to https://

[you can create a catch-all http block and redirect all http to https - but will need additional individual blocks to remove the www]
[or if you are really clever, you can create one redirection block that can remove the www from any URL]


#7

That’s a neat suggestion, @rg305—and it’s an interesting possible disadvantage to using includeSubdomains in HSTS (!).


#8

Interesting idea, but too late.

I sometimes have the problem:

Terrible, a new user, big bug

What happens: Every customer has a subdomain, the new user types www.subdomain..., no DNS entry is defined -> panic.

But I don’t want to create a www certificate (some customers are invisible).

And I use preload, so this wouldn’t work.

