Does wildcard order in certificate matter?

BrettD · May 20, 2019, 11:49pm

Does wildcard need to be in SAN or can it be the main domain name, for it to reliably work across different clients?

(I accidentally generated a certificate with the wildcard as the main domain, not SAN)

Thank you!

Brett

_az · May 21, 2019, 12:04am

CN (which I guess is what you mean by main domain) is deprecated and will disappear eventually.

The only clients that have trouble with SAN/CN order that I can think of are really old versions of Outlook. I’m not aware of any others.

BrettD · May 21, 2019, 12:36am

Thanks - good to know!

I meant CN. (I see both are listed in the actual cert:
Not Critical
DNS Name: *.ottawajazzscene.ca
DNS Name: ottawajazzscene.ca

SSLabs ssltest gave me an A, which I concluded meant no real problems, but I wanted to check.

I was referring to the field name output by acme.sh. I flipped the fields trying to debug/resolve what turned out to be an unrelated problem:

Main_Domain KeyLength SAN_Domains Created Renew
*.ottawajazzscene.ca “” ottawajazzscene.ca Mon May 20 02:41:13 UTC 2019 Fri Jul 19 02:41:13 UTC 2019
ottawajazzscene.ca “” *.ottawajazzscene.ca Mon May 20 02:27:52 UTC 2019 Fri Jul 19 02:27:52 UTC 2019

Which BTW generates the oddest directory name for the cert files I have ever seen since using Unix/Linux since the 80s: ‘*.ottawajazzscene.ca’ (including the quotes). This ugliness alone is a good reason to assign the root domain to the CN…

(I wasted renewals testing when I couldn’t use --staging to debug, so am dangerously close to my weekly quota, if not there already.)

_az · May 21, 2019, 12:49am

Take note of this text from acme.sh's README:

After the cert is generated, you probably want to install/copy the cert to your Apache/Nginx or other servers. You MUST use this command to copy the certs to the target files, DO NOT use the certs files in ~/.acme.sh/ folder, they are for internal use only, the folder structure may change in the future

Use --install-cert and avoid the naming hell.

BrettD · May 21, 2019, 1:31am

Thank you for pointing this out. I definitely used that (and my original problem was an error in the install arguments like “–cert-file” etc.)

system · June 20, 2019, 1:37am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Wildcard names incomplete? Issuance Tech	8	4968	March 31, 2018
Wildcard renewal: "Certificate did not match expected hostname"? Help	8	6011	September 24, 2018
SAN with redundant names Issuance Tech	8	1030	August 10, 2022
ACME v2 - Wildcard Requests and SANs? Issuance Tech	5	2646	February 23, 2018
Trouble validating a wildcard certificate Help	2	571	January 17, 2020

Does wildcard order in certificate matter?

Related topics