Domain name "svn.example.com" is redundant with wildcard domain


#1

Hi,

I want to use ‘svn.example.com’ as the default name of my wildcard cert, because SVN clients do not support multi-domain certs.

When I run:

certbot certonly -d svn.example.com -d example.com -d *.example.com

Result:

The request message was malformed :: Error creating new order :: Domain name “svn.example.com” is redundant with a wildcard domain in the same request. Remove one or the other from the certificate request.

I remember that a few months ago it was possible to apply for such a certificate.


#2

There is no need for it.

Try separating the certs into two exactly configured vhost files.
or maybe…
using --cert-name svn.example.com

one vhost for just svn.example.com (which can be also be the default)
and one for the wildcard and root domain.


#3

:frowning: Just for compatibility with software that does not support multiple-domain cert.


#4

Then it probably won't like SNI either.
That is why I mention making the SVN vhost a separate cert and also the default site for the IP.

The good news is they are on sale today !
Buy one for FREE and get the second one for FREE ! ! !
LOL


#5

It was, briefly. Let’s Encrypt never desired to support overlapping certificates, but they enabled wildcard support before updating the CA software to block overlapping wildcards.

Edit: Can you put *.example.com first?


#6

I think LE will always alphabetize the list of names.
But that can easily be tested.


#7

copy VHOST.conf to VHOSTWILD.conf

in VHOST.conf use
servername svn.example.com

in VHOSTWILD.conf use
servername example.com
serveralias *.example.com

run certbot and get/renew both as normal

NOTE: be sure the two configs are ordered alphabetically in that way (with SVN first)
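A pre-flight check for the name list, added here as an example and not code from this thread, from certbot or from Let's Encrypt's CA software. It models two things: the rejection in post #1 (a hostname already covered by a wildcard in the same order is "redundant"), and the fix in post #7 (split the names into separate certificates, wildcard plus root together and the covered hostname on its own). The coverage rule is an assumption: `*.example.com` is taken to match exactly one label below `example.com`, so it covers `svn.example.com` but neither `example.com` nor `a.b.example.com`. The `--cert-name` derived from each group's first name is also an illustration of the option mentioned in posts #2 and #10, not what certbot does by default.

```python
"""Pre-flight check for an ACME order's -d name list (added example).

Assumed rule: "*.base" covers exactly one label below "base". A name that a
wildcard in the same request covers is redundant and the order is malformed.
"""


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so comparisons are stable."""
    return name.strip().rstrip(".").lower()


def wildcard_covers(wildcard: str, name: str) -> bool:
    """True if `wildcard` ("*.base") matches `name` under the one-label rule."""
    wildcard, name = normalize(wildcard), normalize(name)
    if not wildcard.startswith("*."):
        return False
    base = wildcard[2:]
    # The wildcard itself and the bare base domain are not covered.
    if name == wildcard or not name.endswith("." + base):
        return False
    label = name[: -len(base) - 1]
    return "." not in label and label != "*"


def find_redundant(names):
    """Return (name, wildcard) pairs that would make the order malformed."""
    names = [normalize(n) for n in names]
    wildcards = [n for n in names if n.startswith("*.")]
    return [(n, w) for n in names for w in wildcards if wildcard_covers(w, n)]


def split_orders(names):
    """Greedily partition names into groups with no wildcard redundancy.

    Wildcards are placed first so the wildcard and its base domain stay
    together and each shadowed hostname gets its own certificate, matching
    the two-vhost split in post #7. Within a group the first name is the one
    certbot passes first, which post #8 reports becomes the CN.
    """
    names = list(dict.fromkeys(normalize(n) for n in names))  # dedupe, keep order
    ordered = [n for n in names if n.startswith("*.")] + \
              [n for n in names if not n.startswith("*.")]
    groups = []
    for n in ordered:
        for g in groups:
            if not find_redundant(g + [n]):
                g.append(n)
                break
        else:
            groups.append([n])
    return groups


def certbot_commands(names):
    """Render one `certbot certonly` line per group (illustration only).

    The --cert-name value is an assumed convention: the group's first name
    with any leading "*." removed.
    """
    cmds = []
    for g in split_orders(names):
        cert_name = g[0][2:] if g[0].startswith("*.") else g[0]
        args = " ".join(f"-d {n}" for n in g)
        cmds.append(f"certbot certonly --cert-name {cert_name} {args}")
    return cmds


if __name__ == "__main__":
    # Constructed input: the exact name list from post #1.
    requested = ["svn.example.com", "example.com", "*.example.com"]
    for name, wc in find_redundant(requested):
        print(f"redundant: {name} is covered by {wc}")
    for cmd in certbot_commands(requested):
        print(cmd)
```

Running it on the list from post #1 reports `svn.example.com` as covered by `*.example.com` and prints two certbot invocations, one for `*.example.com` plus `example.com` and one for `svn.example.com` alone, which is the same split post #7 arrives at with two vhost files.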


#8

The SAN list is alphabetized, but the first argument is used for the CN.

I just did it with a staging certificate.

        Issuer: CN=Fake LE Intermediate X1
        Validity
            Not Before: May 28 02:02:14 2018 GMT
            Not After : Aug 26 02:02:14 2018 GMT
        Subject: CN=*.letsencrypt.mattnordhoff.info

            X509v3 Subject Alternative Name: 
                DNS:*.letsencrypt.mattnordhoff.info, DNS:letsencrypt.mattnordhoff.info

#9

Cool ! ! !
Now if his devices are able to match the SVN request with * he is good to go.
If not, I say, feed them SVN and SNI the rest over a separate vhost config.


#10

Thanks!

The param --cert-name works!


#11

Can you share the PUBLIC cert or domain name so we can see/learn from it?

Either way, I’m glad that helped.


#12

I think it does not work well. :frowning:


#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.