Domain name "svn.example.com" is redundant with wildcard domain

dallaslu · May 28, 2018, 2:42am

Hi,

I want to use 'svn.example.com' as the default name of my wildcard cert, because of svn clients does not support multiple domain cert.

When I run:

certbot certonly -d svn.example.com -d example.com -d *.example.com

Result:

The request message was malformed :: Error creating new order :: Domain name "svn.example.com" is redundant with a wildcard domain in the same request. Remove one or the other from the certificate request.

I remember that a few months ago it was possible to apply for such a certificate.

rg305 · May 28, 2018, 2:45am

THIS:

CONTAINS:

There is no need for it.

Try separating the certs into two exactly configured vhost files.
or maybe...
using --cert-name svn.example.com

one vhost for just svn.example.com (which can be also be the default)
and one for the wildcard and root domain.

dallaslu · May 28, 2018, 2:48am

Just for compatibility with software that does not support multiple-domain cert.

rg305 · May 28, 2018, 2:52am

Then it probably may not like SNI either.
That is why I mention making the SVN vhost a separate cert and also the default site for the IP.

The good news is they are on sale today !
Buy one for FREE and get the second one for FREE ! ! !
LOL

mnordhoff · May 28, 2018, 2:52am

It was, briefly. Let's Encrypt never desired to support overlapping certificates, but they enabled wildcard support before updating the CA software to block overlapping wildcards.

Edit: Can you put *.example.com first?

rg305 · May 28, 2018, 2:55am

I think LE will always alphabetize the list of names.
But that can easily be tested.

rg305 · May 28, 2018, 3:02am

copy VHOST.conf to VHOSTWILD.conf

in VHOST.conf use
servername svn.example.com

in VHOSTWILD.conf use
servername example.com
serveralias *.example.com

run certbot and get/renew both as normal

NOTE: be sure the two configs are ordered alphabetically in that way (with SVN first)

mnordhoff · May 28, 2018, 3:04am

The SAN list is alphabetized, but the first argument is used for the CN.

I just did it with a staging certificate.

        Issuer: CN=Fake LE Intermediate X1
        Validity
            Not Before: May 28 02:02:14 2018 GMT
            Not After : Aug 26 02:02:14 2018 GMT
        Subject: CN=*.letsencrypt.mattnordhoff.info

            X509v3 Subject Alternative Name: 
                DNS:*.letsencrypt.mattnordhoff.info, DNS:letsencrypt.mattnordhoff.info

rg305 · May 28, 2018, 3:06am

Cool ! ! !
Now if his devices are able to match the SVN request with * he is good to go.
If not, I say, feed them SVN and SNI the rest over a separate vhost config.

dallaslu · May 28, 2018, 3:11am

Thanks!

The param --cert-name works!

rg305 · May 28, 2018, 3:13am

Can you share the PUBLIC cert or domain name so we can see/learn from it?

Either way, I’m glad that helped.

dallaslu · May 30, 2018, 4:21pm

I think it does not work well.

system · June 29, 2018, 4:21pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.