Else-something.example.com not matching *.example.com. Why?


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: unexpected-studio.com

I ran this command: ./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "*.unexpected-studio.com" --manual --preferred-challenges dns-01 certonly

It produced this output: Everything went fine

My web server is (include version): nginx - 1.10.3-0ubuntu0.16.04.2

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Nope

Hi there!

I have a simple question about what a wildcard certificate would cover. Let’s take *.unexpected-studio.com: I know that something.unexpected-studio.com will work and else.something.unexpected-studio.com won’t. But in my case we do have some domains that match else-something.unexpected-studio.com. The last case won’t match *.unexpected-studio.com and I can’t really understand why.

Does someone have an explanation for this behavior?

Thanks!


#2

Do you have a subdomain which actually has a DNS hostname so we can test? Because else-something.unexpected-studio.com doesn’t have an IP address associated with it.

By the way, the certificate for www.unexpected-studio.com doesn’t have the wild card hostname in its SAN list, it’s only valid for www.unexpected-studio.com and unexpected-studio.com, NOT for *.unexpected-studio.com.

Is the wild card certificate correctly installed?


#3

Hello,

Sorry for the late answer, but yes, we have subdomains. You can test api-conv.unexpected-studio.com and notif.unexpected-studio.com. Here’s the output of a simple curl for the 2 domains:

Shino@MacBook-Pro-de-Johan ~/D/U/ssl> curl -Lv https://notif.unexpected-studio.com > /dev/null
* Rebuilt URL to: https://notif.unexpected-studio.com/
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                             Dload  Upload   Total   Spent    Left  Speed
0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 217.182.130.236...
* TCP_NODELAY set
* Connected to notif.unexpected-studio.com (217.182.130.236) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [93 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2530 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [365 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [102 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.dwarf-game.com
*  start date: Mar 26 06:59:03 2018 GMT
*  expire date: Jun 24 06:59:03 2018 GMT
*  subjectAltName: host "notif.unexpected-studio.com" matched cert's "*.unexpected-studio.com"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: notif.unexpected-studio.com
> User-Agent: curl/7.54.0
> Accept: */*

curl -Lv https://api-conv.unexpected-studio.com > /dev/null
* Rebuilt URL to: https://api-conv.unexpected-studio.com/
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                               Dload  Upload   Total   Spent    Left  Speed
0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 217.182.130.236...
* TCP_NODELAY set
* Connected to api-conv.unexpected-studio.com (217.182.130.236) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [93 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2942 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [365 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [102 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=api-ffs.zerator.com
*  start date: Apr  9 07:37:47 2018 GMT
*  expire date: Jul  8 07:37:47 2018 GMT
*  subjectAltName: host "api-conv.unexpected-studio.com" matched cert's "api-conv.unexpected-studio.com"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: api-conv.unexpected-studio.com
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Server: nginx
< Date: Mon, 09 Apr 2018 08:47:59 GMT
< Content-Type: application/json
< Transfer-Encoding: chunked
< Strict-Transport-Security: max-age=3600; includeSubDomains
< X-IPLB-Instance: 17494
<
{ [232 bytes data]
100   221    0   221    0     0    676      0 --:--:-- --:--:-- --:--:--   677

As you can see, the loadbalancer uses 2 different certificates for the same domain. And I still can’t understand why -.unexpected-studio.com is not working.

Regards
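For reference, here is the wildcard matching rule TLS clients such as curl and browsers apply (RFC 6125 section 6.4.3), as an added example that is not code from this thread: "*" stands for exactly one DNS label, so a hyphenated single label like else-something is covered while a dotted one is not. The SAN lists below are constructed to mirror the certificates mentioned in the thread, not read from any real certificate.

```python
"""Hostname vs. certificate DNS-name matching, as TLS clients do it (RFC 6125 6.4.3).

Added example for illustration; the SAN lists are constructed, not real.
"""
from typing import Optional, Sequence


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS name (possibly a wildcard) covers hostname.

    Rules, matching what curl/browsers enforce and what Let's Encrypt issues:
    - comparison is case-insensitive and a trailing dot is ignored;
    - a wildcard is honoured only as the entire leftmost label ("*.example.com");
    - "*" stands for exactly one non-empty label: it never spans a dot and never
      matches the bare parent, so "*.example.com" covers
      "else-something.example.com" but not "else.something.example.com"
      or "example.com" itself.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels                 # plain name: exact match only
    # The wildcard must be the whole leftmost label, and the only wildcard.
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    if len(p_labels) != len(h_labels):              # "*" consumes exactly one label
        return False
    if not h_labels[0]:                             # empty leftmost label never matches
        return False
    return p_labels[1:] == h_labels[1:]             # remaining labels must be identical


def matching_san(san_names: Sequence[str], hostname: str) -> Optional[str]:
    """Return the SAN entry that covers hostname (what curl reports as
    'host ... matched cert's ...'), or None if the certificate does not cover it."""
    for name in san_names:
        if dns_name_matches(name, hostname):
            return name
    return None


# Constructed SAN lists mirroring the thread: the wildcard cert and the www cert.
WILDCARD_SAN = ["*.unexpected-studio.com"]
WWW_SAN = ["www.unexpected-studio.com", "unexpected-studio.com"]

if __name__ == "__main__":
    for host in ["something.unexpected-studio.com", "else-something.unexpected-studio.com",
                 "else.something.unexpected-studio.com", "unexpected-studio.com"]:
        print(f"{host:40s} wildcard -> {matching_san(WILDCARD_SAN, host)}"
              f"   www cert -> {matching_san(WWW_SAN, host)}")
```

If a hyphenated name still fails in practice, the check above shows the name itself is fine; what matters is which certificate the load balancer actually presents for that SNI name, which is what the curl "subjectAltName" line reveals.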

