Error on the 4th-level domain

On 11 November I renewed the wildcard certificate for *

The certificate on the first, second and third levels works fine and is recognized by the browser.

While the fourth level gives me the following error:


My server is Linux Ubuntu 16.04.5 LTS

My web server is nginx version: nginx/1.14.0

Wildcard labels in certificates are only valid for one level, which is the level they're on.

That is, a certificate for * is valid for, and so on, but not for You would need a wildcard covering * Note that the wildcard can only ever be the leftmost part in the DNS name.

It is also not valid for higher levels, that is * is not valid on the apex or on the TLD .com (which is why you usually want to include both apex and the wildcard as an alternative name in the certificate).

This is not a restriction by Let's Encrypt, but just the way wildcards are currently specified/implemented in X.509 certificates/validators.

See also RFC 6125 which talks about the topic.


Also note that only a single wildcard is allowed. So e.g. *.* is invalid.

(@Nummer378 already said as much, but I'd like to clarify that "can only be the leftmost part in the DNS name" is restricted to a single *.)


And to further clarify the unnecessary and obvious, the following are also all invalid:


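The one-label rule from the two replies above, applied in code. This is an added example, not code from the thread or from Let's Encrypt. The thread's domain is not shown, so `example.com` is a placeholder and every SAN list and hostname below is constructed. The pattern check applies the shape CAs actually issue and browsers honour (a single `*` that is the entire leftmost label, with at least two labels after it), which is stricter than the partial-label forms RFC 6125 merely tolerates.

```python
# Added example (not from the thread or Let's Encrypt): a small checker that
# applies the wildcard rules discussed above to a list of dNSName SAN entries.
# example.com stands in for the thread's (unshown) domain; all data is constructed.


def _labels(name: str) -> list:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def is_valid_san_pattern(pattern: str) -> bool:
    """Return True if `pattern` is a dNSName a CA would issue and a browser
    would honour.  Wildcard rules applied (the practical subset of RFC 6125,
    as required by CA/Browser Forum policy):
      - at most one '*',
      - the '*' must be the entire leftmost label,
      - at least two labels must follow it, so '*' and '*.com' are rejected.
    """
    labels = _labels(pattern)
    if any(label == "" for label in labels):
        return False                       # empty label, e.g. 'a..example.com'
    if "*" not in pattern:
        return True                        # plain name, no wildcard to check
    if pattern.count("*") != 1:
        return False                       # '*.*.example.com'
    if labels[0] != "*":
        return False                       # 'a.*.example.com', 'f*o.example.com'
    return len(labels) >= 3                # '*.com' has only one label after it


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if the SAN entry `pattern` covers `hostname`.

    A wildcard stands in for exactly one label, so the label counts must be
    equal: '*.example.com' covers 'www.example.com' but neither the apex
    'example.com' (one label short) nor 'a.www.example.com' (one label over).
    """
    if not is_valid_san_pattern(pattern):
        return False
    p, h = _labels(pattern), _labels(hostname)
    if any(label == "" for label in h):
        return False
    if "*" not in pattern:
        return p == h                      # exact, case-insensitive match
    return len(p) == len(h) and p[1:] == h[1:]


def covering_names(san_entries, hostname: str) -> list:
    """Return the SAN entries from `san_entries` that cover `hostname`.
    An empty list means a validator would reject the certificate for that name."""
    return [n for n in san_entries if hostname_matches(n, hostname)]


def main() -> None:
    # Constructed SAN list: what a cert for "apex + wildcard" typically holds.
    sans = ["example.com", "*.example.com"]
    for host in ["example.com",          # apex: covered by the explicit entry
                 "www.example.com",      # one label below: covered by the wildcard
                 "a.www.example.com"]:   # two labels below: covered by nothing
        print(f"{host:22} -> {covering_names(sans, host) or 'NOT COVERED'}")
    # Covering the deeper name needs a second wildcard one label further down.
    print(covering_names(sans + ["*.www.example.com"], "a.www.example.com"))


if __name__ == "__main__":
    main()
```

Running it prints the apex and `www` names as covered and `a.www.example.com` as NOT COVERED until `*.www.example.com` is added as a further SAN entry.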

Something has changed!
Until October, with automatic renewal every 3 months,
I had 4 certificates:

cert.pem, chain.pem, fullchain.pem , privkey.pem

I was using these for all domain levels:

Those 4 files are just a single certificate.


They should be the components of the wildcard that covers all of


Not all of as already said earlier.

At this moment I'm not sure what your current question/problem really is. Without your actual domain name and/or a lot more information, I'm not sure how to help you at this moment.


This statement needs more... clarity:

A cert can hold up to 100 SAN entries.
[which can (all) be wildcard entries]
If you covered a name explicitly (without a wildcard) then, you should be able to do so now.
If you covered a name implicitly (with a wildcard) then, you should be able to do so now.
So...what has changed since October?

