Error on the 4 level domain

On 11 November I renewed the wildcard certificate for *.domain.com

The certificate on the first, second and third level works fine and is recognized by the browser.

While the fourth level https://admin.internal.domain.com gives me the following error:

NET::ERR_CERT_COMMON_NAME_INVALID

My server is Linux Ubuntu 16.04.5 LTS

My Webserver is nginx version: nginx/1.14.0

Wildcard labels in certificates are only valid for one level, which is the level they're on.

That is, a certificate for *.example.com is valid for a.example.com, b.example.com and so on, but not for sub.a.example.com. You would need a wildcard covering *.a.example.com. Note that the wildcard can only ever be the leftmost part in the DNS name.

It is also not valid for higher levels, that is *.example.com is not valid on the apex example.com or on the TLD .com (which is why you usually want to include both apex and the wildcard as an alternative name in the certificate).

This is not a restriction by Let's Encrypt, but just the way wildcards are currently specified/implemented in X.509 certificates/validators.

See also RFC 6125 which talks about the topic.

6 Likes

Also note that only a single wildcard is allowed. So e.g. *.*.example.com is invalid.

(@Nummer378 already said as much, but I'd like to clarify that "can only be the leftmost part in the DNS name" is restricted to a single *.)

5 Likes

And to further clarify the unnecessary and obvious, the following are also all invalid:

x*.example.com
*x.example.com
x*z.example.com
x.*.example.com
*example.com
**.example.com

1 Like
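As an added example (not code from the thread), here is a small Python matcher that implements the rules the replies above describe: a single `*` that must be the entire leftmost label, matching exactly one label, never the apex, and never anything like `x*`, `*x` or `*.*`. The names used in the checks are the constructed examples from this thread.

```python
import re

# One DNS label: letters, digits and hyphens, not starting or ending with '-'.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def is_valid_name(name: str) -> bool:
    """True for a plain DNS name, or a wildcard name whose only '*' is the
    whole leftmost label (RFC 6125 section 6.4.3 style matching)."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2 or "" in labels:
        return False
    first, rest = labels[0], labels[1:]
    if "*" in first:
        # rejects x*, *x, x*z, ** and *example (no dot after the '*')
        if first != "*":
            return False
        # a wildcard directly on a TLD (*.com) is not accepted by CAs/browsers
        if len(rest) < 2:
            return False
    elif not _LABEL.match(first):
        return False
    # '*' is never allowed in any label but the leftmost (x.*.example.com)
    return all(_LABEL.match(label) for label in rest)


def matches(cert_name: str, host: str) -> bool:
    """Does one SAN dNSName entry cover the requested host name?"""
    if "*" in host or not is_valid_name(cert_name) or not is_valid_name(host):
        return False
    c = cert_name.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if c[0] != "*":
        return c == h            # exact name: label-for-label equality
    # wildcard: host must have the same number of labels (so '*' covers
    # exactly one level) and every label right of '*' must be identical
    return len(c) == len(h) and c[1:] == h[1:]


def covered_by(san_entries, host: str) -> bool:
    """True if any dNSName in the certificate's SAN list covers host."""
    return any(matches(entry, host) for entry in san_entries)


if __name__ == "__main__":
    sans = ["domain.com", "*.domain.com"]          # constructed SAN list
    for h in ["domain.com", "internal.domain.com", "admin.internal.domain.com"]:
        print(f"{h}: {'covered' if covered_by(sans, h) else 'NOT covered'}")
```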

Something has changed!
Until October, with automatic renewal every 3 months,
I had 4 certificates:

cert.pem, chain.pem, fullchain.pem , privkey.pem

I was using these for all domain levels:

domain.com
internal.domain.com
admin.internal.domain.com

Those 4 files are just a single certificate.

2 Likes

They should be the components of the wildcards that covers all of

  • *.domain.com

Not all of *.domain.com, as already said earlier.

At this moment I'm not sure what your current question/problem really is. Without your actual domain name and/or a lot more information, I'm not sure how to help you at this moment.

3 Likes

This statement needs more... clarity:

A cert can hold up to 100 SAN entries.
[which can (all) be wildcard entries]
If you covered a name explicitly (without a wildcard) then, you should be able to do so now.
If you covered a name implicitly (with a wildcard) then, you should be able to do so now.
So...what has changed since October?

2 Likes