No *.*.domain.com certificate allowed


#1

hi,

The request message was malformed :: Error creating new order :: DNS name had more than one wildcard

Is it intentionally disallowed, technically not possible, or a bug?
I use certbot on linux (Ubuntu Xenial).

Thank you,
tamas


#2

That error would occur if you tried e.g.

*.*.example.org

Wildcards can only appear once as the left-most label in a DNS name.

It’s fine to have a certificate that’s like:

*.example.org
*.x.example.org

Make sure you invoke Certbot with each domain separate:

-d "*.example.org" -d "*.x.example.org"

not

-d "*.example.org,*.x.example.org"

or something.
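The rule in the reply above (at most one wildcard, and only as the entire left-most label) is easy to check before handing names to Certbot, so a malformed SAN list is caught locally instead of as a rejected order. The validator below is an added example for this thread, not Certbot's or the CA's own code; the label regex, the extra "wildcard needs two labels to its right" rule and the function names are assumptions made here, and the rejection message for a double wildcard mirrors the one quoted in the question.

```python
import re
from typing import Iterable, Tuple

# Hostname label per RFC 1035 syntax: letters, digits, hyphens, 1-63 chars,
# no leading or trailing hyphen. Assumed here; a CA may apply stricter rules.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_san(name: str) -> Tuple[bool, str]:
    """Return (ok, reason) for one DNS subject alternative name.

    Rules applied (hypothetical validator, matching the forum reply):
      * at most one wildcard label
      * the wildcard must be the whole label, and the left-most one
      * the wildcard must have at least two labels to its right, so that
        e.g. "*.com" (a whole TLD) is rejected  (assumed extra rule)
    """
    if not name or name.endswith("."):
        return False, "empty name or trailing dot"
    labels = name.split(".")
    wildcard_positions = [i for i, lbl in enumerate(labels) if "*" in lbl]
    if len(wildcard_positions) > 1:
        return False, "DNS name had more than one wildcard"
    if wildcard_positions:
        pos = wildcard_positions[0]
        if labels[pos] != "*":
            return False, "wildcard must be the entire label (no 'foo*')"
        if pos != 0:
            return False, "wildcard must be the left-most label"
        if len(labels) < 3:
            return False, "wildcard needs at least two labels to its right"
    for lbl in labels:
        if lbl == "*":
            continue
        if not LABEL_RE.match(lbl):
            return False, f"invalid label {lbl!r}"
    return True, "ok"


def check_sans(names: Iterable[str]) -> Tuple[bool, str]:
    """Validate a whole SAN list the way a CA front end would: first failure wins."""
    for n in names:
        ok, why = check_san(n)
        if not ok:
            return False, f"{n}: {why}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: the names discussed in this thread.
    for candidate in ["*.*.example.org", "*.example.org", "*.x.example.org"]:
        print(candidate, "->", check_san(candidate))
```

Run the check over the exact list you intend to pass as separate `-d` arguments; a name like `*.x.example.org` passes while `*.*.example.org`, `x.*.example.org` and `foo*.example.org` are all rejected with a specific reason.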


#3

Indeed, later I (we) realized it.
I rewrote the original question.

What’s the reason behind it?
Is it technically not possible?


#4

I’m not sure whether x.509 actually prohibits it, but many browsers and other TLS clients do not understand how to interpret multiple wildcards in a name, so it would be pointless for any CA to issue such a certificate.

That said, looks like they’ve been issued in the past: https://crt.sh/?q=*.*% but they seem to all be revoked, which would indicate that the CABF BRs do not allow it.


#5

Correct.


#6

It would be so great if it changes in the future.

Thanks to letsencrypt we can generate a bunch of certificates. However, the new certificate generation and renewal time limit is quite painful.
*.*.domain.com certificates would help to avoid and work around such an issue :/


#7

Why? It’s a rare case where there’s a legitimate need for a single wildcard. In what cases do you really need two levels of wildcards?


#8

It’s quite common here using subdomains.

Like:

service1.client1.domain.com
service2.client1.domain.com

And so on…

Unfortunately the request limit is counted for *.domain.com .


#9

That’s not an uncommon pattern. If you have a legitimate need, you can request a higher rate limit. You can find the link on https://letsencrypt.org/docs/rate-limits/


#10

In such a scenario, domain.com should probably be on the public suffix list, unless you want all your clients to be sharing cookies.


#11

Actually what’s the common pattern?
I’m interested in how companies use letsencrypt. At a smaller scale it’s not an issue, but at a larger one there are so many.
Is there a best-practice guide to help sysadmins avoid such issues and also request an increase of the limit? I guess they don’t do it easily for everyone.


#12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.