Problem with unregistered arbitrary subdomains

I have a demo ASP.NET Core application hosted at, and a Let's Encrypt SSL certificate for that subdomain is installed. I also have a separate working Let's Encrypt SSL cert for the root domain. All is fine, but typing in just any subdomain like shows a "Your connection is not private" privacy error page with the error: "NET::ERR_CERT_COMMON_NAME_INVALID". Then, clicking on the advanced button and then the "Proceed to" link takes me to the page with a "Not Safe" indication where the SSL padlock would usually be. And it actually shows the contents of the subdomain site. How can I prevent this from happening?

I thought maybe my A and CNAME DNS records might be misconfigured but I think they seem alright, as far as I know. But they could be misconfigured all the same.

BTW, I tried to install a Let's Encrypt wildcard SSL cert, but it was a pain in the neck. I simply couldn't get past the step of adding the specified DNS record and continuing the setup process.


Welcome to the Let's Encrypt Community :slightly_smiling_face:

Remove this and you'll be fine:
* 3599 IN CNAME

Either specify the CNAMEs of your subdomains individually or you'll have to gracefully handle all the unspecified ones in your webserver configuration.

The host/name of the TXT record for * should be This is the same host/name of the TXT record for They will have different values though, which will be specified by your ACME client.


Hi @PlexiClass

That behaviour is a result of your configuration - see

| Host | Type | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| | A | Piscataway/New Jersey/United States (US) - Choopa | yes | 1 | 0 |
| | AAAA | | yes | | |
| | A | Piscataway/New Jersey/United States (US) - Choopa | yes | 1 | 0 |
| | AAAA | | yes | | |
| * | A | | yes | | |
| | AAAA | | yes | | |

You have a wildcard DNS, so every subdomain has an A record.

Conclusion: Remove that wildcard.

Curious definition of "fine" you have :stuck_out_tongue: Substitute a (valid!) certificate error with a DNS NXDOMAIN error :wink:

Perhaps I don't grasp the actual issue here, but isn't the answer to this just "Don't enter random and non-functional hostnames in the address bar of your browser."?

Removing the wildcard "*" CNAME DNS record fixed it. I had a feeling that this was the culprit. Thanks.

"Don't enter random and non-functional hostnames in the address bar of your browser." -- Well I'm just a curious guy and very thorough in everything. So I just happened to test it with a non-functional subdomain. :wink:


If there is no A or CNAME wildcard record, there is no IP address, so there is no such answer.
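
As an added illustration that is not part of the thread: a small model of the two outcomes discussed above, in which a wildcard record makes every name resolve and the certificate then decides between a padlock and NET::ERR_CERT_COMMON_NAME_INVALID, while with the wildcard removed the same name gets NXDOMAIN. The zone contents, the SAN list and the name example.com are constructed stand-ins.

```python
# Added example (not from the thread): model why a wildcard DNS record turns a
# harmless NXDOMAIN into a certificate error. Zone contents and SAN lists are
# constructed stand-ins; example.com is a placeholder for the poster's domain.
ORIGIN = "example.com"
# Constructed zone data: relative owner name -> record type.
ZONE_WITH_WILDCARD = {"@": "A", "www": "A", "demo": "CNAME", "*": "CNAME"}
ZONE_FIXED = {"@": "A", "www": "A", "demo": "CNAME"}   # wildcard removed
# Constructed subjectAltName list of the certificate the server presents.
CERT_SANS = ["example.com", "www.example.com", "demo.example.com"]


def resolves(zone, name, origin=ORIGIN):
    """Simplified RFC 4592 lookup: an explicit record wins; otherwise a '*'
    record matches only when no ancestor between the name and the origin
    exists in the zone (such an ancestor would be the closer encloser)."""
    if name == origin:
        return "@" in zone
    if not name.endswith("." + origin):
        return False
    rel = name[: -len(origin) - 1]            # "a.b" for a.b.example.com
    if rel in zone:
        return True
    labels = rel.split(".")
    ancestors = [".".join(labels[i:]) for i in range(1, len(labels))]
    if any(a in zone for a in ancestors):
        return False
    return "*" in zone


def cert_covers(sans, name):
    """RFC 6125 hostname matching: exact SAN, or '*.suffix' covering exactly
    one leftmost label (so *.example.com never covers a.b.example.com)."""
    for san in sans:
        if san.startswith("*."):
            suffix = san[1:]                   # ".example.com"
            if name.endswith(suffix):
                left = name[: -len(suffix)]
                if left and "." not in left:
                    return True
        elif san == name:
            return True
    return False


def browser_outcome(zone, sans, name):
    """What the browser reports for https://<name>/."""
    if not resolves(zone, name):
        return "NXDOMAIN"                      # address is wrong: user problem
    if not cert_covers(sans, name):
        return "NET::ERR_CERT_COMMON_NAME_INVALID"  # server side: webmaster problem
    return "OK"
```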


That's very true, like I said, you're substituting error A for error B.

But I guess it's true an NXDOMAIN error is more correct than a certificate error.


An NXDOMAIN error says: "The URL in your browser is wrong; change that, maybe a typo" -> user problem

A certificate error is a configuration problem of that webserver port 443 with that IP address -> webmaster problem

