Problem with unregistered arbitrary subdomains

I have a demo ASP.NET Core application hosted at https://pgapartments.rajnarayanan.com, and a Let's Encrypt SSL certificate for that subdomain is installed. I also have a separate working Let's Encrypt SSL cert for the root domain, rajnarayanan.com. All is fine, but typing in just any subdomain like blah.rajnarayanan.com shows a "Your connection is not private" privacy error page with the error: "NET::ERR_CERT_COMMON_NAME_INVALID". Then, clicking on the advanced button and then the "Proceed to blah.rajnarayanan.com" link takes me to the blah.rajnarayanan.com page with a "Not Safe" indication where the SSL padlock would usually be. And it actually shows the contents of the pgapartments.rajnarayanan.com subdomain site. How can I prevent this from happening?

I thought maybe my A and CNAME DNS records might be misconfigured but I think they seem alright, as far as I know. But they could be misconfigured all the same.

BTW, I tried to install a Let's Encrypt wildcard SSL cert, but it was a pain in the neck. I simply couldn't get past the step of adding the specified DNS record and continuing the setup process.


Welcome to the Let's Encrypt Community :slightly_smiling_face:

Remove this and you'll be fine:

```
*.rajnarayanan.com. 3599 IN CNAME rajnarayanan.com.
```

Either specify the CNAMEs of your subdomains individually or you'll have to gracefully handle all the unspecified ones in your webserver configuration.

The host/name of the TXT record for *.rajnarayanan.com should be _acme-challenge.rajnarayanan.com. This is the same host/name of the TXT record for rajnarayanan.com. They will have different values though, which will be specified by your ACME client.


Hi @PlexiClass

That behaviour is a result of your configuration - see https://check-your-website.server-daten.de/?q=rajnarayanan.com

| Host | Type | IP address | Location / hostname | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|---|
| rajnarayanan.com | A | 149.28.59.84 | Piscataway/New Jersey/United States (US) - Choopa, hostname: 149.28.59.84.vultr.com | yes | 1 | 0 |
| | AAAA | | | yes | | |
| www.rajnarayanan.com | A | 149.28.59.84 | Piscataway/New Jersey/United States (US) - Choopa, hostname: 149.28.59.84.vultr.com | yes | 1 | 0 |
| | AAAA | | | yes | | |
| *.rajnarayanan.com | A | 149.28.59.84 | | yes | | |
| | AAAA | | | yes | | |
| | CNAME | rajnarayanan.com | | yes | | |

You have a wildcard DNS record, so every subdomain has an A record.

Conclusion: Remove that wildcard.
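To make the two replies above concrete (the wildcard DNS record that synthesises an answer for any subdomain, and the browser's name check that then fails because the server's default virtual host hands out the pgapartments.rajnarayanan.com certificate), here is an added example that models both steps. It is not code from the thread or from Let's Encrypt; the zone contents and the certificate name list are constructed to mirror the thread's setup, and the wildcard handling is a simplified version of RFC 4592 (one missing label only).

```python
"""Why an unregistered subdomain reaches the site and then fails the TLS check.

Added example, not code from the thread. Zone contents and certificate
name lists are constructed for illustration.
"""

# Constructed zone data: record name -> (type, value). The wildcard CNAME is
# the record the thread identified as the culprit.
ZONE_WITH_WILDCARD = {
    "rajnarayanan.com": ("A", "149.28.59.84"),
    "www.rajnarayanan.com": ("A", "149.28.59.84"),
    "pgapartments.rajnarayanan.com": ("A", "149.28.59.84"),
    "*.rajnarayanan.com": ("CNAME", "rajnarayanan.com"),
}
# The same zone after the fix: wildcard removed, each host named explicitly.
ZONE_FIXED = {k: v for k, v in ZONE_WITH_WILDCARD.items() if not k.startswith("*.")}

# Names in the certificate the default virtual host serves (constructed).
SERVED_CERT_SANS = ["pgapartments.rajnarayanan.com"]

NXDOMAIN = None


def resolve(name, zone, _depth=0):
    """Simplified wildcard-aware lookup (after RFC 4592): an exact record wins;
    otherwise '*.<parent>' synthesises an answer for a single missing label.
    Returns an IP address string, or NXDOMAIN (None) if nothing matches."""
    name = name.lower().rstrip(".")
    record = zone.get(name)
    if record is None and "." in name:
        record = zone.get("*." + name.split(".", 1)[1])
    if record is None:
        return NXDOMAIN
    rtype, value = record
    if rtype == "CNAME":
        # Follow the alias; cap depth so a looping zone cannot recurse forever.
        return resolve(value, zone, _depth + 1) if _depth < 8 else NXDOMAIN
    return value


def hostname_matches(hostname, san_names):
    """Browser-style name check (RFC 6125 rules): exact match, or a wildcard
    that is the whole leftmost label of a name with at least two further
    labels and that covers exactly one label of the hostname."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for san in san_names:
        san_labels = san.lower().rstrip(".").split(".")
        if len(san_labels) != len(host_labels):
            continue  # a wildcard never spans more than one label
        if "*" not in san:
            if san_labels == host_labels:
                return True
            continue
        if san_labels[0] != "*" or len(san_labels) < 3 or any("*" in lab for lab in san_labels[1:]):
            continue  # malformed or over-broad wildcard, e.g. "*.com" or "pga*.example.com"
        if san_labels[1:] == host_labels[1:]:
            return True
    return False


def browser_outcome(hostname, zone, cert_sans):
    """What the address bar ends up showing for a given hostname."""
    if resolve(hostname, zone) is NXDOMAIN:
        return "NXDOMAIN"  # nothing to connect to: a DNS error, not a TLS one
    if hostname_matches(hostname, cert_sans):
        return "OK"
    return "NET::ERR_CERT_COMMON_NAME_INVALID"


if __name__ == "__main__":
    for host in ("pgapartments.rajnarayanan.com", "blah.rajnarayanan.com"):
        print(f"{host:32} with wildcard: {browser_outcome(host, ZONE_WITH_WILDCARD, SERVED_CERT_SANS)}")
        print(f"{host:32} after fix:     {browser_outcome(host, ZONE_FIXED, SERVED_CERT_SANS)}")
```

Running it shows the before/after from the thread: with the wildcard record, blah.rajnarayanan.com resolves to the same address and the browser reports NET::ERR_CERT_COMMON_NAME_INVALID because the served certificate only names pgapartments.rajnarayanan.com; with the wildcard removed, the same name gets NXDOMAIN and never reaches the web server. The matcher also shows why a cert for rajnarayanan.com alone does not cover subdomains, and why a *.rajnarayanan.com wildcard covers one label but not two.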

Curious definition of "fine" you have :stuck_out_tongue: Substitute a (valid!) certificate error with a DNS NXDOMAIN error :wink:

Perhaps I don't grasp the actual issue here, but isn't the answer to this not just "Don't enter random and non-functional hostnames in the address bar of your browser."?

Removing the wildcard "*.rajnarayanan.com" CNAME DNS record fixed it. I had a feeling that this was the culprit. Thanks.

"Don't enter random and non-functional hostnames in the address bar of your browser." -- Well I'm just a curious guy and very thorough in everything. So I just happened to test it with a non-functional subdomain. :wink:


If there is no A or CNAME wildcard record, there is no IP address, so there is no such answer.


That's very true, like I said, you're substituting error A for error B.

But I guess it's true an NXDOMAIN error is more correct than a certificate error.


An NXDOMAIN error says: "The URL in your browser is wrong, change that, maybe a typo" -> user problem

A certificate error is a configuration problem of that webserver on port 443 with that IP address -> webmaster problem

