SSL certificate for 2-level subdomain

Question: Certificate is generated; however, it gives an ERR_CERT_COMMON_NAME_INVALID error
Question: Do I need to give certificate request for *.example.com and *.subdom1.example.com, create a chain? Would requesting *.example.com be affected by or affect test.example.com?

Details below...

My domain is: Say example.com
I ran this command:

  • I am using IBM Cloud - Internet Services and Certificate Service for creating the SSL certificates.

Background:

  • This is a POC environment, which already has a DigiCert certificate for, say, test.example.com
  • Now, trying to create a Let's Encrypt certificate for, say, *.subdom1.example.com for a machine that is not controlled by us, but needs to be on the same domain for redirection with SSO.
  • Certificate is generated; however, it gives an ERR_CERT_COMMON_NAME_INVALID error

Question: Do I need to give certificate request for *.example.com and *.subdom1.example.com, create a chain? Would requesting *.example.com be affected by or affect test.example.com?

It produced this output:

  • Certificate is generated; however, it gives an ERR_CERT_COMMON_NAME_INVALID error

My web server is (include version): React.js 16.13.1
The operating system my web server runs on is (include version): Linux on Kubernetes (not sure about exact flavor and version)

My hosting provider, if applicable, is: DNS and Certificates generated on IBM Cloud (SoftLayer), certificates are used in Azure

I can login to a root shell on my machine (yes or no, or I don't know): No

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): IBM Cloud Internet Services and Certificate Services

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Not using certbot

As best as I can discern your question, it seems that the site that is causing the error is providing a cert that doesn't match the name shown in the URL.
If both names go to/through the same IP, then that IP will need both certs (or one cert with both names) and the full understanding of SNI (in order to serve the right cert to match the requested name).

But this is really not a forum for technical design questions.
Especially those that are required by, or for, for-profit business(es).
We volunteer here to help those that have tried to use ACME clients to obtain LE certs and have run into trouble.

[we don't get paid - and we didn't sign up to help everyone/company who has any cert related problem]

But maybe that's just the sceptic in me talking...wait five minutes and someone else might be at the helm.

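The name-mismatch and SNI points in the reply above can be checked offline. This is an added example, not part of the original thread: a simplified RFC 6125-style matcher in which a wildcard covers exactly one leftmost label, plus SNI-style certificate selection. The host label `app`, the inventory labels and the function names are constructed for illustration.

```python
from __future__ import annotations

# Added example: simplified RFC 6125-style DNS name matching plus SNI-style
# certificate selection. Host labels such as "app" are constructed samples.


def name_matches(hostname: str, pattern: str) -> bool:
    """True if one certificate DNS name (SAN entry) covers hostname."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        # A wildcard stands for exactly one label, so label counts must agree.
        return False
    if pat[0] == "*":
        # Only a whole leftmost label may be a wildcard; require at least
        # two literal labels after it so "*.com" style patterns never match.
        return len(pat) >= 3 and bool(host[0]) and host[1:] == pat[1:]
    return host == pat


def cert_covers(hostname: str, san_names: list[str]) -> bool:
    """True if any name on the certificate covers hostname."""
    return any(name_matches(hostname, n) for n in san_names)


def select_cert(sni_name: str, certs: dict[str, list[str]]) -> str | None:
    """Pick the first configured certificate whose names cover the SNI name."""
    for label, names in certs.items():
        if cert_covers(sni_name, names):
            return label
    return None


# Constructed inventory modelled on the names in the question.
CERTS = {
    "digicert-test": ["test.example.com"],
    "le-wildcard-subdom1": ["*.subdom1.example.com"],
}

if __name__ == "__main__":
    for host in ("test.example.com", "app.subdom1.example.com",
                 "subdom1.example.com", "a.b.subdom1.example.com"):
        print(f"{host:28} -> {select_cert(host, CERTS)}")
    # A *.example.com certificate is one label too shallow for the new host.
    print(cert_covers("app.subdom1.example.com", ["*.example.com"]))
```

A request for a name that no configured certificate covers returns `None`; a server in that position typically falls back to a default certificate, which is when the browser reports the name mismatch.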
