SSL: certificate subject name (* does not match target host name ''


Web server: Apache/2.4.18 (Ubuntu)
Operating system my web server runs on: Ubuntu 16.04
Can login to a root shell on my machine: Yes
Using a control panel: No

Obtained wildcard certificate with certbot-auto with the following command:

sudo ./certbot-auto certonly \
--server \
--manual --preferred-challenges dns \
--renew-by-default \
-d *

Got the following 4 files

cert.pem chain.pem fullchain.pem privkey.pem

in location /etc/letsencrypt/live/

Set up the Apache vhost file with the following:

<VirtualHost *:80>
    Redirect permanent /
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/
    SSLCertificateKeyFile /etc/letsencrypt/live/
    SSLCertificateChainFile /etc/letsencrypt/live/
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Then restarted the Apache server, but browsers are complaining:


The virtual host is working as it redirects http to https.

curl -v

* Rebuilt URL to:
*   Trying
* Connected to ( port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 604 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* 	 server certificate verification OK
* 	 server certificate status verification SKIPPED
* SSL: certificate subject name (* does not match target host name ''
* Closing connection 0
curl: (51) SSL: certificate subject name (* does not match target host name ''

What could be the cause of the error?


Hi @quakig

if you want to use a wildcard-certificate * with - you have to create a wildcard certificate with two names:


* doesn’t match

So you need two dns-entries with the same name

and two different values.


This is correct, and a really common mistake. * matches exactly that, something (dot) hcx (dot) global. It will not match or

You need to add the base domain as a second name if you want the certificate to be valid for it.


Inspired by rules for wildcards in Unix and DOS, where if the dot is present in the wildcard, it must also be present in matched filename.
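
The matching rule described in the replies above, as an added example that is not part of the original thread: a simplified RFC 6125 style check of a certificate's DNS names against the hostnames a server should answer for. `example.com` is a placeholder for the poster's domain, and the function names and SAN lists are constructed for illustration.

```python
# Added example: simplified wildcard matching in the style of RFC 6125.
# Assumption: the wildcard is only honoured as the entire left-most label.
# example.com is a placeholder domain, not the one from the thread.

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate dNSName entry covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # "*" stands for exactly one non-empty label, so the label counts
    # must be equal: *.example.com can never cover example.com.
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Refuse over-broad patterns such as "*.com" (simplification of
        # the public-suffix checks real clients perform), then compare
        # everything to the right of the wildcard literally.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_covers(san_names, hostname):
    """True if any name on the certificate covers hostname."""
    return any(dns_name_matches(name, hostname) for name in san_names)


def missing_names(san_names, wanted_hosts):
    """Hostnames that clients would reject with a name-mismatch error."""
    return [h for h in wanted_hosts if not cert_covers(san_names, h)]


# Constructed SAN lists: the certificate as issued in the question,
# and the two-name certificate the replies recommend.
WILDCARD_ONLY = ["*.example.com"]
WILDCARD_AND_BASE = ["*.example.com", "example.com"]
WANTED = ["example.com", "www.example.com", "a.b.example.com"]

if __name__ == "__main__":
    for label, sans in (("wildcard only", WILDCARD_ONLY),
                        ("wildcard + base", WILDCARD_AND_BASE)):
        print(f"{label}: not covered -> {missing_names(sans, WANTED)}")
```

Running the same check against the names actually present on a deployed certificate, before pointing clients at it, catches this mismatch ahead of the browser warning.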

