Sub-subdomain (second level subdomains) and wildcard certificate


I’m using on a FreeBSD iocage jail with nginx and other instances with apache24.
I’m running at home a FreeNAS host which is exposed by a DynDNS through a Fritz!box.

I want to know, if it is currently possible for me to use a wildcard certificate for (nginx), (non standard 443 port, apache24) and several sub-subdomains like * e.g. Also offers as TLD *.bz and *.eu and AVM Fritz!box is available on

Though I don’t controll,, or

For wildcard certificates, you’ll need to be able to control the DNS settings of the (sub-)sub domain. It isn’t necessary to control the “base” domain, as long as you can add a TXT record to a specific subdomain of the (sub)domain you want a certificate for. For example: you’ll need to be able to add a TXT record called to the public DNS.

Thank you very much. So I have to find out, if I can sufficiently control my subdomain, to add that record in the DynDNS section.

I was wondering, if --stateless mode might working as well. But it seems to rely on the DNS TXT method.

stateless mode, command to output thumbprint #575

Any way to make “stateless” work with wildcard ssl request? #1965

»Neilpang ### Neilpang commented [on 16 Dec 2018]
wildcard cert must use dns method.«

Hi @floogy

it's possible to create such a certificate.

But it may not work. Checked your domain ( )

name "" is subdomain, public suffix is "bz", top-level-domain-type is "country-code", Country is Belize, tld-manager is "University of Belize" isn't on the public suffix list.

Result: You use a subdomain, not a domain.

Per domain are max. 50 new certificates per week possible.

If you check

you see: There are a lot Letsencrypt certificates.

There are other users with the same domain and the same problem. Creating new certificates was nearly impossible. It's a general problem, the owner of should add the domain to the public suffix list.

Thank you, does this apply to the as well?

Yes, it's a general problem using something from selfhost.*

None of these selfhost - domains are on the public suffix list.

I’ve updated my tool, so now - - subdomains are visible. There is no valid certificate with, that had blocked.

The result:

Last Certificates - Certificate Transparency Log Check (BETA)

Issuer last 7 days active num Certs
CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 33 456 3390
CN=Let’s Encrypt Authority X1, O=Let’s Encrypt, C=US 0 0 67
CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, C=GB, ST=Greater Manchester 0 9 27
CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, C=GB, ST=Greater Manchester 0 4 6
CN=StartCom Class 1 DV Server CA, OU=StartCom Certification Authority, O=StartCom Ltd., C=IL 0 0 6
CN=PositiveSSL CA 2, O=COMODO CA Limited, L=Salford, C=GB, ST=Greater Manchester 0 0 1
CN=WoSign CA Free SSL Certificate G2, O=WoSign CA Limited, C=CN 0 0 1
CN=Symantec Basic DV SSL CA - G2, OU=Domain Validated SSL, O=Symantec Corporation, C=US 0 0 1

In the last 7 days 33 certificates were created.

So if you have luck, you can create some certificates.

But 50 per week per domain are the maximum if there isn’t an exception and if the domain isn’t part of the Public Suffix List.

PS: Checked the, there are 112 certificates in the last 7 days. So there are max. 50 new, all other are renews.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.