Wildcard cert subdomain depth: Only 1 domain depth?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: *.works.wtf (literally.nothing.works.wtf)

I ran this command: bash ./certbot-auto certonly --manual -d *.works.wtf --agree-tos --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

It produced this output: `IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:` – Usual stuff, cert works normally.

My web server is (include version): Plesk Onyx (uses both apache and nginx for some reason)

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk Onyx

Yes, wildcard certs only work for direct subdomains, as you’ve noticed. If you wanted a cert to work on literally.nothing.works.wtf, you would need to get a cert for *.nothing.works.wtf. If you also want to serve stuff on a subdomain of works.wtf, you could also add *.works.wtf to the certificate


Huh, well that’s a pain. Thanks for the information.

It’s also important to note that wildcards don’t inherently work for the base domain. E.g. *.works.wtf will not be valid for https://works.wtf. You would need to put both *.works.wtf and works.wtf on the certificate.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.