Wildcard certificate is considered invalid by Google Chrome

My domain is:
sdxlive.com

in /etc/nginx/sites-enabled/git.sdxlive.com.conf
ssl_certificate /etc/nginx/tls/sdxlive.com.chained.crt;
ssl_certificate_key /etc/nginx/tls/sdxlive.com_rsakey.pem;

systemctl restart nginx

It produced this output:
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2019-09-24 17:56:10 CEST; 1s ago
Docs: man:nginx(8)
Process: 26779 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 26794 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Main PID: 26795 (nginx)
Tasks: 5 (limit: 4915)
Memory: 13.6M
CGroup: /system.slice/nginx.service
├─26795 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
├─26796 nginx: worker process
├─26797 nginx: worker process
├─26798 nginx: worker process
└─26799 nginx: worker process

Sep 24 17:56:10 systemd[1]: Starting A high performance web server and a reverse proxy server…
Sep 24 17:56:10 systemd[1]: Started A high performance web server and a reverse proxy server.

My web server is (include version):
nginx 1.17.3

The operating system my web server runs on is (include version):
Ubuntu 19.10

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
ansible 2.8.5

So, there is no issue with a Let's Encrypt SAN certificate: Chrome is happy with it.
Switching to a Let's Encrypt wildcard certificate and restarting nginx makes Chrome frown with an “invalid certificate” wince.
The wildcard certificate has just been successfully obtained from Let's Encrypt.

Since then, I have switched back to a SAN certificate.

I don’t see any *.sdxlive.com certificates in CT search websites.

https://crt.sh/?q=%sdxlive.com

There were three certificates for sdxlive.com issued today, but that’s not a wildcard. It just works for https://sdxlive.com/.

You probably want a certificate that includes both sdxlive.com and *.sdxlive.com.

Hi @jean-christophe-manc

there is the certificate with the subdomain git:

CN=git.sdxlive.com
  issued:  02.08.2019
  expires: 31.10.2019 (expires in 37 days)
  git.sdxlive.com - 1 entry

So

  • it’s not a wildcard certificate
  • and it’s invalid

Do you have your own vHost for your main domain?

OK, my bad.
I reissued another wildcard certificate with both “*.sdxlive.com” and “sdxlive.com” in the alt names.
Now Chrome is happy.
Thanks.
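The reason the reissue fixed it is the wildcard matching rule browsers apply (RFC 6125): `*` stands for exactly one leftmost DNS label, so `*.sdxlive.com` covers `git.sdxlive.com` but neither the apex `sdxlive.com` nor `a.b.sdxlive.com`. The following is an added example, not code from this thread or from Let's Encrypt; the SAN lists are constructed to mirror the two certificates discussed, and the matcher is a simplification that does not consult the public suffix list.

```python
"""Check which hostnames a certificate's SAN list covers, using browser-style
wildcard matching: '*' matches exactly one leftmost DNS label, nothing more.
Added example; the SAN lists below are constructed to mirror the thread."""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if the DNS name `pattern` (possibly '*.example.com') covers `hostname`."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    # Only a whole leftmost label may be a wildcard ('*.sdxlive.com');
    # partial wildcards such as 'g*.sdxlive.com' are rejected outright.
    head, sep, tail = p.partition(".")
    if head != "*" or not sep or "*" in tail:
        return False
    # Reject wildcards too close to the root ('*.com'); browsers do the same
    # (they additionally check the public suffix list, which is skipped here).
    if tail.count(".") < 1:
        return False
    host_head, host_sep, host_tail = h.partition(".")
    # The wildcard absorbs exactly one label: 'git.sdxlive.com' matches,
    # 'sdxlive.com' (no label to absorb) and 'a.b.sdxlive.com' (two) do not.
    return bool(host_head and host_sep and host_tail == tail)


def covered_by(sans, hostnames):
    """Map each hostname to the SAN entry that covers it, or None if none does."""
    return {
        host: next((san for san in sans if hostname_matches(san, host)), None)
        for host in hostnames
    }


# Constructed SAN lists: the wildcard-only cert Chrome rejected for the apex,
# and the reissued cert that carries both names.
WILDCARD_ONLY = ["*.sdxlive.com"]
WILDCARD_PLUS_APEX = ["*.sdxlive.com", "sdxlive.com"]
HOSTS = ["sdxlive.com", "git.sdxlive.com", "GIT.sdxlive.com", "a.b.sdxlive.com"]

if __name__ == "__main__":
    for label, sans in (("wildcard only", WILDCARD_ONLY),
                        ("wildcard + apex", WILDCARD_PLUS_APEX)):
        print(f"--- {label}: SAN = {sans}")
        for host, san in covered_by(sans, HOSTS).items():
            print(f"{host:20s} -> {san or 'NOT COVERED'}")
```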
