Wildcard Certificates

I got a wildcard for two domains ssh3112.com and surlysavedhangler.com and www works but the domains don’t. I suppose we could add a redirect for the domains to www but is this by design?

So www.ssh3112.com and $any.ssh3112.com works great but ssh3112.com throws a cert error for the customer/client.

I love what ur doing here…it is sooo appreciated and respected. Thank you!

1 Like

Yes, a wildcard by itself doesn't cover the base domain. You are free to add the base domain as another SAN, though.

3 Likes

Thanks orange, I’m using certbot on centos and it’s brilliantly easy, can u point me in the right direction? I could probably stumble and stammer onto the right doc eventually but if ya got one, could ya share it? Shameless I know, I’m sorry :)

Most likely multiple -d options, make not sure to it'd create new one or modify old renewal config

2 Likes

I tried that…but I didn’t try 4 -d in one command

• *.ssh3112
• *.surly
• ssh3112
• surly

I’ll try that.

1 Like

I got it working and u helped greatly, thank you!

2 Likes

False alarm, it doesn’t work. I’m using nginx with one server block and 3 certificate entries.

• ssh3112
• surly
• *.ssh3112 *.surly

And now only the first two work, the wildcard doesn’t. More investigation I guess.

Assuming you are using Certbot:

certbot certificates will show what certificates are being managed.

You may need to manually update the apache/nginx config files to use the right certificates. Your specific onboarding/enrollment of adding the domain names afterwards may have complicated the automatic installer.

Also, I would suggest descoping this into 2 certificates, one for each "registered" domain, e.g. "example.com + *.example.com" on a cert. This will avoid issues/work required if one domain is sold / registration lapses / dns botched / misc issues. That happens often.

3 Likes
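Added example (not from any poster in this thread and not Certbot code): a small Python check of the wildcard rule discussed above, where `*.example.com` matches exactly one leftmost label and never the base domain, applied to a wildcard-only SAN list and to the suggested one-certificate-per-registered-domain layout. The function names, the SAN lists and the host list are constructed for illustration, using the two domains named in the first post.

```python
"""Which hostnames does a certificate's SAN list actually cover?"""


def san_matches(san: str, host: str) -> bool:
    """Match one dNSName SAN against a hostname (RFC 6125 style).

    A wildcard is honoured only as the complete leftmost label and
    stands for exactly one label, so "*.example.com" matches
    "www.example.com" but not "example.com" or "a.b.example.com".
    """
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False  # base domain and deeper subdomains fail here
    if san_labels[0] == "*":
        # Require at least "*.domain.tld" and a non-empty host label.
        return (len(san_labels) >= 3 and bool(host_labels[0])
                and san_labels[1:] == host_labels[1:])
    return san_labels == host_labels


def uncovered(sans, hosts):
    """Return the hostnames that no SAN in the list matches."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]


def covering_certs(certs, host):
    """Names of the certificates (name -> SAN list) that cover host."""
    return [name for name, sans in certs.items()
            if any(san_matches(s, host) for s in sans)]


# Constructed SAN lists: the wildcard-only certificate from the first
# post, and one certificate per registered domain as suggested above.
WILDCARD_ONLY = ["*.ssh3112.com", "*.surlysavedhangler.com"]
PER_DOMAIN = {
    "ssh3112.com": ["ssh3112.com", "*.ssh3112.com"],
    "surlysavedhangler.com": ["surlysavedhangler.com",
                              "*.surlysavedhangler.com"],
}
# Constructed list of hostnames a client might request.
HOSTS = ["ssh3112.com", "www.ssh3112.com", "a.b.ssh3112.com",
         "surlysavedhangler.com", "www.surlysavedhangler.com"]

if __name__ == "__main__":
    print("wildcard-only cert misses:", uncovered(WILDCARD_ONLY, HOSTS))
    for host in HOSTS:
        print(host, "->", covering_certs(PER_DOMAIN, host) or "NOT COVERED")
```

Feeding it the names listed by `certbot certificates` and the hostnames in each nginx server block shows which certificate each block has to reference.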

Yeah, I think ur right. Can I just delete the certs and start over? Is that descoping? I can look it up too.

I think I found an answer, mv /etc/letsencrypt

Also, it’s difficult to articulate how epic this is. It’s been years since I messed with certs. They used to be not cheap and wildly painful and slow…this is none of that.

Just brilliant, I am so impressed.

If this is a gvt something, the rest of our gvt could use lotsa “this” epic goodness.

3 Likes

No, please do not modify those folders manually. Think of them as the certbot database and only use its commands to modify the contents

certbot delete --cert-name X

from

certbot certificates

Also see below if deleting certs already in use
https://eff-certbot.readthedocs.io/en/latest/using.html#safely-deleting-certificates

4 Likes

It is not :)

2 Likes

Roger that, thank you so much!

2 Likes

Bingo! Brilliant…thank you so much.

2 Likes