Wildcard names incomplete?

Are you sure the wildcard cert for

CN=*.domain.example

should be with only one

X509v3 Subject Alternative Name:
DNS:*.domain.example

and not be complete to cover the root domain itself like this:

X509v3 Subject Alternative Name:
DNS:*.domain.example
DNS:domain.example

I'm afraid certs with only one alternative name DNS:*.domain.example will not work for

https://domain.example

The staging v2 issues incomplete wildcard certs in my opinion, will you fix this in production?

Its up to the client to setup the SAN list in the CSR. If you only request a certificate for *.example.com without adding example.com to the SANs, it's most probably your fault.

3 Likes

You'll get one challenge and this
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Error finalizing order :: Order includes different number of names than CSR specifies",
"status": 403
for csr with both domain itself and *. for subdomains.

You need to submit the same identifiers that you intend to use in the finalization CSR in your initial newOrder request.

edit: To clarify what's already been said: this isn't a bug in our Wildcard implementation.

2 Likes

If you have a server that handle request for * .example.com and another for example.com it may create some security issues if you can't have a certificate valid only for "*.example.com".

1 Like

I think this is not an bug but an feature that shows another point why the challange for
wildcard and domain should be different. For example and company have an Hosting Location where customerXY.domain is hosted on one server and another location with only domain for the company representation and they maybe like to separate this two certificates. But it should be mentioned prominently that often both names should be included.
So that it over more flexibility to the users.

Thank you guys, I got the point.
I successfully received the cert for *.domain.example and domain.example
using a .csr with cn=domain.example and
both

X509v3 Subject Alternative Name:
DNS:domain.example, DNS:*.domain.example

# INFO: Using main config file /etc/dehydrated/config
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for domain.example
 + Found valid authorization for domain.example
 + Handling authorization for domain.example
 + Found valid authorization for domain.example
 + 0 pending challenge(s)
 + Requesting certificate...
 + Checking certificate...
 + Done!
2 Likes

A post was split to a new topic: Wildcard issuance: two TXT records for the same name

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.