Wildcard SSL cert does not work on subdomain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: vadim.com.ru

I ran this command:

It produced this output:

My web server is (include version): nginx 1.18.0

The operating system my web server runs on is (include version): TrueNAS-SCALE-22.12.0

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I have added a CNAME entry to my domain, office.vadim.com.ru, but my cert does not cover it for some reason. I installed it as a wildcard and it really should. It affects running Collabora (LibreOffice) on my own server. It worked for some time with verification disabled, but it stopped working completely.


Shall I add it here as a separate entry maybe? (pic 2)

Not according to the screenshots you posted--according to those (and according to the certificate search at crt.sh), your cert covers only vadim.com.ru, not *.vadim.com.ru. If you want it to be a wildcard cert, you need to include the wildcard subdomain in the cert.

5 Likes

Adding a CNAME doesn't magically create a wildcard certificate. Currently, there are no wildcard certificates issued for your domain: crt.sh | vadim.com.ru

6 Likes

hmm...
So, can I add a CNAME from my domain to your domain...
test.example.com CNAME vadim.com.ru
And your cert will automatically cover the name I used as my test too?

Obviously, DNS can't insert a name into a certificate.
If you need a name in a certificate, then you must get a new certificate that covers that name.
You mention a wildcard [which would cover the extra name], but no wildcard has been issued for that domain:
crt.sh | vadim.com.ru

4 Likes

I hear two different suggestions here - yours and rg305? Which one is easier? Should I re-run as a wildcard or create a new one? Like so?

acme.sh --issue --dns dns_yandex -d '*.vadim.com.ru' --dnssleep 7200

I am trying this one for now:

acme.sh --issue --dns dns_yandex -d office.vadim.com.ru --dnssleep 7200

Yes, and the error is exactly what it says--you haven't issued a cert for *.vadim.com.ru, so acme.sh can't renew that cert.

The command should be acme.sh --issue --dns dns_yandex -d vadim.com.ru -d *.vadim.com.ru --dnssleep 7200, assuming you want a wildcard cert (I assume you do, given your apparent belief that you already had one, but I wonder what made you think you had one). If you wanted a separate cert for office., you could do that instead, import it with a different name (i.e., set a different cert_base_name for my script), and tell the Collabora app to use that cert rather than the default letsencrypt cert. But a wildcard is probably the simpler way to go.

5 Likes

Thanks ! I've already run this command and waiting for dnssleep countdown - should I add it to the cert section in Truenas after that? pic 2

1 Like

You should, but I assume you're using my deploy script for that purpose:

5 Likes

I'm on TrueNAS Scale - is it good for it too? They are about to release a cert-manager with their next update some time next week

AFAIK my script works for SCALE too; the API endpoints and methods are all the same, at least according to the docs. I haven't heard anything about this cert-manager to know how relevant or useful it would be.

5 Likes

It is discussed in Discord channel for Truenas Scale support

I'll definitely try it - I'll put in the scripts folder along with truetool. In the meanwhile I got the new cert and copied it into the Certificates and got Collabora to use it. Everything is up and running and I really appreciate all the help from you gentlemen ( I assume so) :grinning:

3 Likes

You're confusing TrueNAS with TrueCharts; it's the latter who are planning to release cert-manager some time next month. TrueNAS doesn't have any plans that I've seen to do anything with cert-manager.

5 Likes

True - got confused

@danb35 I have another weird issue with this new wildcard cert - it works for my subdomain office.domain.com but does not work for nextcloud for some reason. That's what I get in the browser: vadim.com.ru uses an invalid security certificate.

The certificate is not trusted because it is self-signed.

Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

View Certificate. As soon as I use my old one it works fine. How come?

A wildcard doesn't cover its base domain: you need a cert that covers both.

4 Likes

You mean I need 2 different certs for: domain and subdomains?

that or a cert that covers both

4 Likes

What kind of cert is it? I'd rather have one for both...

acme.sh --issue --dns dns_yandex -d vadim.com.ru -d *.vadim.com.ru --dnssleep 7200

4 Likes
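To see why the thread ends with both names in one command, here is an added example (not from the thread, acme.sh or TrueNAS) that applies the wildcard matching rule browsers use (RFC 6125 section 6.4.3) to the three constructed SAN lists discussed above: base name only, wildcard only, and both. The CNAME the poster added plays no part, because the client checks the name typed in the URL against the certificate's SAN list.

```python
"""Check which hostnames a certificate's Subject Alternative Names cover.

Added example, not from the forum thread or from acme.sh. A '*' is only
valid as the entire left-most label and matches exactly one label, so
'*.vadim.com.ru' matches 'office.vadim.com.ru' but neither the base
domain 'vadim.com.ru' nor 'a.b.vadim.com.ru'.
"""


def _normalize(name: str) -> str:
    # Hostnames are case-insensitive; drop a trailing dot from FQDNs.
    return name.strip().rstrip(".").lower()


def san_matches(san: str, hostname: str) -> bool:
    """Return True if a single SAN dNSName entry covers `hostname`."""
    san, hostname = _normalize(san), _normalize(hostname)
    if "*" not in san:
        return san == hostname
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    # Only '*' as the whole left-most label is a valid wildcard;
    # forms such as 'off*.example' or '*.*.example' are rejected.
    if san_labels[0] != "*" or "*" in san[1:]:
        return False
    # The wildcard stands for exactly one label, so label counts must agree.
    if len(san_labels) != len(host_labels):
        return False
    # Everything to the right of the wildcard must match exactly.
    return san_labels[1:] == host_labels[1:]


def covered_by(san_names: list[str], hostname: str) -> bool:
    """Return True if any SAN in the certificate covers `hostname`."""
    return any(san_matches(san, hostname) for san in san_names)


# Constructed SAN lists mirroring the certificates discussed in the thread.
BASE_ONLY = ["vadim.com.ru"]                            # the original cert
WILDCARD_ONLY = ["*.vadim.com.ru"]                      # wildcard-only re-issue
BASE_AND_WILDCARD = ["vadim.com.ru", "*.vadim.com.ru"]  # the final command

if __name__ == "__main__":
    hosts = ["vadim.com.ru", "office.vadim.com.ru", "a.b.vadim.com.ru"]
    for label, sans in [("base only", BASE_ONLY),
                        ("wildcard only", WILDCARD_ONLY),
                        ("base + wildcard", BASE_AND_WILDCARD)]:
        for host in hosts:
            print(f"{label:16} {host:22} {covered_by(sans, host)}")
```

The wildcard-only cert reproduces the self-signed-fallback symptom at the base name, and the base+wildcard cert is the only one of the three that covers both office.vadim.com.ru and vadim.com.ru.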