Wildcard ssl certificate showing mismatch

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:whistleelectric.com

I ran this command:i have checked on ssl checker its saying ssl mismatch=

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1 Like

Hi, to get a wildcard certificate and use it for both subdomains and your primary domain (like www.whistleelectric.com ANF whistleelectric.com) you need to include both name *.whistleelectric.com AND whistleelectric.com

The wildcard doesn't cover the higher level domain, just the subdomain.

You will also need to update the TXT challenge response record with two different values (one for the primary domain challenge, the other for the wildcard, which can be quite confusing).


When you acquired your certificate, you didn't include your apex domain, only the wildcard subdomains. For a wildcard cert, you need your apex domain whistleelectric.com and your wildcard subdomains *.whistleelectric.com.

You'll have to add your apex domain to the cert or get a new cert with both the apex domain and your wildcard.

certbot --cert-name *.whistleelectric.com -d whistleelectric.com ,*.whistleelectric.com

One other thing. You have TSLv1 enabled. If your site is an e-commerce site, that should be disabled.

"You currently have TLSv1 enabled.
This version of TLS is being phased out. This warning won't break your padlock, however if you run an eCommerce site, PCI requirements state that TLSv1 must be disabled by June 30, 2018. "


Now that is a strange name to use.
I suppose all things related might be able to use that name... it just looks strange :crazy_face:

I would use something more like a name:
--cert-name whistleelectric.com-wildcard


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.