Wildcard Sub-Subdomains supported?

I have read that, whilst not always supported by all browsers, it is possible to have a wildcard certificate for sub-subdomains - i.e. signing for *.*.example.com.

Is this something that is supported at all in Let's Encrypt, aside from any technicalities with certbot or similar in performing the renewal process? Does Let's Encrypt sign wildcards for more than one level of subdomain?

Thanks


No, this is not supported. Only a single wildcard is supported, and it must be the leftmost label.


Cool, thanks! Out of interest, is there a particular reason - technical, policy, etc.?

I don't know where you might have read that, but I can't imagine it being correct. I'm pretty sure no public CA does it.


I came across this with a client at work, and however they managed it, they did get it sorted with their CA in the end, so from memory I think I have seen one in the wild.

I see a few mentions of it through google; IIRC, some workarounds are possible but not always successful.

I second @danb35's conclusion. I've never seen one of these in the wild, but I have seen plenty of requests for them.


Yes, it is a shame. Oh well, thanks for getting back to me so quickly!


Only *.example.com style wildcards are permitted by the baseline requirements, where a * is immediately followed by a . and then an otherwise fully-qualified domain name.

Thus the following aren't permitted:

*foo.example.com - needs to be a . following the wildcard
foo.*.example.com - * must be the leftmost label

Other combinations like *.*. are also not permitted.

Wildcards also can't be used for a "Public Suffix" like *.com or *.co.uk


To exemplify even further:

  • formats not permitted:
    some*name.example.com
    somename*.example.com
    *somename.example.com

  • other reasons a wildcard cert won't be allowed/issued:
    has too many dots [in the case of LE = only 10 dots in the FQDN part of the name are allowed]
    has too long a name [in the case of LE = only 63 characters (including dots) are allowed]

  • permitted:
    *.[plus a "normal/valid" FQDN]
    *.somename.example.com
    *.some.really-long.folder.name.with-dash-es.example.com


To be clear, this restriction comes from these definitions in the Baseline Requirements:

Wildcard Domain Name : A string starting with "*." (U+002A ASTERISK, U+002E FULL STOP) immediately followed by a Fully-Qualified Domain Name

Fully-Qualified Domain Name: A Domain Name that includes the Domain Labels of all superior nodes in the Internet Domain Name System.

Domain Name: An ordered list of one or more Domain Labels assigned to a node in the Domain Name System.

Domain Label: From RFC 8499 (RFC 8499 - DNS Terminology): "An ordered list of zero or more octets that makes up a portion of a domain name. Using graph theory, a label identifies one node in a portion of the graph of all possible domain names."

It's a bit of a mouthful, but as the others said, it boils down to: if there is an asterisk, it can only be at the very beginning, immediately followed by a period, and then a "normal" (i.e. no more asterisks) domain name.

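As an added example (not code from the thread or from Let's Encrypt), the following Python checker encodes the rule spelled out in the three posts above: an asterisk is only allowed as the entire leftmost label, must be followed by a period and an otherwise normal FQDN, and must not sit directly over a public suffix. It assumes two limits the thread does not state, the RFC 1035 maximum of 63 octets per label and 253 characters per name, and it uses a small constructed set of public suffixes in place of the real Public Suffix List; a production check would load the full list.

```python
import re

# RFC 1035 label syntax: 1-63 octets, letters/digits/hyphen, no leading or
# trailing hyphen. These limits are an assumption added here, not from the thread.
MAX_NAME_LEN = 253
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# Constructed stand-in for the Public Suffix List (publicsuffix.org).
SAMPLE_PUBLIC_SUFFIXES = {"com", "org", "co.uk"}


def classify_san(name, public_suffixes=SAMPLE_PUBLIC_SUFFIXES):
    """Return (ok, reason) for a dNSName subject alternative name.

    Accepts plain FQDNs and Baseline-Requirements-style wildcard names,
    i.e. "*." immediately followed by a fully-qualified domain name.
    """
    name = name.strip().rstrip(".").lower()
    if not name:
        return False, "empty name"
    if len(name) > MAX_NAME_LEN:
        return False, "name longer than %d characters" % MAX_NAME_LEN

    labels = name.split(".")
    is_wildcard = labels[0] == "*"          # only an entire leftmost "*" label
    base_labels = labels[1:] if is_wildcard else labels
    if not base_labels:
        return False, "wildcard must be followed by a domain name"

    # Every remaining label must be an ordinary DNS label; this single rule
    # rejects *.*.example.com, foo.*.example.com, *foo.example.com and
    # some*name.example.com alike, since a "*" never belongs inside a label.
    for label in base_labels:
        if "*" in label:
            return False, "asterisk inside label %r" % label
        if not LABEL_RE.match(label):
            return False, "invalid label %r" % label

    base = ".".join(base_labels)
    if len(base_labels) < 2:
        return False, "not a fully-qualified domain name: %r" % base
    if is_wildcard and base in public_suffixes:
        return False, "wildcard over public suffix %r" % base
    return True, "wildcard name" if is_wildcard else "fully-qualified domain name"


if __name__ == "__main__":
    # Constructed sample names mirroring the cases discussed in the thread.
    for candidate in [
        "*.example.com",
        "*.some.really-long.folder.name.with-dash-es.example.com",
        "www.example.com",
        "*.*.example.com",
        "foo.*.example.com",
        "*foo.example.com",
        "some*name.example.com",
        "*.com",
        "*.co.uk",
    ]:
        ok, reason = classify_san(candidate)
        print("%-58s %s (%s)" % (candidate, "OK" if ok else "REJECT", reason))
```

The checker deliberately does not special-case "*.*." or "foo.*."; once the leftmost "*" is peeled off, any asterisk that remains is simply an invalid label, which is exactly how the Baseline Requirements definition quoted above works.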
