Wildcard subdomains work only if previously visited after installing certificate

sirhc · June 23, 2020, 1:52pm

My domain is: *.abc.atlasinbox.com

I ran this command: certbot certonly --manual --preferred-challenges=dns --register-unsafely-without-email --agree-tos -d *.abc.atlasinbox.com

It produced this output: Congratulations! etc… - the certificate was created and verified successfully.

My web server is (include version): Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.1 LTS

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site: no

The version of my client is: certbot 0.26.1

The problem is very strange. Here are the steps I take:

I create a standard apache virtualhost:

<VirtualHost *:80>
    ServerAdmin contact@localhost
    ServerName abc.atlasinbox.com
    ServerAlias *.abc.atlasinbox.com
    DocumentRoot /var/www/test
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

I visit these domains in the browser:

http://a1.abc.atlasinbox.com
http://a2.abc.atlasinbox.com

The URLs work, the html loads properly.

Now I create a wildcard SSL domain:

<VirtualHost *:443>
    ServerAdmin contact@localhost
    ServerName abc.atlasinbox.com
    ServerAlias *.abc.atlasinbox.com
    DocumentRoot /var/www/test
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLCertificateFile /etc/letsencrypt/live/abc.atlasinbox.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/abc.atlasinbox.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

I generate and verify the certificate for it:

certbot certonly --manual --preferred-challenges=dns --register-unsafely-without-email --agree-tos -d *.abc.atlasinbox.com

I reload the server.

Now if I navigate to any of these 4 subdomains, they load properly:

http://a1.abc.atlasinbox.com
http://a2.abc.atlasinbox.com
https://a1.abc.atlasinbox.com
https://a2.abc.atlasinbox.com

But if I navigate to any other subdomain, they won’t work. For example:

http://a3.abc.atlasinbox.com
https://a3.abc.atlasinbox.com

will generate this error in the browser:

This site can't be reached
a3.abc.atlasinbox.com’s server IP address could not be found.
DNS_PROBE_FINISHED_NXDOMAIN

You can’t ping it… it just doesn’t exist.

I tried different browsers, incognito modes, I tried several different subdomains, and I can always reproduce this problem: if I visit the URL before I set up the certificate, it will work; if I don’t, it won’t work, even without SSL.

I’m out of ideas… any help would be appreciated. Thank you!

JuergenAuer · June 23, 2020, 1:56pm

Hi @sirhc

that's expected.

You need dns entries domain name -> your ip address.

That's required so browsers are able to find your ip address.

The working vHosts (with a wildcard certificate) are step 2 / 3.

May be create a wildcard dns A record *.caldav.atlasinbox.com -> your ip address.

sirhc · June 23, 2020, 2:15pm

Thank you for your answer. I have an A record for *.atlasinbox.com set up. Adding a record specifically for *.abc.atlasinbox.com didn’t help.

I updated the question with the subdomains that actually demonstrate the problem.

These subdomains will work:

http://a1.abc.atlasinbox.com
https://a1.abc.atlasinbox.com

And these will not:

http://a3.abc.atlasinbox.com
https://a3.abc.atlasinbox.com

Deleting the certificate doesn’t restore the subdomains to a working order. Do you have any other ideas what the problem might be?

JuergenAuer · June 23, 2020, 2:26pm

It works.

You may have a wrong DNS cache. May be you have to wait some hours.

See a3.abc.atlasinbox.com - Make your website better - DNS, redirects, mixed content, certificates - it's possible to connect your domain

And the wildcard certificate is used:

CN=*.abc.atlasinbox.com
	23.06.2020
	21.09.2020
expires in 90 days	*.abc.atlasinbox.com - 1 entry

sirhc · June 23, 2020, 2:37pm

Thanks, it does work! So the problem is with the DNS server that my ISP uses? I still don’t understand why the certificate throws off the DNS server so it stops working…

JimPas · June 23, 2020, 5:26pm

As @JuergenAuer suggested,

It sometimes takes time for changes to propagate. Sometimes longer than expected.

JuergenAuer · June 23, 2020, 5:32pm

No, that's not a problem, that's normal. DNS is a slow system, that's an important idea of the DNS.

Your certificate doesn't change your dns server. That's completely independend.

Read

system · July 23, 2020, 5:32pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Wildcard sub domain not working Help	5	562	November 10, 2020
Wildcard subdomain points to insecure version of site Help	7	62	September 23, 2024
Wildcard subdomain cert doesnt work (before I created certs for main domain and another subdomains) Server	9	2512	December 29, 2018
Wildcard Certificates Help	15	289	May 3, 2024
Certbot and Wildcard Certificates Help	8	11188	August 7, 2023

Wildcard subdomains work only if previously visited after installing certificate

Related topics