Wildcard www.xxx.com is secure but xxx.com not


#1

Hi,

I have a problem with the wildcard: www.xxx.com is secure, but when I enter xxx.com it is marked as insecure.
The cert is issued as *.xxx.com. So why is it marked as insecure?

My config:

```apache
<VirtualHost *:80>
        ServerName zyt-inf02.intern.xxx.com
        ServerAdmin admin@xxx.com

        ServerAlias xxx.com www.xxx.com

        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule / https://%{HTTP_HOST}%{REQUEST_URI}
        RewriteCond %{SERVER_NAME} =zyt-inf02.intern.zyto-labor.com [OR]
        RewriteCond %{SERVER_NAME} =zyto-labor.com
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
        ServerName zyt-inf02.intern.xxx.com
        ServerAdmin admin@xxx.com

        ServerAlias www.xxx.com xxx.com

        CustomLog /var/log/apache2/www.xxx.com-access.log combined
        ErrorLog /var/log/apache2/www.xxx.com-error.log

        SSLEngine on
        SSLProtocol all
        SSLCipherSuite HIGH:MEDIUM

        Include /etc/letsencrypt/options-ssl-apache.conf

        RequestHeader set X-FORWARDED-PROTO "https"

        ProxyPreserveHost On
        ProxyPass / http://zyt-www.intern.xxx.com/
        ProxyPassReverse / http://zyt-www.intern.xxx.com/

        <Location />
                Order deny,allow
                Allow from all
        </Location>

        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>

        SSLCertificateFile /etc/letsencrypt/live/xxx/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/xxx/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/xxx/chain.pem
</VirtualHost>
```

Best regards,

Daniel


#2

*.example.org does not cover example.org. You need to include the latter as a separate name on the certificate.


#3

Just in case:
Wildcard for *.xxx.com will not stretch into subdomains to cover *.intern.xxx.com.
Nor will it work the other way around…
Wildcard for *.intern.xxx.com will not shrink down into parent domain to cover *.xxx.com.

In short: The “asterisk” will equate to all letters and numbers (and even hyphens and underscores).
But the “asterisk” will never include/cover a “period” nor an “empty” entry (like: xxx.com).