Www not working with wildcard cert


I have created a wildcard cert for my site. It seems to work fine for the most part but there is an interesting problem. I can log in to the site using example.com, www.example.com, test.example.com, but not www.test.example.com. I have a self signed cert on my server for local access stuff and when I use www.test.example.com it looks at my self signed cert instead of my letsencrypt wildcard cert. I’ve tried using --expand to add www.example.com or www.*.example.com to the cert but it won’t take it. It seems to be telling me www.example.com is covered by *.example.com which makes sense since www.example.com works fine. It also tells me that www.*.example.com is a malformed wildcard label. I am using virtual hosts on my server and they all have ServerAlias entries to add the www to the site address but it does not solve the problem. Have others noticed this? What's the solution?



Wildcard is only included with first level subdomains

All subdomains like a.example.com, b.example.com, c.example.com are first level subdomains.

www.a.example.com is a second level subdomain which is not included in the certificate.

Thank you


To expand on what @stevenzhu said, the wildcard portion of the cert literally should translate into ANY - but not EVERY.

Let me explain it this way:
A fully qualified domain can be broken down into parts; each part separated by a dot (or period).
The wildcard (“asterisk”) can assume any and every possible combination for any one of those fields (separated by dots/periods).
But the fields themselves can’t contain a dot/period - that would overlap onto another field.

So, as examples, to cover the following FQDNs with wildcards:

  1. special.name
  2. normal.average.site
  3. this.is.a.really.long.domain.name

You would need:

  1. can’t be covered with wildcard (*.name - not allowed) - use regular cert entry
  2. *.average.site
  3. *.is.a.really.long.domain.name

Also, you can only wildcard the leftmost field.
Or, in other words, you can’t put anything to the left of the wildcard in the request.
So, “anything.*.my.site” would be an invalid wildcard request - not allowed.

Hope that clears things up.
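The label-by-label rule from both answers, worked through in code. This is an added example, not code from the thread or from Certbot: a small matcher that mirrors how a TLS client compares a certificate name against the hostname it connected to (one `*` may stand in for exactly one whole leftmost label), plus the validity rules that reject `www.*.example.com` and `*.name`. The SAN list is constructed to mirror the questioner's certificate.

```python
# Wildcard certificate name matching as described in the thread.
# Rules implemented: a '*' may only be the entire leftmost label, it never
# spans a dot, and a wildcard directly under a single trailing label (*.name)
# is not accepted. Constructed example; not Certbot's or OpenSSL's code.

def _labels(name: str) -> list[str]:
    return name.lower().rstrip(".").split(".")

def is_valid_wildcard_name(name: str) -> bool:
    """True if `name` is a plain FQDN or an acceptable wildcard pattern."""
    labels = _labels(name)
    if any(lab == "" for lab in labels):
        return False                      # empty label, e.g. "a..b"
    if "*" not in name:
        return True                       # ordinary name, always fine
    if name.count("*") != 1 or labels[0] != "*":
        return False                      # "www.*.example.com", "a*.b" etc.
    # "*.name" (nothing but one label after the wildcard) is refused;
    # assumption: approximate that rule as "at least two labels follow '*'".
    return len(labels) >= 3

def name_matches(pattern: str, hostname: str) -> bool:
    """Does certificate name `pattern` cover `hostname`?"""
    if not is_valid_wildcard_name(pattern) or "*" in hostname:
        return False
    plabels, hlabels = _labels(pattern), _labels(hostname)
    if len(plabels) != len(hlabels):
        return False                      # '*' covers exactly one label
    return all(p == "*" or p == h for p, h in zip(plabels, hlabels))

def covering_name(san_names: list[str], hostname: str):
    """Return the first SAN entry that covers `hostname`, or None."""
    for n in san_names:
        if name_matches(n, hostname):
            return n
    return None

# Constructed SAN list mirroring the wildcard cert in the question.
SAN = ["example.com", "*.example.com"]

if __name__ == "__main__":
    for host in ["example.com", "www.example.com",
                 "test.example.com", "www.test.example.com"]:
        print(f"{host:22s} -> {covering_name(SAN, host)}")
```

For `www.test.example.com` the function returns `None`, which is the situation the questioner sees: no SAN entry covers the name, so the web server falls back to its default virtual host and presents the self-signed certificate. By the same rules, a separate `*.test.example.com` entry would cover it.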

