site with wildcard cert on subsubdomain problem setting ssl domain (SSL_ERROR_BAD_CERT_DOMAIN)

Discussion in 'Installation/Configuration' started by degoya, Jun 15, 2016.

  1. degoya

    degoya New Member

    I have an existing site named

    Code:
    de.customer.mydomain.tld
    and I got an existing wildcard cert for

    Code:
    *.mydomain.tld
    When I enable SSL for the site and enter my data, key & cert, I can only get the following options for the "ssl domain" value

    Code:
    de.customer.mydomain.tld
    www.de.customer.mydomain.tld
    *.de.customer.mydomain.tld
    but it's not possible to set the value to the needed *.mydomain.tld to make the wildcard cert work.

    If I use the available options I get the error SSL_ERROR_BAD_CERT_DOMAIN when requesting the site.
    Using the wildcard cert with a regular subdomain works without any problems.
    Is there any workaround to get this running?
     
    Last edited: Jun 15, 2016
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I think the workaround would be to get a wildcard cert for *.customer.mydomain.tld.
     
  3. degoya

    degoya New Member

    Getting a new wildcard cert for *.customer.mydomain.tld is not a really good workaround :D
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The values there do not matter for your cert, they are only used for creating new certs. Just enter the cert and key and select save certificate as action.
     
  5. degoya

    degoya New Member

    That's what I did, then I get the SSL_ERROR_BAD_CERT_DOMAIN. As far as I know the wildcard cert covers any depth of subdomains.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Talk with the SSL authority that issued the cert.
     
  7. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I believe that's incorrect: to match de.customer.mydomain.tld you could use either *.customer.mydomain.tld or *.*.mydomain.tld, but *.mydomain.tld does not match. You could try to get a single cert with SAN names to cover mydomain.tld, *.mydomain.tld and *.*.mydomain.tld, which should work in theory, but it sounds like you can have issues in the client implementation (I've never tried it).

    What if you install letsencrypt, and just get a separate certificate for each site?
     
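Added example (not from the thread or from ISPConfig): the hostname-matching rule that browsers apply to certificate names, RFC 6125 style, where a wildcard must be the whole leftmost label and matches exactly one label. Run it against the names discussed above to see why de.customer.mydomain.tld is covered by *.customer.mydomain.tld but not by *.mydomain.tld; a pattern with more than one wildcard is rejected here, as mainstream browsers do. The hostnames are the thread's own; no real certificate is involved.

```python
from typing import List

# Constructed sample data: the site name from the thread, not a real certificate.
SITE = "de.customer.mydomain.tld"


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate dNSName `pattern` covers `hostname`.

    Conservative browser rule (RFC 6125 section 6.4.3): the wildcard must be
    the entire leftmost label, it matches exactly one label, a pattern with
    more than one '*' is rejected, and '*.tld' alone is not accepted.
    Comparison is case-insensitive, as DNS names are.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if pattern.count("*") > 1:
        return False
    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 3:
        # '*' must be the whole leftmost label, and there must be at least
        # two fixed labels to the right of it.
        return False
    host_labels = hostname.split(".")
    # One wildcard label consumes exactly one host label; the remaining
    # labels must match exactly. A deeper hostname therefore never matches.
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def covering_names(cert_names: List[str], hostname: str) -> List[str]:
    """Return the CN / SAN entries from `cert_names` that cover `hostname`."""
    return [name for name in cert_names if wildcard_matches(name, hostname)]


if __name__ == "__main__":
    for name in ["*.mydomain.tld", "*.customer.mydomain.tld", "*.*.mydomain.tld"]:
        print(f"{name:26s} covers {SITE}? {wildcard_matches(name, SITE)}")
```

To see which names a real certificate actually carries, check the "X509v3 Subject Alternative Name" extension in the output of `openssl x509 -in cert.pem -noout -text`; the name the server presents must be covered by one of those entries, regardless of what the control panel's "ssl domain" field says.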