site with wildcard cert on subsubdomain problem setting ssl domain (SSL_ERROR_BAD_CERT_DOMAIN)

Discussion in 'Installation/Configuration' started by degoya, Jun 15, 2016.

  1. degoya

    degoya New Member

    i have a existing site named

    Code:
    de.customer.mydomain.tld
    and i got a existing wildcard cert for

    Code:
    *.mydomain.tld
    When i enable the SSL for the site and enter my Datas, Key & Cert i can only got the following options for "ssl domain" value

    Code:
    de.customer.mydomain.tld
    www.de.customer.mydomain.tld
    *.de.customer.mydomain.tld
    but it's not possible to set the value to the needed *.mydomain.tld to make the wildcard cert work.

    if i use the available options i get the error SSL_ERROR_BAD_CERT_DOMAIN when requesting the site.
    using the wildcard cert with a regular subdomain works without any problems.
    is there any workaround to get this running?
     
    Last edited: Jun 15, 2016
  2. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    I think the workaround would be to get a wildcard cert for *.customer.mydomain.tld.
     
  3. degoya

    degoya New Member

    getting a new wildcard cert for *.customer.mydomain.tld. is not a really good workaround :D
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The values there do not matter for your cert, they are only used for creatng new certs. Just enter the cert and key and select save certificate as action.
     
  5. degoya

    degoya New Member

    Thats what i did, then i get the SSL_ERROR_BAD_CERT_DOMAIN. as far as i know the wildcard cert covers any depth of subdomains.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Talk with the SSL authority that issued the cert.
     
  7. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    I believe that's incorrect, to match de.customer.mydomain.tld you could use either *.customer.mydomain.tld or *.*.mydomain.tld, but *.mydomain.tld does not match. You could try to get a single cert with SAN names to cover mydomain.tld, *.mydomain.tld and *.*.mydomain.tld, which should work in theory, but it sounds like you can have issues in the client implementation (I've never tried it).

    What if you install letsencrypt, and just get a separate certificate for each site?
     

Share This Page