5

I've generated Lets Encrypt wildcard certificate for my domain *.domain.com.

I thought this certificate is valid for any nested subdomain *.*.domain.com, like it.*.domain.com or fr.*.domain.com. But browsers giving me error, that wildcard certificate was issued for domain.com, and not for *.domain.com. I've tried to issue new certificate for *.*.domain.com with CertBot and it's giving me error (multiple wildcards not allowed).

Is it possible to achieve this, or do I have to manually issue wildcard certificates for each 1st level subdomain?

Community
  • 1
Ilya Cherevkov
  • 163

1 Answers1

8

The CertBot error you're seeing is accurate - SSL certificates are only valid for one domain layer - for example *.domain.com or *.fr.domain.com or *.example.domain.com. More information - specifically the RFC quote - is in this SF answer.

If you need subdomains of subdomains, you will need to create wildcards for each individual subdomain.

Craig Watson
  • 9,670
  • 3
  • 33
  • 47
  • Thats unfortunate, so I need to generate 20 wildcard certificates :( – Ilya Cherevkov Apr 07 '20 at 14:45
  • 4
    I'd personally question the logic of your DNS structure - most implementations tend to use hyphens or URL-rewriting to separate locales for precisely this reason. For example: domain.com/uk or uk.domain.com or store-uk.domain.com. – Craig Watson Apr 07 '20 at 14:47
  • It depends on the site type. I found out that for content sites it makes sense to create numerous region-oriented subdomains like lang.theme_category.domain.com for better search engine indexing purposes. – Ilya Cherevkov Apr 21 '20 at 20:32
  • Because each combination is considered as different resource which affects indexing frequency. In contrast,domain.com/theme_category/lang/ is considered as one resource so you get less bot scans by the factor of langs * categories – Ilya Cherevkov Apr 21 '20 at 20:39
  • 1
    Each combination is not a separate site - source1 / source2. Using subdomains like this will harm SEO, not help it. A better strategy would be theme.domain.com/lang, or even better would be to use the correct localised domain - for example domain.fr or domain.de or domain.it if you have the commercial clout to do so. – Craig Watson Apr 21 '20 at 20:45
  • @CraigWatson My domain logic is I want to auto-generate domains like we.live.to.sk8.earth or sk8.or.die.on.sk8.earth. Wish there was a wildcard that allowed any level. The alternative is sk8-or-die-on.sk8.earth which is inconsistent and ugly. – trusktr Dec 03 '23 at 05:06
  • @trusktr If you're auto-generating domains, you can auto-generate certificates. Easy. Multi-level wildcards is fundamentally not possible due to the trust relationships which exist in all modern browsers and also how the wildcard character is parsed. – Craig Watson Dec 04 '23 at 11:01