3

I've got a wildcard SSL certificate for *.example.com.

I'm using Nginx, and redirecting all traffic for HTTP to HTTPS, and also rewriting the URLs to remove a www subdomain (if there is one).

So it has,

  1. http://subdomain.example.com ---> https://subdomain.example.com
  2. http://www.subdomain.example.com ---> https://subdomain.example.com
  3. https://www.subdomain.example.com ---> https://subdomain.example.com
  4. https://subdomain.example.com ---> https://subdomain.example.com

However, since my cert is for *.example.com, case 3 gets an SSL error in chrome ("This is probably not the site that you are looking for!"), but if you click through it gets redirected and all is well.

I understand why, since the initial connection is for HTTPS with a www (2 levels of subdomains), which doesn't match what is on the wildcard certificate.

I thought a solution would be to get an additional cert for *.*.example.com to cover www.*.example.com. But it seems like that won't work. I spoke to agents from Namecheap and Comodo, and both said *.*.example.com was not possible.

I also came across this article that states:

Will SSL work with multilevel wildcards?

With the distribution of Firefox 3.5, all major browsers allow only a single level of subdomain matching with certificate names that contain wildcards, in conformance with RFC 2818.

In other words the certificate *.mydomain.com will work for one.mydomain.com or two.mydomain.com but NOT one.two.mydomain.com.

Is there a solution to this? To be able to cover www.*.example.com?

Community
  • 1
user173326
  • 33

3 Answers3

4

Wildcard certs only go one level deep. You will need to get a wildcard that also has subject-alternate names for all www.<subdomain>.example.com sites. This will allow the redirection to happen.

Any solution other than putting valid certs on the two-level-deep subdomains will not work, because the SSL handshake will always happen before any redirection or re-writing.

MDMarra
  • 101,323
1

Small workaround is to rewrite URLs before establishing SSL connection, but you will never get https://www.subdomain.mydomain.com working without a warning before you get certificate for this domain name. Something like that:

server {
 listen 111.222.333.444:80;
 server_name www.subdomain.mydomain.com;

 rewrite ^ https://$host$request_uri permanent;
}

server {
 listen 111.222.333.444:443
 server_name subdomain.mydomain.com
 ssl on;
 ...
}
StamPit
  • 26
-1

The problem is how wildcard certs work. They only work on first-level subdomains as you're seeing. To work around this, you'd want to use a PTR record to point www.subdomain.domain.com to subdomain.domain.com and it should be invisible to the server.

Nathan C
  • 15,223