
I have a server https://www.groups.example.com - in FireFox I get the "This Connection is Untrusted" message and the "technical details" say

> www.groups.example.com uses an invalid security certificate.
> The certificate is only valid for the following names:
> *.example.com, example.com (Error code: ssl_error_bad_cert_domain)

What other info do I need to provide in order to resolve this? Just getting confirmation of setup but am 99% sure it's Linux and using VHOSTS. Will update question as soon as this is confirmed.

Is it the fact that www.groups.example.com is seen as having 2 levels of subdomains?

The issuer is DigiCert

Charles
  • I'm sure it's the two levels of subdomain that are the problem, and I'm fairly sure this is a duplicate question - but I can't put my hand on the original question at the moment. – MadHatter Nov 18 '14 at 14:51
  • You can't use a subdomain of the wildcard part and have a match. You would need to use SANs. Furthermore, `mydomain.com` is not the same thing as `example.org`. – gparent Nov 18 '14 at 14:52
  • @gparent It's usually a good idea to look at the edit history of a question when you see a mismatch like that. In this case, I was the one who'd missed one instance of `mydomain.com` when I was fixing the post. (When munging domain names, one should **always** use `example.[com|org|net]` rather than making up something like `mydomain.com` which actually exists but does not belong to the poster.) – Jenny D Nov 18 '14 at 14:55
  • @MadHatter I didn't find the duplicate either, but I did find one at [so]. But since we don't mark duplicates across sites, I answered anyway. – Jenny D Nov 18 '14 at 14:56
  • I did look at the history, actually. But really people should just not mess around with domain names, as it makes diagnosis much harder than it should be (especially with things like SSL certs where the real name matters). – gparent Nov 18 '14 at 14:57
  • @JennyD: +1 from me! Another, if I could, for the point about munging domain names (but better yet is not to redact them at all). – MadHatter Nov 18 '14 at 14:57
  • @gparent I most definitely agree that people shouldn't munge their domain name in the first place. But if they do, they should at least do it correctly. – Jenny D Nov 18 '14 at 14:58
  • Yep, I use `example.org` and the RFC assigned IP ranges for documentation whenever appropriate; it makes it much more obvious. – gparent Nov 18 '14 at 14:59
  • This seems to be a problem that is not easy to solve, as one can see on all the SE sub metas (e.g. https://meta.electronics.stackexchange.com/) – PlasmaHH Nov 19 '14 at 11:02

1 Answer


RFC 2818 in "3.1. Server Identity" states that

> Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com.

So yes, it's the fact that it's two levels of subdomains that is the problem.

Jenny D
  • Does anyone else find it amusing that RFC2818 ignores [RFC2606](https://www.rfc-editor.org/rfc/rfc2606.txt) when choosing an example domain name? – MadHatter Nov 18 '14 at 22:06
  • Also interesting that while RFC2818 is *informational*, the *proposed standard* RFC7230 refers to it as a definition. – Esa Jokinen May 02 '18 at 16:42
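As an added example (not part of the question or the answer above), this Python checker applies the RFC 2818 section 3.1 rule the answer quotes, a wildcard matching exactly one label or a fragment of one, to the names listed in the browser error, so the mismatch for www.groups.example.com can be reproduced offline. The function names and the sample hostnames are my own choices.

```python
"""Hostname vs. certificate-name matching per RFC 2818 section 3.1:
'*' stands for one DNS label (or a fragment of it) and never spans a dot."""


def label_matches(host_label: str, cert_label: str) -> bool:
    """Match a single DNS label; one '*' may cover any part of that label."""
    if "*" not in cert_label:
        return host_label == cert_label
    if cert_label.count("*") > 1:
        return False  # several wildcards in one label: not supported here
    prefix, suffix = cert_label.split("*")
    return (len(host_label) >= len(prefix) + len(suffix)
            and host_label.startswith(prefix)
            and host_label.endswith(suffix))


def name_matches(hostname: str, cert_name: str) -> bool:
    """True if cert_name (possibly containing a wildcard) covers hostname."""
    host_labels = hostname.lower().rstrip(".").split(".")
    cert_labels = cert_name.lower().rstrip(".").split(".")
    # A wildcard cannot absorb an extra label, so the label counts must agree:
    # this is exactly why *.example.com does not cover www.groups.example.com.
    if len(host_labels) != len(cert_labels):
        return False
    return all(label_matches(h, c) for h, c in zip(host_labels, cert_labels))


def certificate_covers(hostname: str, cert_names: list[str]) -> bool:
    """True if any name the certificate is valid for matches hostname."""
    return any(name_matches(hostname, n) for n in cert_names)


# Names taken from the error text in the question (constructed sample input).
CERT_NAMES = ["*.example.com", "example.com"]

if __name__ == "__main__":
    for host in ["www.example.com", "example.com", "www.groups.example.com"]:
        verdict = "OK" if certificate_covers(host, CERT_NAMES) else "ssl_error_bad_cert_domain"
        print(f"{host:26} -> {verdict}")
```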