
I'm running a server under the example.com domain and I have sub-domains like:

  • a.example.com
  • b.example.com

I'm creating a certificate from Let's Encrypt with the zerossl online tools and I have an issue. When I generate the certificate using a wildcard such as *.example.com and apply it on the server, all the sub-domains are good and the root domain with the www. prefix is good too.

The only glitch is https://example.com, since it isn't included in the wildcard pattern (*.example.com).

In some other posts like this there are suggestions to use *.example.com/CN=mexample.com, but the zerossl online tools don't support the "/" character on their web page.

Is there any workaround to get past this issue?

STaefi
  • What did they say when you contacted them? – Michael Hampton Nov 02 '18 at 15:02
  • You need to add both values for the TXT record at the same time. It's just like having multiple A records pointing to different IPs for the same name. – Ryan Bolger Nov 02 '18 at 17:23
  • @RyanBolger: I've done the same as https://zerossl.com/usage.html#Wildcard_certificates_support says, but when I lookup using `nslookup -q=TXT _acme-challenge.example.com` it only returns one of the values, also the verification process is verifying one of them and the other fails. – STaefi Nov 02 '18 at 17:43
  • If you're only getting one result, you shouldn't bother trying to verify because it will definitely fail. Figure out what is going wrong adding both records first. Don't verify until you can personally query both values. We can't help much with this unless you provide more info about your DNS provider or your actual domain names. – Ryan Bolger Nov 02 '18 at 19:32
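The comment thread above comes down to one pre-flight check: before asking the CA to verify, query `_acme-challenge.example.com` yourself and confirm that both TXT values are visible. The following is an added example, not code from the question, the answer or zerossl: it parses the text that `nslookup -q=TXT` prints and reports which expected challenge values are missing. The nslookup output and the challenge strings are constructed placeholders, not real tokens from the asker's domain.

```python
import re

# Constructed sample: the situation described in the comments, where the zone
# carries only ONE of the two TXT records that a wildcard + apex order needs.
# Layout mimics Linux nslookup; the values are placeholders, not real tokens.
SAMPLE_ONE_RECORD = """Server:\t\t127.0.0.53
Address:\t127.0.0.53#53

Non-authoritative answer:
_acme-challenge.example.com\ttext = "CHALLENGE-VALUE-FOR-WILDCARD-placeholder"

Authoritative answers can be found from:
"""

# Constructed sample of the correct state: both values on the same name.
SAMPLE_TWO_RECORDS = """Server:\t\t127.0.0.53
Address:\t127.0.0.53#53

Non-authoritative answer:
_acme-challenge.example.com\ttext = "CHALLENGE-VALUE-FOR-WILDCARD-placeholder"
_acme-challenge.example.com\ttext = "CHALLENGE-VALUE-FOR-APEX-placeholder"

Authoritative answers can be found from:
"""

# A TXT string as nslookup prints it: double-quoted, with backslash escapes allowed.
_TXT_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')


def txt_values(nslookup_output: str) -> set:
    """Collect every quoted TXT string in the output of `nslookup -q=TXT`.

    Only answer records contain quoted strings, so the Server/Address header is
    skipped automatically. Windows nslookup prints the value on the line after
    'text =', which is also handled because the whole output is scanned rather
    than individual lines.
    """
    return {m.group(1) for m in _TXT_STRING.finditer(nslookup_output)}


def missing_challenge_values(nslookup_output: str, expected_values) -> list:
    """Return the expected ACME challenge values that the resolver did not show."""
    return sorted(set(expected_values) - txt_values(nslookup_output))


def ready_to_verify(nslookup_output: str, expected_values) -> bool:
    """True only when every expected value is resolvable; otherwise CA
    verification is certain to fail for at least one name, so don't trigger it."""
    return not missing_challenge_values(nslookup_output, expected_values)


if __name__ == "__main__":
    expected = [
        "CHALLENGE-VALUE-FOR-WILDCARD-placeholder",
        "CHALLENGE-VALUE-FOR-APEX-placeholder",
    ]
    for label, output in (("one record", SAMPLE_ONE_RECORD),
                          ("two records", SAMPLE_TWO_RECORDS)):
        gap = missing_challenge_values(output, expected)
        print(f"{label}: ready={not gap} missing={gap}")
```

To use it against a live zone, feed the function the captured output of `nslookup -q=TXT _acme-challenge.example.com` (or of `dig +short TXT`, whose lines are also quoted strings) and the two values shown on the zerossl verification screen; run it against the authoritative name server as well as your local resolver, since a cached single-record answer will keep reporting one value until the TTL expires.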

1 Answer


You need to use SAN and create a certificate that’s good for both *.example.com and example.com. There’s help on doing so here. See also the zerossl FAQ, which says:

If you want a so-called "naked" domain ("domain.ext") covered along with the wildcard ("*.domain.ext"), then put both those names into appropriate field, separated with a space or a comma

Mike Scott
  • Thanks @Mike Scott for the early response. I've tested what's in the zerossl FAQ and had no luck. Please see my update. – STaefi Nov 02 '18 at 14:47
  • The FAQ says it should work: “Note: on the verification screen you will see that the same DNS text records should be created with two different values - this is normal and this is how you should create them.”. So I’d raise a support ticket with zerossl. – Mike Scott Nov 02 '18 at 16:38
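The reason the answer insists on a SAN certificate with both names is the wildcard matching rule clients apply: a `*` is accepted only as the whole leftmost label and matches exactly one label, so `*.example.com` covers `a.example.com` but neither the apex `example.com` nor a deeper `x.a.example.com`. The following is an added example, not code from the answer or from zerossl: it splits a domain field the way the FAQ describes (names separated by a space or a comma) and reports which of the hostnames a server must serve are left uncovered. Function names and the sample hostnames are this example's own.

```python
import re


def parse_domain_field(field: str) -> list:
    """Split a zerossl-style domain field ('*.example.com example.com' or
    '*.example.com, example.com') into individual certificate names."""
    return [n for n in re.split(r"[,\s]+", field.strip()) if n]


def name_matches(cert_name: str, hostname: str) -> bool:
    """RFC 6125-style hostname match as browsers implement it.

    A wildcard is honoured only when it is the entire leftmost label and it
    matches exactly one label: '*.example.com' matches 'a.example.com' but not
    'example.com' (too few labels) or 'x.a.example.com' (too many). Wildcards
    covering a whole public suffix such as '*.com' are refused.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    if cert_labels[0] != "*" or any("*" in lbl for lbl in cert_labels[1:]):
        return False  # partial wildcards like 'a*.example.com' are not accepted
    if len(cert_labels) < 3:
        return False  # '*.com' would cover an entire TLD
    return (len(host_labels) == len(cert_labels)
            and host_labels[1:] == cert_labels[1:])


def uncovered_hostnames(cert_names, required_hostnames) -> list:
    """Hostnames that none of the certificate's names (CN or SAN) will match."""
    return sorted(h for h in required_hostnames
                  if not any(name_matches(n, h) for n in cert_names))


if __name__ == "__main__":
    # Constructed sample: the asker's hosts plus a deeper label to show the
    # one-label limit of a wildcard.
    must_serve = ["example.com", "www.example.com", "a.example.com",
                  "b.example.com", "x.a.example.com"]
    for field in ("*.example.com", "*.example.com, example.com"):
        names = parse_domain_field(field)
        print(f"{field!r:32} uncovered: {uncovered_hostnames(names, must_serve)}")
```

Run with the wildcard alone and the apex shows up as uncovered, which is exactly the glitch in the question; with the FAQ's two-name field only the two-level `x.a.example.com` remains, which would need its own `*.a.example.com` or explicit SAN entry.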