
My recent infrastructure had the following setup:

  • A domain on Route53 as example.com.
  • Several subdomains, e.g. blog.example.com, dev.example.com, etc.
  • A certificate on ACM with *.example.com as its entry.

Everything worked as expected, until I was required to add another domain, e.g. abc.dev.example.com. SSL doesn't work on this newly created subdomain.

My previous experience suggests creating a new certificate for this new subdomain; it has worked for me earlier as well. But it doesn't seem to be a best practice. Can I refresh/update my current certificate to accommodate the new subdomain?

amsh

1 Answer

This is because a wildcard SSL cert can only support one subdomain level. From the docs:

When you request a wild card certificate, the asterisk (*) must be in the leftmost position of the domain name and can protect only one subdomain level. For example, *.example.com can protect login.example.com, and test.example.com, but it cannot protect test.login.example.com.

So in your case you need a new certificate for *.dev.example.com.

Marcin
  • Thanks for pointing me in the right direction. I have created a domain with one subdomain level now. Unfortunately, when I open the URL it's still not secure. Do I need to refresh my certificate somehow to accommodate it as well? – amsh Nov 25 '20 at 08:59
  • @amsh No problem. You can't update an existing SSL cert to add a subdomain. You have to create a new one. – Marcin Nov 25 '20 at 09:12
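The one-label rule the answer quotes, as an added worked check (my own code, not from the answer or from AWS): a hostname matcher that applies the RFC 6125 wildcard rule, run against the question's certificate and against a certificate that also lists *.dev.example.com. The certificate name lists are constructed sample data.

```python
"""Check which hostnames a certificate's wildcard entry covers.

Added example (not from the original answer): implements the one-label
wildcard rule that ACM and browsers follow (RFC 6125 section 6.4.3):
'*' matches exactly one DNS label, so *.example.com covers dev.example.com
but not abc.dev.example.com.
"""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name entry covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname           # literal name: exact match only
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label (e.g. "*.example.com");
    # "a*.example.com" or "*.*.example.com" are not honoured here.
    if p_labels[0] != "*" or "*" in p_labels[1:]:
        return False
    # Equal label counts means '*' consumed exactly one label: this is what
    # stops *.example.com from covering abc.dev.example.com.
    if len(h_labels) != len(p_labels):
        return False
    # Every label to the right of the wildcard must match literally.
    return h_labels[1:] == p_labels[1:]


def covered_by(cert_names, hostname):
    """Return the first certificate name entry covering hostname, or None."""
    for name in cert_names:
        if wildcard_matches(name, hostname):
            return name
    return None


# Constructed sample data: the names on the question's certificate, and a
# certificate that also carries the *.dev.example.com entry the answer calls for.
QUESTION_CERT = ["example.com", "*.example.com"]
EXTENDED_CERT = ["example.com", "*.example.com", "*.dev.example.com"]

if __name__ == "__main__":
    for host in ["blog.example.com", "dev.example.com", "abc.dev.example.com"]:
        print(f"{host:22} question cert -> {str(covered_by(QUESTION_CERT, host)):16}"
              f" extended cert -> {covered_by(EXTENDED_CERT, host)}")
```

Running it shows abc.dev.example.com matched by nothing on the question's certificate and by *.dev.example.com on the extended one, which is the mismatch behind the "not secure" warning in the comments.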