LetsEncrypt Subdomain wildcard?

cclass · August 10, 2016, 6:15pm

I might be phrasing this question wrong but does LetsEncrypt create a subdomain wildcard SSL certificate?

What I mean is, does the SSL created for subdomain1.example.com also get applied to any sub subdomains – subdomain2.subdomain1.example.com? If so, is there anyway to prevent this?

I’ve got a site on a subdomain on one server, and a sub subdomain that is pointed to a site on another server (different IP address). When visiting subdomain2.subdomain1.example.com, Chrome blocks the site because the SSL is invalid. If i add the sub subdomain to site_hosts, provisioning fails because that sub subdomain’s IP does not point to the same server.

Thanks

swalkinshaw · August 10, 2016, 6:18pm

LE supports “SAN” certificates where you need to specify every domain. There’s no wildcards.

So Trellis (as of current version) automatically adds every host you specify in the certificate which also means it needs to verify each one requiring a valid DNS record.

There’s no way around this right way as it’s generally a good thing to have HTTPS on every domain your site is on.

cclass · August 17, 2016, 12:18pm

Thanks for the reply

I’m using trellis for a single site on a subdomain – e.g. production.site.com – with LE SSL.

For the staging site, on a different server, I’m using the domain staging.production.site.com. When I visit http://staging.production.site.com, a redirect occurs to https://staging.production.site.com but as that URL isn’t setup with an SSL, the browser says it is unable to connect to the site. I can, however, go directly to WP Admin in Firefox at http://staging.production.site.com without any problems.

Have I misconfigured something or is this because of the SSL on production.site.com and is therefore expected? If so, is resolvable?

Thanks

Chris

swalkinshaw · August 18, 2016, 12:34am

Looks like that’s HSTS in action.

You’ll need to set nginx_hsts_include_subdomains: false in group_vars/all/main.yml.

It’s generally better security to set it which is why its our default. Why not just enable SSL though?

cclass · August 18, 2016, 11:04am

When I try to enable SSL on the staging site (staging.production.site.com) provisioning fails during the Test Acme Challenges task with the error ‘Make sure that a valid DNS record exists for…and that they point to this server’. I assumed that this was because production.site.com is on a different server to staging.production.site.com

MWDelaney · August 21, 2016, 1:38pm

Does an A record exist in your domain’s public DNS for staging.production.site.com? That’s what LE is complaining about here.

cclass · August 22, 2016, 9:27am

Yeah, there is a DNS record for that domain and I’m able to access it fine as I mentioned.

Could it be due to my DNS setup? production.site.com is pointed to DigitalOcean’s nameservers while site.com is just using the nameservers of the original registrar.

On DigitalOcean, I’ve created the A record for staging.production.site.com and pointed it to another DigitalOcean server.

cclass · August 31, 2016, 12:02pm

thanks, this did the trick. was my last resort after i couldn’t get SSL working on the sub, sub domain (which was pointing to a different server).