2

I've generated a Let's Encrypt wildcard certificate for my domain *.domain.com.

I thought this certificate is valid for any nested subdomain *.*.domain.com, like it.*.domain.com or fr.*.domain.com. But browsers are giving me an error that the wildcard certificate was issued for domain.com, and not for *.domain.com. I've tried to issue a new certificate for *.*.domain.com with CertBot and it's giving me an error (multiple wildcards not allowed).

Is it possible to achieve this, or do I have to manually issue wildcard certificates for each 1st level subdomain?

Ilya Cherevkov

1 Answer

6

The CertBot error you're seeing is accurate - SSL certificates are only valid for one domain layer - for example *.domain.com or *.fr.domain.com or *.example.domain.com. More information - specifically the RFC quote - is in this SF answer.

If you need subdomains of subdomains, you will need to create wildcards for each individual subdomain.

Craig Watson
  • That's unfortunate, so I need to generate 20 wildcard certificates :( – Ilya Cherevkov Apr 07 '20 at 14:45
  • 4
    I'd personally question the logic of your DNS structure - most implementations tend to use hyphens or URL-rewriting to separate locales for precisely this reason. For example: `domain.com/uk` or `uk.domain.com` or `store-uk.domain.com`. – Craig Watson Apr 07 '20 at 14:47
  • It depends on the site type. I found out that for content sites it makes sense to create numerous region-oriented subdomains like lang.theme_category.domain.com for better search engine indexing purposes. – Ilya Cherevkov Apr 21 '20 at 20:32
  • Because each combination is considered as a different resource, which affects indexing frequency. In contrast, `domain.com/theme_category/lang/` is considered as one resource, so you get fewer bot scans by the factor of langs * categories – Ilya Cherevkov Apr 21 '20 at 20:39
  • Each combination is not a separate site - [source1](https://www.pi-datametrics.com/identify-seo-sub-domain-conflict-cannibalisation/) / [source2](https://www.searchenginejournal.com/subdomains-vs-subfolders-seo/239795/). Using subdomains like this will harm SEO, not help it. A better strategy would be `theme.domain.com/lang`, or even better would be to use the correct localised domain - for example `domain.fr` or `domain.de` or `domain.it` if you have the commercial clout to do so. – Craig Watson Apr 21 '20 at 20:45
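
The single-label rule from the answer above, as an added Python example (not code from the original posts): `*` stands for exactly one left-most label, so the sketch checks which hosts a certificate name covers and lists the wildcard names a set of nested hosts would need. The function names and hostnames are constructed for illustration.

```python
# Added example: single-label wildcard matching for certificate names.
# All hostnames are constructed samples, not taken from a real deployment.

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (exact or '*.'-prefixed) covers hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):          # '*' replaces exactly one label, never two or zero
        return False
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h

def single_wildcard_ok(pattern: str) -> bool:
    """This example accepts '*' only as the entire left-most label."""
    labels = pattern.split(".")
    if any("*" in label for label in labels[1:]):
        return False              # e.g. '*.*.domain.com' or 'it.*.domain.com'
    return "*" not in labels[0] or labels[0] == "*"

def wildcards_needed(hostnames):
    """One wildcard name per distinct parent domain among the hostnames."""
    names = set()
    for host in hostnames:
        parent = host.lower().rstrip(".").split(".", 1)[1]
        names.add("*." + parent)
    return sorted(names)

def uncovered(hostnames, cert_names):
    """Hosts that none of the certificate names match."""
    return [h for h in hostnames
            if not any(wildcard_matches(n, h) for n in cert_names)]

# Constructed sample: a lang.category.domain.com layout like the one discussed.
SAMPLE_HOSTS = [
    "it.news.domain.com",
    "fr.news.domain.com",
    "it.sport.domain.com",
    "news.domain.com",
    "www.domain.com",
]

if __name__ == "__main__":
    print("not covered by *.domain.com:", uncovered(SAMPLE_HOSTS, ["*.domain.com"]))
    print("wildcard names to request:  ", wildcards_needed(SAMPLE_HOSTS))
```
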