-
1. Re: Wildcard certificate not matching
ctomc Jan 8, 2015 8:32 AM (in response to nickarls)
You get that where? In the browser? Do all browsers complain the same?
-
2. Re: Wildcard certificate not matching
nickarls Jan 8, 2015 8:39 AM (in response to ctomc)
Yep, the browser complains "The security certificate presented by this website was issued for a different website's address." The certificate status is OK in itself.
-
3. Re: Wildcard certificate not matching
ctomc Jan 8, 2015 8:45 AM (in response to nickarls)
So this looks more like a browser or certificate problem than anything else.
Not sure how the server could affect this, given that you say what the server presents looks correct.
Try a different browser, as some older browsers don't like wildcard certs too much.
-
4. Re: Wildcard certificate not matching
nickarls Jan 8, 2015 8:53 AM (in response to ctomc)
It's IE11, so it's not that old ;-)
OK, so the browser knows which domain the certificate covers.
The DNS is correct because the server is reached.
Mustn't the problem then be that the server identifies itself as something other than what the request is for?
If I do a https://tar.bar.foo.com which returns the WF front page and the certificate is for *.foo.com, isn't it the case that the server identifies its "true" name, e.g. "tar" instead of tar.bar.foo.com? How else could the browser determine that the server name and the certificate match? I was under the impression that the alias was a list for something like "if I call you tar.bar.foo.com, return that in the response headers". Or am I missing some point here?
-
5. Re: Wildcard certificate not matching
jaikiran Jan 8, 2015 9:08 AM (in response to nickarls)
Nicklas Karlsson wrote:
the certificate is for *.foo.com and the DNS resolves the host to tar.bar.foo.com
This isn't expected to work as per the "Limitations" and "Examples" section here: http://en.wikipedia.org/wiki/Wildcard_certificate
In the case of a wildcard certificate for *.example.com, these domains would be valid:
- payment.example.com
- contact.example.com
- login-secure.example.com
- www.example.com
Because the wildcard only covers one level of subdomains (the asterisk doesn't match full stops)[11], these domains would not be valid for the certificate:
- test.login.example.com
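The one-label rule quoted above is the whole story for the mismatch in this thread. When a browser validates a certificate it takes the host name from the URL it requested (tar.bar.foo.com) and compares it against the dNSName entries in the certificate's subjectAltName (falling back to the CN on older clients); a `*` is only honoured as the entire left-most label and matches exactly one label, never a dot. The following is an added example written for this page, not code from the thread or from WildFly/JBoss; the certificate names and host names in it are hypothetical, chosen to mirror the thread's *.foo.com case.

```python
"""Browser-style wildcard host name matching (RFC 6125 section 6.4.3 rules).

Added example for this thread; host names and certificate names are
hypothetical and constructed inline so the script runs offline.
"""
from typing import Iterable


def _match_name_pattern(pattern: str, hostname: str) -> bool:
    """Match one certificate name (dNSName or CN) against a requested host.

    Rules enforced, matching what mainstream browsers do:
    - case-insensitive, whole-name comparison (trailing dot ignored)
    - a wildcard is accepted only as the complete left-most label
    - the wildcard matches exactly one label, so it never spans a dot
    - patterns such as "*" or "*.com" (wildcard over a public suffix
      with fewer than two fixed labels after it) are rejected
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")

    if "*" not in pattern:
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")

    # Wildcard must be the entire first label, nowhere else, and at least
    # two fixed labels must follow it (rejects "*" and "*.com").
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False

    # One wildcard covers exactly one label: label counts must agree.
    # This is why tar.bar.foo.com (4 labels) never matches *.foo.com (3).
    if len(h_labels) != len(p_labels):
        return False

    # Left-most host label must be non-empty; the rest must match exactly.
    return h_labels[0] != "" and h_labels[1:] == p_labels[1:]


def hostname_matches(hostname: str, cert_names: Iterable[str]) -> bool:
    """True if any name in the certificate covers the requested host name."""
    return any(_match_name_pattern(name, hostname) for name in cert_names)


# Constructed stand-in for the SAN list of the thread's *.foo.com certificate.
CERT_NAMES = ["*.foo.com", "foo.com"]

if __name__ == "__main__":
    for host in ["tar.foo.com", "www.foo.com", "foo.com",
                 "tar.bar.foo.com", "foo.com.example.test"]:
        verdict = "OK" if hostname_matches(host, CERT_NAMES) else "name mismatch"
        print(f"{host:24} -> {verdict}")
```

Note that nothing in this check consults what the server believes its own name to be: the host name comes from the client's URL, and the names come from the certificate. To see exactly which names a server actually sends for a given SNI value, `openssl s_client -servername tar.bar.foo.com -connect tar.bar.foo.com:443 </dev/null | openssl x509 -noout -text` prints the presented certificate, including its Subject Alternative Name extension.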
-
6. Re: Wildcard certificate not matching
ctomc Jan 8, 2015 9:15 AM (in response to nickarls)
The server should always present itself with the proper name.
For example, see https://docs.jboss.org, where the certificate used is *.jboss.org and it works,
and the server presents itself as docs.jboss.org.
Maybe the problem is that you are using an alias and the https server is returning that as the server name (didn't go check).
What if you try with <host name="tar.bar.foo.com" ...
-
7. Re: Wildcard certificate not matching
ctomc Jan 8, 2015 9:20 AM (in response to jaikiran)
jaikiran pai wrote:
Nicklas Karlsson wrote:
the certificate is for *.foo.com and the DNS resolves the host to tar.bar.foo.com
This isn't expected to work as per the "Limitations" and "Examples" section here: http://en.wikipedia.org/wiki/Wildcard_certificate
In the case of a wildcard certificate for *.example.com, these domains would be valid:
- payment.example.com
- contact.example.com
- login-secure.example.com
- www.example.com
Because the wildcard only covers one level of subdomains (the asterisk doesn't match full stops)[11], these domains would not be valid for the certificate:
- test.login.example.com
Now I remember that I saw this somewhere before.
-
8. Re: Wildcard certificate not matching
nickarls Jan 9, 2015 2:53 AM (in response to jaikiran)
Ah, that does sound like a natural explanation, thanks!