Transitioning to Let's Encrypt wildcard certificates

A month ago I issued a wildcard certificate for * and patiently awaited the expiration of my old HPKP policy. Eventually the time to install the new key and certificate arrived, but to my great dismay, things did not turn out according to plan. Upon restarting the Apache web server, I got served with the following (epic) failure:

AH01909: server certificate does NOT include an ID which matches the server name

What I had failed to take into account was the fact that a wildcard certificate for * does not cover additional levels of subdomains. In short, and will both match *, but on the other hand, well not so much.

I would really like to get rid of the moronic multi-level subdomain so if you happen to be one of my RSS subscribers and are reading this, then please consider pointing your reader to instead.

Anyhow, I decided I needed to issue a new wildcard certificate covering two levels of subdomains. In my case, that would mean * and *
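To make the matching rule concrete, here is a small added example (not part of the original post) that applies the RFC 6125 wildcard rules Apache and browsers use to a constructed certificate with a single wildcard SAN and to a reissued one carrying the apex name plus wildcards for two subdomain levels. The domain names are placeholders I made up for the illustration.

```python
# Added example: RFC 6125-style hostname matching for dNSName SANs,
# showing why "*.example.com" does not cover "rss.blog.example.com".
# All domain names here are constructed placeholders.

def san_matches(hostname: str, san: str) -> bool:
    """Return True if a single dNSName SAN entry covers hostname.

    Rules applied (RFC 6125 section 6.4.3, as commonly implemented):
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard is honoured only as the complete leftmost label;
      * the wildcard matches exactly one label, never zero, never several.
    """
    host = hostname.lower().rstrip(".").split(".")
    pattern = san.lower().rstrip(".").split(".")
    if pattern[0] != "*":
        return host == pattern  # no wildcard: exact match required
    if "*" in pattern[1:]:
        return False  # wildcard allowed only in the leftmost label
    if len(pattern) < 3:
        return False  # refuse "*" and "*.com"-style patterns
    # Same number of labels, and every non-wildcard label identical:
    # this is the step that rejects an extra subdomain level.
    return len(host) == len(pattern) and host[1:] == pattern[1:]


def cert_covers(sans: list[str], hostname: str) -> bool:
    """True if any SAN on the certificate covers hostname (Apache's check)."""
    return any(san_matches(hostname, san) for san in sans)


# Constructed certificates mirroring the post: the first wildcard cert, then
# the reissued one with the apex name plus wildcards for two subdomain levels.
ORIGINAL_SANS = ["*.example.com"]
REISSUED_SANS = ["example.com", "*.example.com", "*.blog.example.com"]

if __name__ == "__main__":
    for name in ["www.example.com", "rss.blog.example.com", "example.com"]:
        print(f"{name:24} original={cert_covers(ORIGINAL_SANS, name)!s:5} "
              f"reissued={cert_covers(REISSUED_SANS, name)}")
```

Note that the apex name is not covered by the wildcard either, which is why the bare domain has to be listed as its own -d argument alongside the two wildcards.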

Thankfully the awesome script allowed me to achieve this (without reconfiguration) using the following one-liner: --issue -d -d '*' -d '*' --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

After adding the needed DNS records to complete the challenge, it was simply a matter of issuing the following command to retrieve my new certificate: --renew -d --force --yes-I-know-dns-manual-mode-enough-go-ahead-please
Issuing a multi-level subdomain wildcard certificate from Let's Encrypt.

After this little detour, I could finally install my brand new multi-level subdomain wildcard certificate.

Roger Comply
Thank you for reading!
Feel free to waste more time by subscribing to my RSS feed.