Transitioning to Let’s Encrypt wildcard certificates

A month ago I issued a wildcard certificate for * and patiently awaited the expiration of my old HPKP policy. Eventually the time to install the new key and certificate arrived, but to my great dismay, things did not turn out according to plan. Upon restarting the Apache web server, I got served with the following (epic) failure:

AH01909: server certificate does NOT include an ID which matches the server name

What I had failed to take into account was the fact that a wildcard certificate for * would not cover additional levels of subdomains. In short, and will both match *, but on the other hand, well not so much.

I would really like to get rid of the moronic multi-level subdomain so if you happen to be one of my RSS subscribers and are reading this, then please consider pointing your reader to instead.

Anyhow, I decided I needed to issue a new wildcard certificate covering two levels of subdomains. In my case, that would mean * and *
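To make the matching rule concrete, here is an added example (not code from this post or from the ACME client it uses) that implements the one-label wildcard rule web servers and browsers apply when they compare a certificate's names against the requested host name; the domain names in it are constructed placeholders, not the author's real ones.

```python
# Added example (not from the original post): RFC 6125-style wildcard matching,
# showing why "*.example.com" does not cover "feed.blog.example.com".
# All domain names below are constructed placeholders.

def label_matches(pattern_label: str, host_label: str) -> bool:
    """A wildcard label matches exactly one non-empty DNS label; anything else must match exactly."""
    if pattern_label == "*":
        return host_label != ""
    return pattern_label.lower() == host_label.lower()

def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS name (optionally a leftmost-label wildcard) covers hostname.

    Rules applied (RFC 6125 section 6.4.3, as enforced by browsers and Apache):
    - the wildcard must be the entire leftmost label ("*.example.com", never "w*.example.com")
    - it matches exactly one label, so the label counts of pattern and hostname must be equal
    - a wildcard directly under a public suffix such as "*.com" is refused
    """
    p_labels = pattern.rstrip(".").split(".")
    h_labels = hostname.rstrip(".").split(".")
    if "*" in pattern:
        if p_labels[0] != "*" or "*" in pattern[2:]:
            return False          # wildcard must be the whole leftmost label, and appear once
        if len(p_labels) < 3:
            return False          # refuse "*.com"-style wildcards
    if len(p_labels) != len(h_labels):
        return False              # this is the check that rejects multi-level subdomains
    return all(label_matches(p, h) for p, h in zip(p_labels, h_labels))

def cert_covers(san_names: list[str], hostname: str) -> bool:
    """True if any subjectAltName DNS entry of the certificate matches hostname."""
    return any(name_matches(n, hostname) for n in san_names)

# Constructed samples: the first certificate from the post (apex + one wildcard level)
# and its replacement (apex + wildcards for two levels).
ONE_LEVEL = ["example.com", "*.example.com"]
TWO_LEVEL = ["example.com", "*.example.com", "*.blog.example.com"]

if __name__ == "__main__":
    for host in ["example.com", "www.example.com", "feed.blog.example.com"]:
        print(f"{host:24} one-level: {cert_covers(ONE_LEVEL, host)!s:5} "
              f"two-level: {cert_covers(TWO_LEVEL, host)}")
```

Running it shows `feed.blog.example.com` covered only by the two-level certificate, which is exactly the mismatch Apache reports as AH01909.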

Thankfully the awesome script allowed me to achieve this (without reconfiguration) using the following oneliner:

--issue -d -d '*' -d '*' --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

After adding the needed DNS records to complete the challenge, it was simply a matter of issuing the following command to retrieve my new certificate:

--renew -d --force --yes-I-know-dns-manual-mode-enough-go-ahead-please

Issuing a multi-level subdomain wildcard certificate from Let’s Encrypt using

To quote Meat Loaf: two out of three ain’t bad /O\

After this little detour, I could finally install my brand new multi-level subdomain wildcard certificate.

Multilevel wildcard certificate

Thank you for reading!
Feel free to waste more time by subscribing to my RSS feed or find me on Keybase.
