icing / mod_md

Let's Encrypt (ACME) in Apache httpd
https://icing.github.io/mod_md/
Apache License 2.0

Wildcard certificate not working with multi-level subdomains #299

Closed tbjornli closed 1 year ago

tbjornli commented 1 year ago

Pre v2.4.0

Up until v2.4.0, in order to secure more than one sub-domain I needed to include them all in the MDomain directive, like this:

# domain.tld.conf
<MDomain domain.tld sub1.domain.tld sub2.domain.tld sub4.domain.tld>
  MDMember *.domain.tld
  MDCAChallenges dns-01
  #MDChallengeDns01 /usr/local/sbin/dns-challenge --
</MDomain>
MDCertificateAgreement accepted
MDRequireHttps permanent

However, this did not work for multi-level subdomains, so for these specific vhosts I needed this config:

# multi-level.sub1.domain.tld.conf
MDomain multi-level.sub1.domain.tld
MDCertificateAgreement accepted
MDRequireHttps permanent

Post v2.4.0

Now that I am using Apache 2.4.52, which includes mod_md v2.4.8 from what I can see, I can reduce the first bit of the configuration to this:

# domain.tld.conf
MDomain domain.tld *.domain.tld
MDCAChallenges dns-01
MDChallengeDns01 /usr/local/sbin/dns-challenge --
MDCertificateAgreement accepted
MDRequireHttps permanent

Problem

However this wildcard configuration does not seem to cover multi-level subdomains like multi-level.sub1.domain.tld and I am still required to keep the configuration multi-level.sub1.domain.tld.conf (as above).

If I remove this configuration, I see the following error message in the multi-level.sub1.domain.tld.log file:

AH02572: Failed to configure at least one certificate and key for multi-level.sub1.domain.tld:443
SSL Library Error: error:0480006C:PEM routines::no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
SSL Library Error: error:0480006C:PEM routines::no start line (Expecting: EC PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
SSL Library Error: error:0A0000B1:SSL routines::no certificate assigned

It seems strange to me that one should need the extra configuration for multi-level subdomains which should be covered by the wildcard certificate.

Any idea why this is not working? Is it not supported, did I stumble upon a bug or am I doing something wrong?

whereisaaron commented 1 year ago

Hi! It is the expected behaviour of TLS certificates that `*` only matches a single level. So a certificate issued for `*.example.com` will match `name1.example.com` but will not work for `name1.sub1.example.com`. This is a TLS limitation, not something related to `mod_md`.

https://en.wikipedia.org/wiki/Wildcard_certificate#Example

icing commented 1 year ago

As @whereisaaron said. *.domain.com only works on the first level. No browser will recognize a cert like *.*.domain.com. It is explicitly prohibited to do so by the standards. Nor is a CA like Let's Encrypt or any other allowed to do so.
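
The single-label rule described in the two replies above, as an added example that is not part of this issue or of mod_md's code: a small reimplementation of how a TLS client matches a hostname against the certificate's names (RFC 6125 rules, which are also what the CA/Browser Forum lets Let's Encrypt issue). It also shows the practical fix in mod_md terms: request a second wildcard one level down, `*.sub1.domain.tld`, alongside `*.domain.tld`. All hostnames and SAN lists are constructed for the example.

```python
# Added example, not part of the original issue or of mod_md. Constructed
# names throughout; 'domain.tld' stands in for the reporter's real domain.

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if certificate name `pattern` covers `hostname`.

    Rules as applied by browsers and OpenSSL (RFC 6125 section 6.4.3):
    - comparison is case-insensitive; a trailing dot is ignored
    - a name without '*' must match exactly
    - '*' is only valid as the entire left-most label, once, and must be
      followed by at least two labels ('*.tld' is never accepted)
    - '*' matches exactly one label: never zero, never more than one
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        # Malformed or prohibited wildcard, e.g. '*.*.domain.tld' or 'f*.domain.tld'
        return False
    if len(h_labels) != len(p_labels):
        # '*' would have to span zero labels or more than one label
        return False
    return h_labels[1:] == p_labels[1:]


def covered_by(sans, hostname):
    """True if any Subject Alternative Name in `sans` covers `hostname`."""
    return any(wildcard_matches(san, hostname) for san in sans)


def uncovered_hosts(sans, hostnames):
    """Hostnames that a certificate carrying these SANs would NOT serve."""
    return [h for h in hostnames if not covered_by(sans, h)]


if __name__ == "__main__":
    # Constructed: the SANs requested for 'MDomain domain.tld *.domain.tld'
    sans = ["domain.tld", "*.domain.tld"]
    hosts = ["domain.tld", "sub1.domain.tld", "multi-level.sub1.domain.tld"]
    print("not covered:", uncovered_hosts(sans, hosts))
    # Adding a second wildcard one level down closes the gap; this is what
    # 'MDomain domain.tld *.domain.tld *.sub1.domain.tld' would request.
    sans_fixed = sans + ["*.sub1.domain.tld"]
    print("not covered after fix:", uncovered_hosts(sans_fixed, hosts))
```

Run it and `multi-level.sub1.domain.tld` is the only host left uncovered by the original two names, and nothing is uncovered once `*.sub1.domain.tld` is added. Note that the deeper wildcard still only reaches one level: `a.multi-level.sub1.domain.tld` would need yet another name.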

tbjornli commented 1 year ago

Oh, I was actually not aware that this is a limitation in TLS.

Thank you!