
I have a wildcard certificate but the browser does not like the SSL version with www in front. How can I get this fixed? I have tried to forward to the non-www version without any resolution.

The URL is https://www.a.hunchbuzz.com/

The certificate warning says:

    Certificate does not match name www.a.hunchbuzz.com
    Subject *.hunchbuzz.com
    Valid from 27/Jul/2013 to 30/Jul/2014
    Issuer  RapidSSL CA
steve0nz
    "I have tried to forward to the non www version" - as you've discovered, the certificate name check happens before you get as far as HTTP to do the redirect. Unless there's a definitive RFC on the rules for wildcard certs, I think your best bet would be to talk to RapidSSL to see if they've got a solution for you. – Rup Sep 17 '13 at 22:06
    Turns out there is: it's [RFC 6125](http://tools.ietf.org/html/rfc6125#section-6.4.3). It says that wildcards can match one part only, and the security notes section says that if you had a second name `www.*.hunchbuzz.com` on the same cert that shouldn't be matched too. Hat-tip to the comment on [this old answer](http://stackoverflow.com/a/5295703/). – Rup Sep 17 '13 at 22:10
  • Rup is correct although not every client implements the new RFC. Some libraries still use RFC 2818 wildcard matching rules. All modern browsers use RFC 6125, though. You have to get a new cert with the subjectAltName fields DNS:*.hunchbuzz.com and DNS:*.a.hunchbuzz.com. – Christian Heimes Sep 17 '13 at 22:26
  • Would a *.*domain.com cert work? Is this possible? We have a few subdomains – steve0nz Sep 17 '13 at 22:46
  • No, it wouldn't (or shouldn't) work. Read the section of the RFC posted by @Rup (he's even put the right fragment in the link), point 1. – Bruno Sep 17 '13 at 23:10
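The matching rules the comments refer to can be checked directly. The following is an added example, not code from the question or from any TLS library: it implements the RFC 6125 section 6.4.3 wildcard rules (wildcard only as the whole left-most label, matching exactly one label) and applies them to the question's hostname, to the certificate as issued, and to a certificate carrying the extra `*.a.hunchbuzz.com` subjectAltName suggested above. The identifier lists and hostnames are constructed from the domain in the question; a loose glob comparison is included only to show how much more a non-conforming client would accept.

```python
"""Hostname matching for wildcard certificates, following RFC 6125 section 6.4.3.

Added example; not from the original question or any library. The hostnames
and identifier lists below are constructed from the question's own domain.
"""
from fnmatch import fnmatchcase


def matches_rfc6125(presented: str, reference: str) -> bool:
    """True if a presented identifier (CN or DNS subjectAltName) matches hostname.

    Rules applied (RFC 6125 section 6.4.3, conservative reading):
    - a wildcard is honoured only when it is the entire left-most label;
      'www.*.hunchbuzz.com' is rejected because the wildcard is not left-most
    - the wildcard matches exactly one label, so '*.hunchbuzz.com' covers
      'a.hunchbuzz.com' but not 'www.a.hunchbuzz.com'
    - comparison is case-insensitive and ignores a trailing dot
    """
    p_labels = presented.lower().rstrip(".").split(".")
    r_labels = reference.lower().rstrip(".").split(".")
    if "*" not in presented:
        return p_labels == r_labels
    # Wildcard must be the whole left-most label and must appear nowhere else.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Exactly one label is consumed by the wildcard, so label counts must agree,
    # and a bare '*' with no domain part is never accepted.
    if len(p_labels) < 2 or len(p_labels) != len(r_labels):
        return False
    return p_labels[1:] == r_labels[1:]


def cert_matches_host(identifiers, hostname):
    """True if any DNS identifier on the certificate matches the hostname."""
    return any(matches_rfc6125(ident, hostname) for ident in identifiers)


def matches_glob(presented, reference):
    """Loose glob comparison in which '*' may span dots.

    Shown only to contrast with RFC 6125: a client that matches this way
    accepts '*.hunchbuzz.com' for arbitrarily deep subdomains.
    """
    return fnmatchcase(reference.lower(), presented.lower())


# Constructed scenarios based on the certificate in the question.
CURRENT_CERT = ["*.hunchbuzz.com"]                       # as issued
PROPOSED_CERT = ["*.hunchbuzz.com", "*.a.hunchbuzz.com"]  # with the extra SAN

if __name__ == "__main__":
    for host in ["a.hunchbuzz.com", "www.a.hunchbuzz.com", "x.www.a.hunchbuzz.com"]:
        print(f"{host:24} current={cert_matches_host(CURRENT_CERT, host)!s:5} "
              f"proposed={cert_matches_host(PROPOSED_CERT, host)!s:5} "
              f"glob={matches_glob('*.hunchbuzz.com', host)}")
    # A double wildcard is not a usable identifier under these rules.
    print("*.*.hunchbuzz.com matches www.a.hunchbuzz.com:",
          matches_rfc6125("*.*.hunchbuzz.com", "www.a.hunchbuzz.com"))
```

Running it shows `www.a.hunchbuzz.com` rejected by the issued certificate and accepted once `*.a.hunchbuzz.com` is present, while `*.*.hunchbuzz.com` matches nothing; the glob column accepts every host, which is why relying on a client's looser matching is not a fix.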
