20

I created an SSL certificate for my site using Amazon Certificate Manager. The certificate is for *.example.com. I have then attached this certificate to my ELB and have left the instance protocol as http. So the SSL chain is only between the client and the ELB. I have two A records in Route53, one for example.com and one for www.example.com. Both of these are aliased to the ELB. When I go to https://www.example.com it works perfectly. But when I go to https://example.com I get the following error in Firefox:

"example.com uses an invalid security certificate. The certificate is only valid for *.example.com Error code: SSL_ERROR_BAD_CERT_DOMAIN"

Shouldn't the certificate *.example.com work for the address example.com? Am I missing something?

EDIT May 31, 2016

Thank you to Steffen Ullrich for setting me on the right track. The problem is that when using the AWS Certificate Manager (ACM) in the console (web browser) there is no option to add the alternative names. For those having the same problem, you need to use the CLI (command line interface). A quick web search for "Install AWS CLI" will give you all the information you need to complete the installation. Once the CLI is installed you can run the ACM commands. Here is a link to the documentation:

http://docs.aws.amazon.com/cli/latest/reference/acm/request-certificate.html

The command I used was:

aws acm request-certificate --domain-name www.example.com --subject-alternative-names example.com

Once the request was approved I was able to see the SSL certificate in the ACM web interface. I installed it and everything is working like a charm now!

John
  • Now this can be done in the console itself. Use the "Add another name to this certificate" option when requesting a new certificate. – Krishnendu Oct 24 '18 at 10:13

2 Answers

37

A certificate for *.example.com matches whatever.example.com but not example.com only. This is because the * must match a label and example.com has no label in place of the *. If you want to match both whatever.example.com and example.com you need to create a certificate which has as subject alternative names both *.example.com and example.com.

Steffen Ullrich
  • I have a certificate with the domain name *.tilt45.in and additional names tilt45.in and www.tilt45.in. When I try to access tilt45.in or www.tilt45.in I don't get root->index.html, but when I use api.tilt45.in I can reach index.html. I have an A record for api.tilt45.in. When I try to create a similar record for tilt45.in, I get an error message that the record already exists. – Darshan Puranik Mar 23 '17 at 11:44
  • @DarshanPuranik: comments are not intended for asking new questions. Please ask a new question with all necessary details instead and where all can see it. – Steffen Ullrich Mar 23 '17 at 12:51
  • @SteffenUllrich hi, sorry for bumping this 2 years later. I provision an SSL cert using `example.com` and `*.example.com`. This works for my subdomains and previously always worked for `www.subdomain.example.com` if I set that up in Route53. Recently our SSL certs no longer work for the `www.subdomain` even when set up like we always have. Do you know if anything's changed in regards to that on AWS' side? We must've set up 30 or so projects in Route53/cloudfront with ACM SSL cert and have never had this issue. – Stephen Tetreault Oct 01 '18 at 15:15
  • 2
    @StephenTetreault: The behavior I describe has nothing to do specifically with Route 53 but is how certificates get validated in general. I don't know what Route 53 or you did when you previously set up a domain, but a certificate for `*.example.com` will not match `www.subdomain.example.com`, nor did it do that in the past. You would need a certificate for `*.subdomain.example.com` for that. – Steffen Ullrich Oct 01 '18 at 15:30
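The label-matching rule from the accepted answer, worked through in code. This is an added example, not part of Steffen Ullrich's answer or of any browser's or AWS's implementation: it implements the usual browser rules for a DNS-ID wildcard (the wildcard must be the whole leftmost label, it stands for exactly one label, and single-label wildcards like `*.com` are refused) and then checks which of the hostnames from the question a given SAN list covers. The function names and the `acm_request_argv` helper are this example's own; the helper only assembles the `aws acm request-certificate` command line the question's EDIT describes, with DNS validation added as an assumption.

```python
# Added example: wildcard certificate name matching, as browsers apply it.
# Not code from the original post; the helper names are this example's own.
import shlex


def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def name_matches(pattern, hostname):
    """Does one certificate DNS name (optionally a wildcard) match hostname?

    Rules applied (the common browser interpretation of RFC 6125):
    - comparison is case-insensitive,
    - '*' is only accepted as the entire leftmost label,
    - '*' matches exactly one label: never zero, never more than one,
    - a wildcard with fewer than two fixed labels ('*.com') is refused.
    """
    p = _labels(pattern)
    h = _labels(hostname)
    if "*" not in pattern:
        return p == h                      # plain name: exact label match
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False                       # 'w*.example.com', 'www.*.com'
    if len(p) < 3:
        return False                       # '*.com' style is not allowed
    if len(h) != len(p):
        return False                       # '*' covers exactly one label
    return p[1:] == h[1:]


def cert_covers(san_names, hostname):
    """True if any SAN dNSName in the certificate matches hostname."""
    return any(name_matches(n, hostname) for n in san_names)


def missing_names(san_names, hostnames):
    """Hostnames you serve that the certificate would be rejected for."""
    return [h for h in hostnames if not cert_covers(san_names, h)]


def acm_request_argv(primary, extra_names):
    """Build the ACM request the question's EDIT used, as an argv list.

    Assumption (not shown on the page): DNS validation is requested.
    """
    argv = ["aws", "acm", "request-certificate",
            "--domain-name", primary,
            "--validation-method", "DNS"]
    if extra_names:
        argv += ["--subject-alternative-names", *extra_names]
    return argv


if __name__ == "__main__":
    served = ["example.com", "www.example.com", "www.subdomain.example.com"]

    # The certificate from the question: wildcard only.
    wildcard_only = ["*.example.com"]
    print("wildcard-only cert leaves uncovered:",
          missing_names(wildcard_only, served))

    # The certificate from the EDIT: wildcard plus the bare apex as a SAN.
    with_apex = ["*.example.com", "example.com"]
    print("wildcard + apex cert leaves uncovered:",
          missing_names(with_apex, served))

    # www.subdomain.example.com needs its own wildcard level.
    print("covered by *.subdomain.example.com:",
          cert_covers(["*.subdomain.example.com"],
                      "www.subdomain.example.com"))

    print(shlex.join(acm_request_argv("www.example.com",
                                      ["example.com", "*.example.com"])))
```

Running the script shows `example.com` as the only name a `*.example.com`-only certificate fails for, and `www.subdomain.example.com` as still uncovered even after `example.com` is added as a SAN, which is exactly the situation in the last comment above.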
7

When requesting a new certificate via the console, you can now add both *.domain.com and www.domain.com: before hitting Next, in the next box, make sure you request to add another domain to the certificate.

user2867432