I've set up a development server where I need to test a large number of LAMP sites. Their domain names are in a format such as:

https://webapp1.test.example.com
https://anotherwebapp.test.example.com
https://anotherclientssite.test.example.com

I want to get SSL certificates for them. Since getting a certificate for each of them is a hassle, I decided to use Let's Encrypt and certbot to get a wildcard SSL certificate for *.example.com...

...but now, after installing the certificates, I still can't get the browsers to trust them; they still display a warning about how the certificate can't be trusted. In Firefox's case, the error is "SSL_ERROR_BAD_CERT_DOMAIN", and it says that "This certificate is not valid for webapp1.test.example.com. The certificate is valid only for the following domains: *.example.com, example.com".

The command I used to generate the certificate was:

certbot certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --manual-public-ip-logging-ok -d '*.example.com' -d example.com

How can I generate a wildcard certificate that is trusted by default by all browsers?

PaulJ

1 Answer

1

Yes, but wildcards don't quite work like that. *.example.com will match foo.example.com and bar.example.com but not foo.bar.example.com.

Because multiple wildcards aren't allowed, you can't work around this by using *.*.example.com. You can, however, add *.test.example.com, along with any other subdomains you're testing, i.e.:

certbot certonly ... -d '*.test.example.com' -d '*.example.com' -d example.com
wetwarebug
  • This matching rule is defined and explained in §6.4.3 of RFC 6125 "Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)". – Patrick Mevzek Feb 13 '20 at 23:30
  • @PatrickMevzek although 6125 does not apply to HTTPS, see 1.4 and B.2; 2818 does, and says effectively the same thing. CABforum BR 3.2.2.6 also prohibits issuance of a cert with the (single) wildcard immediately to the left of a 'public suffix' i.e. a registry namespace, and at least Firefox checks this client-side. – dave_thompson_085 Feb 14 '20 at 00:27
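To make the matching rule from the answer and the comments concrete, here is an added example (not code from the question, the answer, or certbot) that implements the RFC 6125 §6.4.3 / RFC 2818 §3.1 wildcard rule and checks the question's hostnames against the originally issued names and against the corrected set. It also includes the CA/Browser Forum BR 3.2.2.6 "no wildcard directly left of a public suffix" check from the second comment; the `PUBLIC_SUFFIXES` set is a constructed, deliberately tiny stand-in for the real Public Suffix List and is an assumption of this example.

```python
"""Wildcard certificate name matching as browsers apply it (RFC 6125 §6.4.3,
RFC 2818 §3.1): a single '*' may appear only as the entire leftmost label and
matches exactly one DNS label, never a dot. This is example code, not certbot's
or a browser's implementation."""

# Constructed stand-in for the Public Suffix List (assumption for this example);
# a real checker would load the full list from publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def _labels(name):
    """Split a DNS name into lowercase labels, ignoring one trailing dot."""
    return name.lower().rstrip(".").split(".")


def hostname_matches(hostname, pattern):
    """Return True if a certificate name (dNSName SAN or CN) covers hostname."""
    host_labels = _labels(hostname)
    pat_labels = _labels(pattern)
    if any(label == "" for label in host_labels + pat_labels):
        return False  # empty labels such as "foo..example.com" never match
    if "*" not in pattern:
        return host_labels == pat_labels  # plain name: exact, case-insensitive
    # Wildcard rules: only the leftmost label may be a wildcard, and it must be
    # the whole label ("*.example.com"; not "f*o.example.com", not "*.*.example.com").
    if pat_labels[0] != "*" or any("*" in label for label in pat_labels[1:]):
        return False
    # The wildcard consumes exactly one label, so the label counts must agree:
    # "*.example.com" has 3 labels, "webapp1.test.example.com" has 4 -> no match.
    if len(host_labels) != len(pat_labels):
        return False
    return host_labels[1:] == pat_labels[1:]


def certificate_covers(hostname, cert_names):
    """Return the first certificate name that covers hostname, or None."""
    for name in cert_names:
        if hostname_matches(hostname, name):
            return name
    return None


def wildcard_is_issuable(pattern, public_suffixes=PUBLIC_SUFFIXES):
    """BR 3.2.2.6 check from the comments: a wildcard must not sit immediately
    to the left of a public suffix, so "*.com" and "*.co.uk" are refused."""
    labels = _labels(pattern)
    if labels[0] != "*":
        return True  # not a wildcard name, the rule does not apply
    return ".".join(labels[1:]) not in public_suffixes


if __name__ == "__main__":
    # Names in the certificate the question describes, and the answer's corrected set.
    issued = ["*.example.com", "example.com"]
    fixed = ["*.test.example.com", "*.example.com", "example.com"]
    for host in ["webapp1.test.example.com", "webapp1.example.com", "example.com"]:
        print(f"{host:26} issued -> {str(certificate_covers(host, issued)):18} "
              f"fixed -> {certificate_covers(host, fixed)}")
```

Running it shows the question's symptom directly: `webapp1.test.example.com` is covered by nothing in the issued set (the browser's SSL_ERROR_BAD_CERT_DOMAIN), while `*.test.example.com` in the corrected set covers it; `example.com` itself is matched only by the bare name, never by `*.example.com`.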