
I am planning to create a certificate for the domain *.svc.databaker.io and a web service that will have the DNS name dev.user.svc.databaker.io.

The question is, will the certificate *.svc.databaker.io be valid for dev.user.svc.databaker.io?

Update

Assume I am going to create a certificate for DNS zones as described on https://cert-manager.io/docs/configuration/acme/#dns-zones. For instance,

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    ...
    solvers:
    - dns01:
        cloudflare:
          email: user@example.com
          apiKeySecretRef:
            name: cloudflare-apikey-secret
            key: apikey
      selector:
        dnsZones:
        - 'databaker.io'
        

Will the certificate be valid also for user.dev.svc.databaker.io?

softshipper

1 Answer


No, wildcards only match one label, see RFC 6125 for details, specifically:

 2.  If the wildcard character is the only character of the left-most
       label in the presented identifier, the client SHOULD NOT compare
       against anything but the left-most label of the reference
       identifier (e.g., *.example.com would match foo.example.com but
       not bar.foo.example.com or example.com).

Their example of how not to match exactly covers your use case.

A certificate with CN or SAN *.svc.databaker.io will not match dev.user.svc.databaker.io.

Marc
  • It doesn't matter how you create the certificate, it still won't match more than one label (aka: subdomain). – Marc Sep 23 '20 at 10:54
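As an added example (not part of the question or the answer above), here is a Python check that applies the RFC 6125 rule the answer quotes: a wildcard is accepted only as the entire left-most label and consumes exactly one label, so *.svc.databaker.io covers dev.svc.databaker.io but not dev.user.svc.databaker.io, and a separate *.user.svc.databaker.io SAN would be needed for the latter. The function names are my own; the hostnames are the ones from the question.

```python
"""RFC 6125 section 6.4.3 hostname matching (added example, not from the Q&A)."""


def hostname_matches(presented: str, reference: str) -> bool:
    """Return True if a presented identifier (a CN/SAN from a certificate)
    matches a reference identifier (the hostname the client wanted).

    Rules applied:
      * comparison is case-insensitive and ignores a trailing dot
      * a wildcard is only accepted as the whole left-most label
      * a wildcard matches exactly one label, never zero or several
      * partial-label wildcards such as f*.example.com are rejected
        (RFC 6125 only permits them optionally; modern clients refuse them)
    """
    presented = presented.lower().rstrip(".")
    reference = reference.lower().rstrip(".")
    p_labels = presented.split(".")
    r_labels = reference.split(".")

    if "*" not in presented:
        # No wildcard: labels must be identical, nothing else to do.
        return p_labels == r_labels

    # Wildcard must be the entire left-most label and appear nowhere else.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False

    # Refuse overly broad names such as "*.io" or a bare "*".
    if len(p_labels) < 3:
        return False

    # One wildcard consumes exactly one label, so label counts must agree;
    # this is what makes *.svc.databaker.io fail for dev.user.svc.databaker.io.
    if len(p_labels) != len(r_labels):
        return False

    # The wildcard must match a real, non-empty label.
    if r_labels[0] == "":
        return False

    # Every label to the right of the wildcard must match exactly.
    return p_labels[1:] == r_labels[1:]


def cert_covers(sans: list[str], hostname: str) -> bool:
    """True if any SAN in the certificate matches the hostname."""
    return any(hostname_matches(san, hostname) for san in sans)
```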