Certbot DNS/apache wildcard not working for double sub-domain?


I've successfully set up an SSL certificate through certbot with the DNS plugin. This works great, and I have issued a certificate for example.com and *.example.com:

certbot certificates output:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: example.com
    Domains: example.com *.example.com
    Expiry Date: 2022-02-28 11:09:56+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

So far so good, all domains seem to be secured correctly:

example.com = OK
test.example.com = OK

However, the issue starts for the domain test1.test.example.com. The browser keeps complaining about the fact that the domain is not secured! I've already re-issued the SSL certificate. This succeeds, but still the domain is marked as insecure.

Important to note: if I modify the Apache config for the domain to not redirect http (insecure) traffic to https (secure) traffic, I can access the site. This validates my Apache setup, which in fact is only 1 config file, allowing:

ServerName example.com
ServerAlias *.example.com

EDIT: Perhaps this helps. Safari tells me that the name of the certificate example.com does not match the input? Firefox returns SSL_ERROR_BAD_CERT_DOMAIN. So, I tried to update the domain to also allow *.*.example.com, but that's not allowed by certbot as it returns: Cannot issue for '*.*.example.com': Domain name has more than one wildcard

EDIT 2: The DNS plugin generated a JSON file that contains the auth information to validate the domains. This file contains an entry fulldomain and subdomain, but the issue is with a two-level 'sub-sub' domain? Perhaps this is the issue? How can I fix this, as the certbot plugin does not allow multi-wildcard domains?

1 answer

TVA van Hesteren

I've figured it out: it's not allowed to use a wildcard character before the first dot in the domain name (at least not with the DNS plugin I use).

Therefore, I successfully got it working by adding the domain like: -d *.test.example.com

After issuing and overwriting the old certificate with the new one, this worked perfectly as expected.

example.com = OK
test.example.com = OK
test1.test.example.com = OK
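Why the browser rejected test1.test.example.com under a *.example.com certificate, and why *.test.example.com fixed it, as an added example that is not part of the original thread: a browser-style SAN match in which, as in RFC 6125, a leading `*` stands for exactly one DNS label, plus a helper that reports which hostnames a certificate's SAN list leaves uncovered. The SAN list and hostnames below are constructed from the thread.

```python
"""Check hostnames against a certificate's Subject Alternative Names using
the single-label wildcard rule browsers apply (RFC 6125 section 6.4.3):
'*' matches exactly one label and must be the leftmost label of the SAN.
Example code added to this thread; all names are constructed."""


def san_matches(san: str, hostname: str) -> bool:
    """Return True if one SAN entry covers hostname (case-insensitive)."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname          # plain DNS name: exact match only
    suffix = san[1:]                    # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]  # what the '*' would have to absorb
    # The wildcard absorbs one non-empty label: a dot here means the host
    # is one level deeper (test1.test.example.com), which is not covered.
    return bool(leftmost) and "." not in leftmost and "*" not in leftmost


def covered(sans, hostname: str) -> bool:
    """True if any SAN entry in the certificate covers hostname."""
    return any(san_matches(s, hostname) for s in sans)


def uncovered_hosts(sans, hostnames):
    """Hostnames that would trigger SSL_ERROR_BAD_CERT_DOMAIN-style errors."""
    return [h for h in hostnames if not covered(sans, h)]


def wildcard_for(hostname: str):
    """Narrowest single wildcard that covers hostname ('*.' + parent domain),
    or None for a bare registrable domain like example.com. Let's Encrypt
    issues at most one wildcard and only in the leftmost position, so
    '*.*.example.com' is never an option; one wildcard per depth is."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return None
    return "*." + ".".join(labels[1:])


if __name__ == "__main__":
    sans = ["example.com", "*.example.com"]            # the poster's cert
    hosts = ["example.com", "test.example.com", "test1.test.example.com"]
    for host in hosts:
        print(f"{host} = {'OK' if covered(sans, host) else 'NOT COVERED'}")
    for host in uncovered_hosts(sans, hosts):
        print(f"add to certbot: -d {wildcard_for(host)}")
```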