HTTPS and trailing dot in domain

Is it possible to solve the scenario where a web server is served behind HTTPS, and must be accessible both with www.domain.com and www.domain.com.? And notice the trailing dot.

An example for all: GitHub

The certificate of course is for github.com not for github.com.. Is this problem somehow solvable? Am I completely misunderstanding the DNS architecture?


Unless you have a cert with a Common Name or Subject Alternative Name (sometimes called a UCC certificate) that matches the hostname exactly as it is typed, the browser will report a name mismatch.

Most (all?) browsers appear to do this. See Bug 134402 - URLs with trailing dots in host names (FQDN) produce cert name mismatches for a discussion of Mozilla's position on this issue. From their perspective, there's just not enough upside to making such a change, since there are so few, if any, reasons a trailing dot should be included in a URL.

Basically, browser vendors, as well as anyone else producing a product that verifies certificates, have to be conservative in any case where they are matching hostnames to certs. Making assumptions as to what the user intended is generally considered "bad". If you are not careful, you can end up in a situation where a hostname in a non-specific URL (ex. https://www) is matched to a cert for https://www.<a_domain_in_your_suffix_search_list>, where that resultant domain is not controlled by the same entity as the originally typed name. This is one exception to my rule for always using a trailing dot in FQDNs. The trailing dot is generally a good idea as it is unambiguous and requires fewer queries to resolve, but not all applications deal with it gracefully.

Good catch though, you are WAY ahead of most people in terms of your understanding of "how DNS/SSL/browsers work".
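The matching behaviour discussed in the answer above, as an added illustration (not part of the original answer and not any browser's actual code): a literal comparison rejects the trailing-dot form, a verifier that drops exactly one trailing dot accepts it, and one that expands a relative name through a suffix search list accepts a certificate for a name the user never typed. The function names, SAN lists and the `corp.example` suffix are constructed for the example.

```python
# Simplified dNSName matching (no wildcards, no IDNA); constructed example.

def _labels(name):
    """Split a DNS name into lower-cased labels; 'a.b.' ends in an empty label."""
    return name.lower().split(".")

def strict_verify(hostname, sans):
    """Accept only if the typed hostname equals a certificate name label for label."""
    return any(_labels(hostname) == _labels(san) for san in sans)

def absolute_aware_verify(hostname, sans):
    """Treat the absolute form 'name.' as 'name' by dropping exactly one trailing dot."""
    if hostname.endswith(".") and not hostname.endswith(".."):
        hostname = hostname[:-1]
    return bool(hostname) and strict_verify(hostname, sans)

def unsafe_search_list_verify(hostname, sans, search_list):
    """Guess what the user meant: also try each resolver search-list suffix.

    This is the behaviour the answer calls "bad": the matched name can belong
    to a different entity than the name that was typed.
    """
    candidates = [hostname] + [f"{hostname}.{suffix}" for suffix in search_list]
    return any(strict_verify(c, sans) for c in candidates)

# Constructed certificate name lists and resolver search list.
GITHUB_SANS = ["github.com", "www.github.com"]
INTRANET_SANS = ["www.corp.example"]
SEARCH_LIST = ["corp.example"]

def demo():
    return {
        "strict, no dot": strict_verify("github.com", GITHUB_SANS),
        "strict, trailing dot": strict_verify("github.com.", GITHUB_SANS),
        "dot stripped first": absolute_aware_verify("github.com.", GITHUB_SANS),
        "relative 'www', strict": strict_verify("www", INTRANET_SANS),
        "relative 'www', search list": unsafe_search_list_verify(
            "www", INTRANET_SANS, SEARCH_LIST),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:30} -> {'match' if accepted else 'name mismatch'}")
```
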