HTTPS security warning for sub-subdomains [duplicate]

I've got a wildcard SSL certificate for *.example.com.

I'm using Nginx, and redirecting all traffic for HTTP to HTTPS, and also rewriting the URLs to remove a www subdomain (if there is one).

So it has:

  1. http://subdomain.example.com ---> https://subdomain.example.com
  2. http://www.subdomain.example.com ---> https://subdomain.example.com
  3. https://www.subdomain.example.com ---> https://subdomain.example.com
  4. https://subdomain.example.com ---> https://subdomain.example.com

However, since my cert is for *.example.com, case 3 gets an SSL error in Chrome ("This is probably not the site that you are looking for!"), but if you click through it gets redirected and all is well.

I understand why, since the initial connection is for HTTPS with a www (2 levels of subdomains), which doesn't match what is on the wildcard certificate.

I thought a solution would be to get an additional cert for *.*.example.com to cover www.*.example.com. But it seems like that won't work. I spoke to agents from Namecheap and Comodo, and both said *.*.example.com was not possible.

I also came across this article that states:

Will SSL work with multilevel wildcards?

With the distribution of Firefox 3.5, all major browsers allow only a single level of subdomain matching with certificate names that contain wildcards, in conformance with RFC 2818.

In other words the certificate *.mydomain.com will work for one.mydomain.com or two.mydomain.com but NOT one.two.mydomain.com.

Is there a solution to this? To be able to cover www.*.example.com?


Solution 1:

Wildcard certs only go one level deep. You will need to get a wildcard that also has subject alternative names (SANs) for all www.<subdomain>.example.com sites. This will allow the redirection to happen.

Any solution other than putting valid certs on the two-level-deep subdomains will not work, because the SSL handshake will always happen before any redirection or re-writing.
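The single-label rule quoted from the article in the question (RFC 2818, tightened by RFC 6125) and Solution 1's point that the handshake is checked against the host as typed are both easy to see in code. The matcher below is an added example, not code from the question or either answer; it implements the wildcard rules browsers apply and then checks the question's hosts against the wildcard-only certificate and against the same certificate with the extra SAN Solution 1 recommends. The certificate name lists are constructed for the example.

```python
"""Wildcard certificate name matching as browsers apply it (RFC 2818 /
RFC 6125 section 6.4.3: one "*" label, leftmost position only).

Added example; hostnames are the example.com names from the question and
the certificate name lists below are constructed for illustration.
"""


def matches_name(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (CN or SAN dNSName) covers hostname.

    Rules applied:
      * comparison is case-insensitive;
      * "*" is honoured only as the entire leftmost label ("*.example.com"),
        so "w*.example.com" and "*.*.example.com" are rejected;
      * the wildcard matches exactly one label, never a dot, so
        "*.example.com" does not cover "www.subdomain.example.com";
      * a wildcard needs at least two literal labels after it ("*.com" is
        rejected).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    # Equal label counts: the wildcard consumes exactly one non-empty label.
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return h_labels[1:] == p_labels[1:]


def covered_by(cert_names, hostname):
    """Return the first certificate name that covers hostname, or None."""
    for name in cert_names:
        if matches_name(name, hostname):
            return name
    return None


# Constructed name lists: the wildcard cert from the question, and the same
# cert with the www.<subdomain> SAN that Solution 1 recommends adding.
WILDCARD_ONLY = ["*.example.com"]
WILDCARD_PLUS_SAN = ["*.example.com", "www.subdomain.example.com"]


def handshake_ok(cert_names, request_host):
    """Model the question's case 3: the TLS handshake is validated against
    the host the client typed, before any rewrite to subdomain.example.com
    can happen, so that host must appear on the certificate."""
    return covered_by(cert_names, request_host) is not None


if __name__ == "__main__":
    for host in ("subdomain.example.com", "www.subdomain.example.com"):
        for names in (WILDCARD_ONLY, WILDCARD_PLUS_SAN):
            print(f"{host:28} {str(names):48} -> {handshake_ok(names, host)}")
```

Running the block shows the wildcard-only certificate covering subdomain.example.com but not www.subdomain.example.com, and the SAN-extended certificate covering both, which is exactly why the redirect in case 3 cannot rescue the handshake.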

Solution 2:

A small workaround is to rewrite URLs before the SSL connection is established, but you will never get https://www.subdomain.mydomain.com working without a warning until you get a certificate for this domain name. Something like this:

server {
 # Plain-HTTP listener for the www host: no TLS handshake happens here, so the
 # wildcard cert is never checked against www.subdomain.mydomain.com.
 listen 111.222.333.444:80;   # placeholder address from the answer
 server_name www.subdomain.mydomain.com;

 # Redirect to the non-www host explicitly; "$host" here would send the client
 # to https://www.subdomain.mydomain.com, the very name the cert does not cover.
 rewrite ^ https://subdomain.mydomain.com$request_uri permanent;
}

server {
 # HTTPS listener for the host the wildcard cert actually covers.
 # "ssl on;" is the legacy form of the ssl listen parameter (removed in nginx 1.25.1).
 listen 111.222.333.444:443 ssl;
 server_name subdomain.mydomain.com;
 ...
}