Wildcard SSL and Wildcard hostnames

Reinis Rozitis r at roze.lv
Mon May 11 14:57:04 UTC 2015

> http://example.co - works fine and as expected.
> http://blah.example.co - returns curl: (60) SSL certificate problem: 
> Invalid certificate chain

> This is actually picking up the SSL cert for the default site on the 
> server.
> So the server_name is picking up example.co but *.example.co seems to be 
> ignored.

So are there 2 certificates?
If so you need a different server block for each - one for the exact domain 
and one for the wildcard (or use the wildcard for both).

Besides server_name .example.co and server_name example.co, *.example.co are 
generally the same (the latter actually being recommended 
http://nginx.org/en/docs/http/server_names.html#optimization )

The only difference would be if you have multiple server {} definitions 
(with same domains) because nginx has an order of precedence in which it 
decides which virtual server will be chosen (regular expressions (which is 
also .example.co) will be last).

In general you should check (for example with 'openssl x509 -in 
/path/example.co.crt -noout -text | grep DNS') and see if your nginx 
server{} block configuration actually matches the certificates (and keys) 
you point to.

It makes a bit hard to guess not seing the whole config.

One note when testing with curl - on older systems the root certificates are 
not always updated and if the CA has _recently_ changed its intermediate 
certificates  (iirc for example GoDaddy) curl might report a problem.

Also be sure that the intermediate certificates are included in the 
certificate itself ( 
http://nginx.org/en/docs/http/configuring_https_servers.html#chains )

> we also need *.staging.example.co to work for our staging environment too 
> which
might kill two birds with one stone.

Standard wildcard certificate *.example.co covers also this, you don't need 
additional certificates.

p.s. A good/simple way imo (if the server has public access) to check for 
all kinds of issues/ssl chains etc is to use 
https://www.ssllabs.com/ssltest/ (check the "do not show" if you want hidden 


More information about the nginx mailing list