Can't get a double wildcard SSL cert

Hello,

Our consul-domain is “cool.com” and we have a service “sometool”, and we have “dev/staging/prod” environments where the service can be deployed. I wanted to use Consul tags for the different environments. Thus the service could be found using the following names:

dev.sometool.service.cool.com
staging.sometool.service.cool.com
prod.sometool.service.cool.com

The issue is we get our certificates issued from a CA, and we currently use one certificate for all services, thus we would need a double wildcard cert:
*.*.service.cool.com

Unfortunately, this is not supported by the CA.

Is there any workaround to this? Can the tag come second?

For example: sometool.dev.service.cool.com

Then we could have one certificate *.dev.service.cool.com and that would work across all our services.

Wildcard certificates only support one level of subdomain, e.g. *.cool.com but not *.*.cool.com: https://en.wikipedia.org/wiki/Wildcard_certificate

@number5 - you are right, they aren’t supported as I found out…and I should have checked Wikipedia.

I am wondering if the TAG part can be made to come second:
sometool.dev.service.cool.com
Then I can get a wildcard for: *.dev.service.cool.com.

Instead of what it is now, which is:
dev.sometool.service.cool.com
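
The one-label wildcard rule discussed in this thread, as an added example that is not part of any post above: a simplified hostname matcher run against the names from the thread. It assumes the common rule that `*` must be the entire leftmost label and stands for exactly one label; the function names are hypothetical.

```python
# Added example: simplified certificate wildcard matching.
# Assumption: "*" is valid only as the whole leftmost label and
# covers exactly one DNS label (the rule the thread refers to).

def wildcard_matches(pattern: str, hostname: str) -> bool:
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    # A wildcard never spans a dot, so label counts must be equal.
    if len(p) != len(h):
        return False
    # Reject wildcards anywhere except the leftmost label (e.g. *.*.x).
    if any("*" in label for label in p[1:]):
        return False
    if p[0] == "*":
        return h[0] != "" and p[1:] == h[1:]
    # Partial wildcards such as "f*o" are not accepted in this sketch.
    if "*" in p[0]:
        return False
    return p == h


def coverage(patterns, hostnames):
    """Map each hostname to the certificate patterns that cover it."""
    return {
        name: [pat for pat in patterns if wildcard_matches(pat, name)]
        for name in hostnames
    }


# Names and patterns taken from the thread.
PATTERNS = [
    "*.service.cool.com",
    "*.*.service.cool.com",
    "*.dev.service.cool.com",
]
HOSTNAMES = [
    "dev.sometool.service.cool.com",
    "staging.sometool.service.cool.com",
    "prod.sometool.service.cool.com",
    "sometool.dev.service.cool.com",
]

if __name__ == "__main__":
    for name, pats in coverage(PATTERNS, HOSTNAMES).items():
        print(f"{name:40} -> {pats or 'no matching pattern'}")
```

Only the tag-second form `sometool.dev.service.cool.com` is covered, and only by `*.dev.service.cool.com`; the tag-first names match none of the three patterns.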