Wildcard certificate

Hello,

I would like to know why we cannot use a wildcard certificate for Consul?

fatal: [consul-itg-01]: FAILED! => {"changed": true, "cmd": ["consul", "acl", "policy", "create", "-name", "readonly", "-rules", "@/etc/consul/consul.policies/readonly.hcl"], "delta": "0:00:00.234673", "end": "2019-11-21 16:51:54.001833", "msg": "non-zero return code", "rc": 1, "start": "2019-11-21 16:51:53.767160", "stderr": "Failed to create new policy: Put https://consul.service.infra.example.com:8501/v1/acl/policy: x509: certificate is valid for *.example.com, example.com, not consul.service.infra.example.com", "stderr_lines": ["Failed to create new policy: Put https://consul.service.infra.example.com:8501/v1/acl/policy: x509: certificate is valid for *.example.com, example.com, not consul.service.infra.example.com"], "stdout": "", "stdout_lines": []}

Regards,

Wildcard domains in an x509 certificate only support a single level of subdomain matching. That is, in your example of *.example.com, the certificate would validate foo.example.com and bar.example.com, but not foo.bar.example.com.

Regenerating that certificate with an added SAN of *.service.infra.example.com should enable the x509 certificate to be validated.
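The single-label wildcard rule described in the answer above, shown as an added Python example that is not part of this thread and not Consul's or Go's own code. It re-implements dNSName matching the way RFC 6125 section 6.4.3 describes it (one wildcard label stands in for exactly one hostname label), checks the hostname from the error against the certificate's SAN list, and reproduces the mismatch message. The SAN lists are constructed from the error message in the question, and the function names (san_matches_host, cert_covers_host, explain_mismatch) are my own.

```python
# Added example (not from the thread): how a TLS client validates a hostname
# against the dNSName SANs in a certificate, following RFC 6125 section 6.4.3.
# A wildcard label matches exactly one DNS label, so "*.example.com" covers
# foo.example.com but not consul.service.infra.example.com.

def _normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are label-by-label."""
    return name.lower().rstrip(".")


def san_matches_host(san: str, hostname: str) -> bool:
    """Return True if one dNSName SAN entry covers hostname."""
    pattern_labels = _normalize(san).split(".")
    host_labels = _normalize(hostname).split(".")

    if "*" not in san:
        # Plain name: exact label-by-label match only.
        return pattern_labels == host_labels

    # Only a whole left-most label may be a wildcard (no "f*.example.com",
    # no "foo.*.example.com"). Requiring at least two labels after the
    # wildcard, so "*.com" is refused, is a conservative choice made here.
    if pattern_labels[0] != "*" or len(pattern_labels) < 3:
        return False
    if any("*" in label for label in pattern_labels[1:]):
        return False

    # The wildcard stands in for exactly one label, so the label counts must
    # agree and every remaining label must be identical. This is why
    # "*.example.com" never covers "consul.service.infra.example.com".
    if len(pattern_labels) != len(host_labels):
        return False
    return pattern_labels[1:] == host_labels[1:]


def cert_covers_host(san_dns_names, hostname: str) -> bool:
    """True if any SAN entry in the certificate validates hostname."""
    return any(san_matches_host(san, hostname) for san in san_dns_names)


def explain_mismatch(san_dns_names, hostname: str):
    """Return None on success, or a message in the style of the x509 error above."""
    if cert_covers_host(san_dns_names, hostname):
        return None
    return "certificate is valid for %s, not %s" % (", ".join(san_dns_names), hostname)


# SAN list reconstructed from the error in the question (constructed sample data).
ORIGINAL_SANS = ["*.example.com", "example.com"]
# The same certificate with the extra SAN the answer recommends adding.
FIXED_SANS = ORIGINAL_SANS + ["*.service.infra.example.com"]
CONSUL_HOST = "consul.service.infra.example.com"

if __name__ == "__main__":
    for sans in (ORIGINAL_SANS, FIXED_SANS):
        print(sans, "->", explain_mismatch(sans, CONSUL_HOST) or "ok")
```

Running it prints the same "certificate is valid for *.example.com, example.com, not consul.service.infra.example.com" text for the original SAN list and "ok" once *.service.infra.example.com is present. Note that the added wildcard still covers only one label, so a host such as a.b.service.infra.example.com would fail again; a certificate needs one wildcard entry per depth it must serve.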