SAN certificate and authorization domain error


#1

Hi,
I would like to create a SAN certificate for:

In the tab called “Authorization” I’m using two different authorization settings using the “domain match” field:

  • dns01 for wildcard domain
  • http01 for the others

Now, when I open the “Preview” I see:

  • Authorization will be attempted using the dns-01 challenge type.
    The following matching domains will use this challenge:
    *[dot]example[dot]com
    and
  • Authorization will be attempted using the http-01 challenge type.
    The following matching domains will use this challenge:
    www[dot]site[dot]com
    www[dot]orthersite[dot]com

But when I press “Test” or “Request” I get this error:
“Wildcard domains cannot use http01 validation for domain authorization”

Why does it try to use http for wildcard if I selected dns?
Why does “Preview” say something different from “Test/Request”?
Is it a bug?

Thanks for help
Regards

Roberto


#2

Hi, sounds like a bug! I’ll add it to the list.

If you can, I’d split this into two managed certificates anyway as the requirements are quite different (they can both deploy to the same site if required).

Update: issue filed https://github.com/webprofusion/certify/issues/387


#3

they can both deploy to the same site if required

How? I’m using IIS 8.5


#4

Hi Lazazzera,

I’m in the same situation - you basically need two bindings on the same site:

If you’ve got a simple setup like www[dot]example[dot]com and example[dot]com and use a single IP address, use SNI on each binding.

If (like me) you’ve got many URLs to a single site (mine are redirecting users elsewhere for a service we shut down this year) and can’t use SNI, you need to use two bindings with two IP addresses, i.e. 1.2.3.4 = *[dot]example[dot]com and 1.2.3.5 = example[dot]com

Then, as Webprofusion says, set up Certify with two managed certificates (one per binding).
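The two binding layouts described above, as an added PowerShell example that is not part of this thread or of Certify itself: it uses the WebAdministration module, and the site name, host names, IP addresses and thumbprints are placeholders; the certificates are assumed to be installed already in the LocalMachine\My store.

```powershell
# Added example (not from the thread): two https binding layouts for one IIS site.
# Placeholders: site name, host names, IP addresses, thumbprints. Certificates are
# assumed to be in the LocalMachine\My store already.
Import-Module WebAdministration

# Layout 1: one IP address, SNI on each binding (SslFlags 1 = SNI).
# Each hostname gets its own https binding and its own certificate, so two
# managed certificates can coexist on the same site.
function Add-SniBinding {
    param([string]$Site, [string]$HostName, [string]$Thumbprint)
    New-WebBinding -Name $Site -Protocol https -Port 443 -IPAddress '*' `
        -HostHeader $HostName -SslFlags 1
    $binding = Get-WebBinding -Name $Site -Protocol https -HostHeader $HostName
    $binding.AddSslCertificate($Thumbprint, 'My')   # 'My' is the store name
}

# Layout 2: SNI not usable (IIS 8.5 rejects an asterisk in the SNI host name),
# so each certificate gets a dedicated IP address and a blank host header.
function Add-IpBinding {
    param([string]$Site, [string]$IPAddress, [string]$Thumbprint)
    New-WebBinding -Name $Site -Protocol https -Port 443 -IPAddress $IPAddress
    $binding = Get-WebBinding -Name $Site -Protocol https -IPAddress $IPAddress
    $binding.AddSslCertificate($Thumbprint, 'My')
}

$site = 'Default Web Site'   # placeholder

# Pick one layout. Layout 1 (single IP, SNI):
Add-SniBinding -Site $site -HostName 'www.example.com' -Thumbprint 'THUMBPRINT_WWW'   # placeholder
Add-SniBinding -Site $site -HostName 'example.com'     -Thumbprint 'THUMBPRINT_APEX'  # placeholder

# Layout 2 (two IPs, no SNI), as in the reply above:
# Add-IpBinding -Site $site -IPAddress '1.2.3.4' -Thumbprint 'THUMBPRINT_WILDCARD'  # *.example.com
# Add-IpBinding -Site $site -IPAddress '1.2.3.5' -Thumbprint 'THUMBPRINT_APEX'      # example.com

# Verify: one certificate per binding, and no two bindings share IP:port without SNI.
Get-WebBinding -Name $site -Protocol https |
    Select-Object bindingInformation, sslFlags, certificateHash
```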


#5

It’s also worth noting that the validation for multi-auth challenges (where you perhaps mix http and DNS challenges within one cert) has been updated in v4.0.12, fixing the original issue on this thread.


#6

Regarding static IPs, 4.0.12 has updated handling of static IP bindings (and blank hostname bindings) in general, but I don’t know if the original issue was related to static IPs at all.

General advice: if you can avoid using static IP bindings (and use ‘all unassigned’, with SNI) then you should, unless there is a critical reason for having a static IP binding. It can get deeply confusing in Windows due to the fact that one IP can only really be bound to one IP/Port/Cert combo (which is why we default to SNI). For a lot of users the last couple of years have been the first time they’ve really had to think about https much (perhaps just using it for one or two sites in the past). Sometimes static IPs are being used because they used to be required on Server 2008 etc.


#7

Hi @Webprofusion,

My reply wasn’t specifically about the use of IP addresses, but they asked “how? I’m using IIS8.5” so I was trying to answer the question, which is by using multiple bindings on a single site with SNI.

I agree the general advice is to use “all unassigned” with SNI, but sometimes there are scenarios where you can’t use SNI because it simply doesn’t accept an “asterisk” wildcard in the SNI name (and creating 100+ bindings wasn’t practical).


#8

I confirm, the error has been fixed
thanks