Wildcard certificate not used for root domain name

I need to set up a DNS wildcard for Let’s Encrypt because my domain does not point directly to me, it goes through Cloudflare. I’ve messed with Caddy for a few hours and finally got Wildcards to work mostly, but there’s a problem with my root domain’s HTTPS. All subdomains now work with the below configurations, but the root domain (website.org) does not.

Again, all subdomains work but website.org returns:
ERR_SSL_PROTOCOL_ERROR

If I use…

www.website.org,
website.org {

Then I receive…

Caddyfile:5 - Error during parsing: Cannot convert domain name 'website.org' to a valid wildcard: too few labels

and I can’t have website.org in its own block as that generates its own certificate, which fails because I need to use DNS!

And to summary, I’m receiving my wildcard certificate successfully and all subdomains appear to work but the root domain does not. It will redirect to HTTPS but then throw the above error.

So, how can I secure the root of my website with a wildcard certificate?

caddyfile:

(wildcard_cert) {
  tls {
    dns cloudflare
	wildcard
  }
}

www.website.org {
	root website
	log logs/access.log
	
	import wildcard_cert
	}
}

plex.website.org {
	root websiteplex
	log logs/plex.access.log
	
	import wildcard_cert
}

vault.website.org {
	root websitevault
	log logs/bitwarden.access.log
	
	import wildcard_cert
}

cloud.website.org {
	root websitecloud
	log logs/cloud.access.log
	
	import wildcard_cert
}

Hi @LostSoulfly, welcome to the Caddy community.

You’re out of luck for securing the bare domain with a wildcard certificate, I’m afraid. When Caddy grabs the wildcard cert from LetsEncrypt, it comes with *.example.com written on it, which doesn’t strictly match example.com.

To serve your website on the bare domain, you’ll need to have it in its own site definition block that doesn’t include wildcard.

You might be mistaken here. You can have a DNS-validated certificate without a wildcard. Just use a tls directive identical to the one in your wildcard_cert snippet, but remove the wildcard subdirective. It’ll get a single-domain cert validated by DNS like the wildcard cert is.


P.S. Obviously having the bare domain and the www subdomain in separate site definitions, when you want them to be serving the exact same content, isn’t the most ergonomic…

I think you’d see some traction if you were to open an issue at the Github repo (here: https://github.com/mholt/caddy/issues), fill out a Feature Request, and ask for the capability serve example.com and www.example.com from the same site definition with a wildcard cert. It’s a corner case that’ll probably need some custom handling, but I think it’s more than reasonable of a use case that it should really just work instead of having to split up the labels or running into the problem you have here.

3 Likes

Just to clarify - you should be able use a wildcard cert for a root domain too, but you have to request the certificate with a SAN of example.com for *.example.com.

I say should as I’m not using the root domain for anything atm, and thus don’t have it defined in my wildcards, but there shouldn’t be any issues.

Another solution @LostSoulfly, is to serv a redirect on your root domain port 80 (non-ssl) that just redirects to https://www.example.com - fairly clean, user friendly, and not too unexpected or out of user comfort, since they are familiar with the www subdomain anyway.

Thanks guys. I opted for the below config as I’m not a fan of using www subdomain. I’ll just live with having the two certificates :wink:

(wildcard_cert) {
  tls {
    dns cloudflare
	wildcard
  }
}

(root_cert) {
  tls {
    dns cloudflare
  }
}

website.org {
	root website
	log logs/access.log
	
	import root_cert
}

www.website.org {
	import wildcard_cert
	redir https://website.org{uri}
}

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.