AWS ACM wildcard ssl certificate not working on domain

John · May 30, 2016 · Viewed 14.4k times

I created an SSL certificate for my site using Amazon Certificate Manager. The certificate is for *.example.com. I have then attached this certificate to my ELB and have left the instance protocol as http. So the SSL chain is only between the client and the ELB. I have two A records in Route53. One for example.com, one for www.example.com. Both of these are aliased to the ELB. When I go to https://www.example.com it works perfectly. But when I go to https://example.com I get the following error in Firefox:

"example.com uses an invalid security certificate. The certificate is only valid for *.example.com Error code: SSL_ERROR_BAD_CERT_DOMAIN"

Shouldn't the certificate *.example.com work for the address example.com? Am I missing something?

EDIT May 31, 2016

Thank you to Steffen Ullrich for setting me on the right track. The problem is that when using the AWS Certificate Manager (ACM) in the console (web browser) there is no option to add the alternative names. For those having the same problem, you need to use the CLI (command line interface). A quick web search for "Install AWS CLI" will give you all the information you need to complete the installation. Once the CLI is installed you can run the ACM commands. Here is a link to the documentation:

http://docs.aws.amazon.com/cli/latest/reference/acm/request-certificate.html

The command I used was:

aws acm request-certificate --domain-name www.example.com --subject-alternative-names example.com

Once the request was approved I was able to see the SSL certificate in the ACM web interface. I installed it and everything is working like a charm now!

Answer

Steffen Ullrich · May 30, 2016

A certificate for *.example.com matches whatever.example.com but not example.com only. This is because the * must match a label and example.com has no label in place of the *. If you want to match both whatever.example.com and example.com you need to create a certificate which has as subject alternative names both *.example.com and example.com.
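To make the matching rule above concrete, here is an added Python example (not part of the original question or answer) that implements the label-by-label comparison browsers apply to dNSName SAN entries, following RFC 6125 section 6.4.3, and runs it against two constructed SAN lists: the wildcard-only certificate from the question and the one carrying both *.example.com and example.com that the answer recommends. The SAN lists are constructed inline for illustration, not parsed from a real certificate.

```python
"""Hostname matching against certificate subject alternative names (SANs).

Follows the rules in RFC 6125 section 6.4.3 as browsers apply them:
a '*' replaces exactly one leftmost DNS label, never zero labels and
never more than one, which is why '*.example.com' does not cover
'example.com' itself.
"""


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label; a bare '*' matches any single non-empty label."""
    if pattern_label == "*":
        return host_label != ""
    return pattern_label == host_label


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if the dNSName SAN entry `pattern` covers `hostname`.

    Rules applied:
      - comparison is case-insensitive and ignores a trailing dot
      - '*' is accepted only as the entire leftmost label (browsers reject
        partial wildcards such as 'w*.example.com')
      - a wildcard needs at least two labels after it, so '*.com' is refused
      - label counts must be equal: the wildcard stands for exactly one
        label, so 'example.com' (zero labels) and 'a.b.example.com'
        (two labels) both fail against '*.example.com'
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" in pattern:
        if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
            return False
        if len(p_labels) < 3:
            return False
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def cert_covers_host(san_dns_names, hostname: str) -> bool:
    """True if any dNSName SAN entry in the certificate matches the hostname."""
    return any(dns_name_matches(name, hostname) for name in san_dns_names)


# Constructed SAN lists standing in for the two certificates discussed above
# (illustrative data, not read from a real certificate).
WILDCARD_ONLY = ["*.example.com"]
WILDCARD_PLUS_APEX = ["*.example.com", "example.com"]

if __name__ == "__main__":
    for host in ["www.example.com", "example.com", "a.b.example.com", "example.org"]:
        print(
            f"{host:18} wildcard-only: {str(cert_covers_host(WILDCARD_ONLY, host)):5} "
            f"with apex SAN: {cert_covers_host(WILDCARD_PLUS_APEX, host)}"
        )
```

Running the block prints that the wildcard-only list covers www.example.com but not example.com, exactly the Firefox SSL_ERROR_BAD_CERT_DOMAIN situation in the question, while the list with the apex name added covers both; a.b.example.com is refused by either, since that would need the wildcard to absorb two labels.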