shared certificate not working for sub-sub-domains (..opalstacked.com)

Nnpd · Dec 7, 2020

I can add subdomains of my username.opalstacked.com domain, which is useful for initial setup of things like Gitea or testing/staging new sites. But when I create a site route for that sub-sub-domain, I can't get HTTPS working. If I select Let's Encrypt, I receive a notification that because it's below .opalstacked.com that it's just going to use the shared certificate. But my browser (Firefox) gives a security warning that the shared certificate is good for *.opalstacked.com but does not apply to test.username.opalstacked.com.

(This isn't blocking me at the moment, but it's an inconvenience for testing and setting up services before settling on a dedicated domain name.)

sean · Dec 7, 2020

What you're seeing is the documented behavior:

Note: as of 3 November 2020 we're no longer able to issue individual LE certificates for opalstacked.com domains due to rate-limits imposed by the LE service.

Because of this:

If all of the domains on the site are opalstacked.com subdomains, then the site will be switched to a shared opalstacked.com wildcard certificate.

If the site has opalstacked.com subdomains mixed with other domains, then the opalstacked.com subdomains will be omitted from the final certificate.

To work around it, either accept the certificate warning in your browser and go on with your testing, or make your own LE cert using the manual procedure in the documentation.