ERR_SSL_PROTOCOL_ERROR using wildcard certificate

I am getting an ERR_SSL_PROTOCOL_ERROR error when I only add the wildcard domain to certificates, e.g.

*.example.org

The certificate is correctly issued, but when I try to access app.staging.example.org I get the ERR_SSL_PROTOCOL_ERROR.

As soon as I add app.staging.example.org as a certificate as well, it works.

Shouldn’t it work as well just with the wildcard certificate so that I don’t need to explicitly add subdomains?

Just to confirm, if you do fly certs list or open the app dashboard do you see the wildcard cert has been fully validated and issued?

Yes of course.

Unfortunately I can’t test if it works if I remove the app.staging.example.org certificate, because when I do remove it, it continues to be served under app.staging.example.org.

I can confirm that I’m seeing the same thing. I only have a single certificate for the app so:
fly -a app-name certs list
gives:

Host Name                 Added                Status
*.xxxxxx.xxx              1 day ago            Ready

And the certificate is verified and ready when the app is viewed in the app dashboard.

Opening the site in a browser gives ERR_SSL_PROTOCOL_ERROR.

I’ve found the solution to my particular issue:

I had only added the certificate ‘*.my-example-domain.com’ whereas I needed to add a ‘my-example-domain.com’ certificate as well to serve the apex domain as https.

Without the ‘my-example-domain.com’ certificate browsing to ‘https://my-example-domain.com’ returns the ERR_SSL_PROTOCOL_ERROR.

Thanks, but I think the error is different in my case, as I am not using an apex domain but an actual subdomain instead, e.g. app.staging.example.org, which in theory should be covered correctly by the wildcard *.example.org.

Wildcard certificates only cover one level of subdomain, so *.example.org would cover staging.example.org but not app.staging.example.org.

Wildcard certificate - Wikipedia
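An added example, not from this thread or from Fly's tooling, of the matching rule described above (one wildcard label covers exactly one subdomain level) that also covers the apex case from the earlier reply. The function names are my own and the SAN list is constructed for illustration.

```python
"""Hostname-vs-certificate-name matching the way browsers do it (RFC 6125 style).

Added example. Hostnames are the ones used in the thread; the SAN lists are
constructed for illustration, not taken from any real certificate.
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single dNSName `pattern` from a cert covers `hostname`.

    Rules applied (what Chrome and Firefox enforce):
      * comparison is case-insensitive and ignores a trailing dot;
      * "*" is only honoured as the entire left-most label ("a*.x.org" is refused);
      * "*" matches exactly one label, never zero and never several, so
        "*.example.org" covers "staging.example.org" but neither the apex
        "example.org" nor "app.staging.example.org";
      * a wildcard needs at least two labels after it ("*.com" is refused).
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" in pattern:
        # Reject partial wildcards, wildcards in inner labels, and
        # wildcards directly under a top-level domain.
        if p[0] != "*" or "*" in p[1:] or len(p) < 3:
            return False
    if len(p) != len(h):
        # "*" stands for exactly one label, so label counts must agree.
        return False
    return all(a == "*" or a == b for a, b in zip(p, h))


def covered_by(san_names: list[str], hostname: str) -> list[str]:
    """Return the SAN entries that would make `hostname` valid under this cert."""
    return [san for san in san_names if hostname_matches(san, hostname)]


if __name__ == "__main__":
    # Constructed SAN list mirroring the thread: the original wildcard plus the
    # two extra names people ended up adding.
    sans = ["*.example.org", "*.staging.example.org", "example.org"]
    for host in ["staging.example.org", "app.staging.example.org",
                 "example.org", "deep.app.staging.example.org"]:
        print(f"{host:30} -> {covered_by(sans, host) or 'NOT COVERED'}")
```

Running it shows deep.app.staging.example.org is still uncovered even with both wildcards, which is the same one-level rule applied once more.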

Thanks @charsleysa, that makes sense and I think I actually ran into this before as well but didn’t think about it.

I have added the other wildcard domain now, e.g. *.staging.example.org, but again unfortunately I am unable to test if it works as removing the certificate from the fly dashboard doesn’t actually remove it from being served by the application/proxy. @sudhir.j this might be a bug worth investigating?