SSL on subdomains are only wildcard, why?

I moved a new domain (transport-nantes.com) to cloudflare yesterday. Www works fine, www.beta does not. Reading here, I understand this is because cloudflare generates a single *.transport-nantes.com certificate. I confirm this:

host=www.transport-nantes.com
openssl s_client -servername "$host" -connect "$host":443 < /dev/null 2> /dev/null | openssl x509 -noout -text

I suppose this is easier, but why is this a good idea? SSL certificate generation has near-zero marginal cost and generating wildcard certificates only increases risk in case of certificate theft, no?

In addition, the strategy means that my subdomain broke, which was unexpected and wasn’t signaled on the DNS transfer dashboard.

Could this be related to CNAME flattening? Or am I way off?

@trichstir - Maybe, but I don’t follow how.

The case in point was www.beta.transport-nantes.com (currently not being cached by cloudflare to avoid SSL issues). We could just rename that host, it’s clearly for internal more than external use. The underlying host lives in another domain.

We set this host in cloudflare as a CNAME called www.beta pointing to beta.transport-nantes.com (which is an A record, which points to the underlying host nantes-4.p27.eu, which has rDNS back to nantes-4.p27.eu).

So maybe the right thing to do (if we wanted to preserve the name www.beta.transport-nantes.com) was to make a new domain called beta.transport-nantes.com and in that domain make a record for @ and www. Other DNS providers have gotten us in the habit of lazily creating the name www.beta for things like this.

As I said, the easiest thing for us to do is probably just to rename this one host. But I’m still curious (1) what we should have done and (2) why wildcard certificates are still a good idea in an age where certificates bear the cost of calculating their pub/priv key pair and that’s about it.

This is highly unlikely to happen, or be successful.

  1. Cloudflare would have to let the private key slip out.
  2. It also requires DNS to be hacked.
  3. In either of those cases, the attacker doesn’t need wildcard. They could spoof any of the explicit names as well.

The problem you’re facing is this:

2 Likes