Conversation

@styxit
Contributor

@styxit styxit commented Apr 23, 2025

A wildcard certificate is not valid for the root domain.

The certificate *.example.com is NOT valid for the domain example.com

It would only be valid if it contained an additional SAN to cover the root domain.

According to this RFC, a wildcard certificate does not cover the root domain.
https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3

If the wildcard character is the only character of the left-most label in the presented identifier, the client SHOULD NOT compare against anything but the left-most label of the reference identifier (e.g., *.example.com would match foo.example.com but not bar.foo.example.com or example.com).

Where the last line describes the problem: "*.example.com would match foo.example.com but not bar.foo.example.com or example.com"

The tests have been updated where the certificate that is being used contains a SAN for *.otherdomain.com. The subdomains www.otherdomain.com and another.otherdomain.com are valid, but the root domain otherdomain.com is not.
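
As an added illustration of the RFC 6125 section 6.4.3 rule quoted above (this is not code from the pull request or from the spatie project), a minimal hostname matcher in Python; the SAN list is a constructed stand-in for the test certificate described, which covers spatie.be and *.otherdomain.com:

```python
"""Hostname matching against certificate dNSName entries per RFC 6125 6.4.3.

Added illustration of the wildcard rule; not code from spatie/ssl-certificate.
CERT_SANS below is constructed to mirror the PR's test fixture.
"""
from __future__ import annotations


def _match_one(name: str, hostname: str) -> bool:
    """Return True if a single presented identifier covers `hostname`."""
    name_labels = name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")

    # Without a wildcard the comparison is plain case-insensitive equality.
    if "*" not in name:
        return name_labels == host_labels

    # RFC 6125 6.4.3: only accept a wildcard that is the entire left-most
    # label; "f*.example.com" or "foo.*.com" are rejected outright.
    if name_labels[0] != "*" or any("*" in label for label in name_labels[1:]):
        return False

    # The wildcard stands for exactly one label, so the hostname must have the
    # same number of labels as the presented identifier. This excludes both
    # "bar.foo.example.com" (too many labels) and the root "example.com"
    # (too few) for "*.example.com".
    if len(host_labels) != len(name_labels):
        return False

    # A bare "*" or "*.com" would match far too broadly; require a real domain.
    if len(name_labels) < 3:
        return False

    # Every label after the wildcard must match exactly.
    return host_labels[1:] == name_labels[1:]


def hostname_matches(hostname: str, san_names: list[str]) -> bool:
    """Return True if any subjectAltName dNSName entry covers `hostname`."""
    return any(_match_one(name, hostname) for name in san_names)


# Constructed fixture mirroring the PR's test certificate.
CERT_SANS = ["spatie.be", "*.otherdomain.com"]

if __name__ == "__main__":
    for host in ["spatie.be", "www.otherdomain.com",
                 "another.otherdomain.com", "otherdomain.com"]:
        print(f"{host:28} -> {hostname_matches(host, CERT_SANS)}")
```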


@freekmurze
Member

freekmurze commented Apr 24, 2025

Thanks!

@mattiasgeniar could you review this one?

@mattiasgeniar
Contributor

Nice catch @styxit, you're right!

The test is also good, since the certificate loaded in the test covers "spatie.be" as well as "*.otherdomain.com" in the subjectAltName, it's correctly validating the fact that the root domain is not covered by that certificate.

Seems good to merge @freekmurze.

@freekmurze
Member

Thanks!

@freekmurze freekmurze merged commit b51f1e4 into spatie:main Apr 25, 2025
12 checks passed
@styxit styxit deleted the wildcard-does-not-cover-root-domain branch April 29, 2025 07:00