
wildcard subdomains for home.arpa considered invalid by Chrome


I have created a new self-signed server cert as the old one expired. To my surprise, the wildcard domain name is rejected by Google Chrome with an error "NET::ERR_CERT_COMMON_NAME_INVALID" but the same certificate works with IP. Please help me out.

Failed domains include gateway.home.arpa, webmin.home.arpa, and so on.

Working IPs: 10.27.0.50, 10.27.0.40.

Here is the content of the certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            36:30:b2:02:2c:13:c5:7f:1a:98:31:23:73:58:b2:a3:ed:47:d1:e7
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: C=GB, ST=[Redacted], L=[Redacted], O=[Redacted], OU=[Redacted], CN=[Redacted]
        Validity
            Not Before: Mar 13 21:56:31 2025 GMT
            Not After : Apr 15 21:56:31 2026 GMT
        Subject: C=[Redacted], ST=[Redacted], L=[Redacted], O=[Redacted], CN=.home.arpa
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    [Redacted]
                Exponent: [Redacted]
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                [Redacted]
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Subject Alternative Name: 
                DNS:home.arpa, DNS:*.home.arpa, IP Address:10.27.0.1, IP Address:10.27.0.2, IP Address:10.27.0.3, IP Address:10.27.0.4, IP Address:10.27.0.5, IP Address:10.27.0.6, IP Address:10.27.0.7, IP Address:10.27.0.8, IP Address:10.27.0.9, IP Address:10.27.0.10, IP Address:10.27.0.11, IP Address:10.27.0.12, IP Address:10.27.0.13, IP Address:10.27.0.14, IP Address:10.27.0.15, IP Address:10.27.0.16, IP Address:10.27.0.17, IP Address:10.27.0.18, IP Address:10.27.0.19, IP Address:10.27.0.20, IP Address:10.27.0.21, IP Address:10.27.0.22, IP Address:10.27.0.23, IP Address:10.27.0.24, IP Address:10.27.0.25, IP Address:10.27.0.26, IP Address:10.27.0.27, IP Address:10.27.0.28, IP Address:10.27.0.29, IP Address:10.27.0.30, IP Address:10.27.0.31, IP Address:10.27.0.32, IP Address:10.27.0.33, IP Address:10.27.0.34, IP Address:10.27.0.35, IP Address:10.27.0.36, IP Address:10.27.0.37, IP Address:10.27.0.38, IP Address:10.27.0.39, IP Address:10.27.0.40, IP Address:10.27.0.41, IP Address:10.27.0.42, IP Address:10.27.0.43, IP Address:10.27.0.44, IP Address:10.27.0.45, IP Address:10.27.0.46, IP Address:10.27.0.47, IP Address:10.27.0.48, IP Address:10.27.0.49, IP Address:10.27.0.50, IP Address:10.27.0.51, IP Address:10.27.0.52, IP Address:10.27.0.53, IP Address:10.27.0.54, IP Address:10.27.0.55, IP Address:10.27.0.56, IP Address:10.27.0.57, IP Address:10.27.0.58, IP Address:10.27.0.59, IP Address:10.27.0.60, IP Address:10.27.0.61, IP Address:10.27.0.62, IP Address:10.27.0.63, IP Address:10.27.0.64, IP Address:10.27.0.65, IP Address:10.27.0.66, IP Address:10.27.0.67, IP Address:10.27.0.68, IP Address:10.27.0.69, IP Address:10.27.0.70, IP Address:10.27.0.71, IP Address:10.27.0.72, IP Address:10.27.0.73, IP Address:10.27.0.74, IP Address:10.27.0.75, IP Address:10.27.0.76, IP Address:10.27.0.77, IP Address:10.27.0.78, IP Address:10.27.0.79, IP Address:10.27.0.80, IP Address:10.27.0.81, IP Address:10.27.0.82, IP Address:10.27.0.83, IP Address:10.27.0.84, IP Address:10.27.0.85, IP 
Address:10.27.0.86, IP Address:10.27.0.87, IP Address:10.27.0.88, IP Address:10.27.0.89, IP Address:10.27.0.90, IP Address:10.27.0.91, IP Address:10.27.0.92, IP Address:10.27.0.93, IP Address:10.27.0.94, IP Address:10.27.0.95, IP Address:10.27.0.96, IP Address:10.27.0.97, IP Address:10.27.0.98, IP Address:10.27.0.99, IP Address:10.27.0.100, IP Address:10.27.0.101, IP Address:10.27.0.102, IP Address:10.27.0.103, IP Address:10.27.0.104, IP Address:10.27.0.105, IP Address:10.27.0.106, IP Address:10.27.0.107, IP Address:10.27.0.108, IP Address:10.27.0.109, IP Address:10.27.0.110, IP Address:10.27.0.111, IP Address:10.27.0.112, IP Address:10.27.0.113, IP Address:10.27.0.114, IP Address:10.27.0.115, IP Address:10.27.0.116, IP Address:10.27.0.117, IP Address:10.27.0.118, IP Address:10.27.0.119, IP Address:10.27.0.120, IP Address:10.27.0.121, IP Address:10.27.0.122, IP Address:10.27.0.123, IP Address:10.27.0.124, IP Address:10.27.0.125, IP Address:10.27.0.126, IP Address:10.27.0.127, IP Address:10.27.0.128, IP Address:10.27.0.129, IP Address:10.27.0.130, IP Address:10.27.0.131, IP Address:10.27.0.132, IP Address:10.27.0.133, IP Address:10.27.0.134, IP Address:10.27.0.135, IP Address:10.27.0.136, IP Address:10.27.0.137, IP Address:10.27.0.138, IP Address:10.27.0.139, IP Address:10.27.0.140, IP Address:10.27.0.141, IP Address:10.27.0.142, IP Address:10.27.0.143, IP Address:10.27.0.144, IP Address:10.27.0.145, IP Address:10.27.0.146, IP Address:10.27.0.147, IP Address:10.27.0.148, IP Address:10.27.0.149, IP Address:10.27.0.150, IP Address:10.27.0.151, IP Address:10.27.0.152, IP Address:10.27.0.153, IP Address:10.27.0.154, IP Address:10.27.0.155, IP Address:10.27.0.156, IP Address:10.27.0.157, IP Address:10.27.0.158, IP Address:10.27.0.159, IP Address:10.27.0.160, IP Address:10.27.0.161, IP Address:10.27.0.162, IP Address:10.27.0.163, IP Address:10.27.0.164, IP Address:10.27.0.165, IP Address:10.27.0.166, IP Address:10.27.0.167, IP Address:10.27.0.168, IP Address:10.27.0.169, 
IP Address:10.27.0.170, IP Address:10.27.0.171, IP Address:10.27.0.172, IP Address:10.27.0.173, IP Address:10.27.0.174, IP Address:10.27.0.175, IP Address:10.27.0.176, IP Address:10.27.0.177, IP Address:10.27.0.178, IP Address:10.27.0.179, IP Address:10.27.0.180, IP Address:10.27.0.181, IP Address:10.27.0.182, IP Address:10.27.0.183, IP Address:10.27.0.184, IP Address:10.27.0.185, IP Address:10.27.0.186, IP Address:10.27.0.187, IP Address:10.27.0.188, IP Address:10.27.0.189, IP Address:10.27.0.190, IP Address:10.27.0.191, IP Address:10.27.0.192, IP Address:10.27.0.193, IP Address:10.27.0.194, IP Address:10.27.0.195, IP Address:10.27.0.196, IP Address:10.27.0.197, IP Address:10.27.0.198, IP Address:10.27.0.199, IP Address:10.27.0.200, IP Address:10.27.0.201, IP Address:10.27.0.202, IP Address:10.27.0.203, IP Address:10.27.0.204, IP Address:10.27.0.205, IP Address:10.27.0.206, IP Address:10.27.0.207, IP Address:10.27.0.208, IP Address:10.27.0.209, IP Address:10.27.0.210, IP Address:10.27.0.211, IP Address:10.27.0.212, IP Address:10.27.0.213, IP Address:10.27.0.214, IP Address:10.27.0.215, IP Address:10.27.0.216, IP Address:10.27.0.217, IP Address:10.27.0.218, IP Address:10.27.0.219, IP Address:10.27.0.220, IP Address:10.27.0.221, IP Address:10.27.0.222, IP Address:10.27.0.223, IP Address:10.27.0.224, IP Address:10.27.0.225, IP Address:10.27.0.226, IP Address:10.27.0.227, IP Address:10.27.0.228, IP Address:10.27.0.229, IP Address:10.27.0.230, IP Address:10.27.0.231, IP Address:10.27.0.232, IP Address:10.27.0.233, IP Address:10.27.0.234, IP Address:10.27.0.235, IP Address:10.27.0.236, IP Address:10.27.0.237, IP Address:10.27.0.238, IP Address:10.27.0.239, IP Address:10.27.0.240, IP Address:10.27.0.241, IP Address:10.27.0.242, IP Address:10.27.0.243, IP Address:10.27.0.244, IP Address:10.27.0.245, IP Address:10.27.0.246, IP Address:10.27.0.247, IP Address:10.27.0.248, IP Address:10.27.0.249, IP Address:10.27.0.250, IP Address:10.27.0.251, IP Address:10.27.0.252, IP 
Address:10.27.0.253, IP Address:10.27.0.254
            X509v3 Subject Key Identifier: 
                [Redacted]
    Signature Algorithm: sha512WithRSAEncryption
    Signature Value:
        [Redacted]
-----BEGIN CERTIFICATE-----
[Redacted]
-----END CERTIFICATE-----

Solution

  • home.arpa is specifically mentioned in the Public Suffix List, which means it should be treated like a top-level domain and cannot be directly used. This is similar to co.uk and others. .home.arpa works similarly to the .home TLD and is intended as its replacement - see RFC 8375. This means that you can have your own domain only below .home.arpa and only have wildcards below your domain - like foo.home.arpa and *.foo.home.arpa. And only these can be SANs of the certificate, not home.arpa and *.home.arpa directly.
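To make the rule concrete, here is an added example (not code from the question or the answer) that models the browser-side hostname check: a wildcard SAN whose base is a public suffix never matches, while a wildcard one level below the registered name matches exactly one label. The PUBLIC_SUFFIXES set is a constructed subset for illustration, not the real Public Suffix List.

```python
# Added example: minimal model of a browser's DNS-SAN hostname check,
# after RFC 6125 and the public-suffix wildcard policy described above.
# PUBLIC_SUFFIXES is a constructed subset of the Public Suffix List;
# the "home.arpa" entry is the one the answer relies on.
PUBLIC_SUFFIXES = {"arpa", "home.arpa", "uk", "co.uk", "com"}


def is_public_suffix(domain: str) -> bool:
    return domain.lower().rstrip(".") in PUBLIC_SUFFIXES


def san_matches(san: str, host: str) -> bool:
    """Return True if one DNS SAN entry covers host.

    Rules modelled:
      * a non-wildcard entry must equal the host (case-insensitive);
      * a wildcard must be the entire leftmost label ("*.base");
      * it matches exactly one label, never zero or several;
      * base must not itself be a public suffix, so "*.home.arpa" and
        "*.co.uk" match nothing while "*.foo.home.arpa" is fine.
    """
    san = san.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    base = san[2:]
    if not base or "*" in base or is_public_suffix(base):
        return False  # wildcard over a public suffix is rejected outright
    labels = host.split(".")
    one_label_deeper = len(labels) == base.count(".") + 2 and labels[0] != ""
    return one_label_deeper and host.endswith("." + base)


def cert_covers(san_entries, host: str) -> bool:
    """True if any DNS SAN in the certificate covers host."""
    return any(san_matches(s, host) for s in san_entries)


# Constructed SAN lists: the question's certificate vs. the answer's fix.
BAD_SANS = ["home.arpa", "*.home.arpa"]
GOOD_SANS = ["foo.home.arpa", "*.foo.home.arpa"]

if __name__ == "__main__":
    for sans in (BAD_SANS, GOOD_SANS):
        for host in ("gateway.home.arpa", "gateway.foo.home.arpa"):
            print(f"{sans} covers {host}: {cert_covers(sans, host)}")
```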