Changes to HTTP Approval and Automatically-Added Hostname
This change affects users of HTTP approval using SSLMate Basic. It does not affect SSLMate for SaaS users or those using email and DNS approval.
Background
When you order a certificate for a single hostname, SSLMate automatically adds an additional hostname to the certificate so that the same certificate can be used with both the "bare" domain and the www subdomain.
For example:
If you order: | SSLMate automatically adds:
---|---
example.com | www.example.com
www.example.com | example.com
sub.example.com | www.sub.example.com
What's Changing
Previously, the reverse proxy rules for HTTP approval only needed to be configured on the shorter of the two hostnames (the one without the www. prefix). This was sufficient for validating the longer hostname (the one with the www. prefix) as well.
Moving forward, the reverse proxy rules must be configured on both hostnames. This is required to comply with new industry security regulations set by the CA/Browser Forum.
For example:
Main hostname: | Automatically-added hostname: | Hostname(s) that had to be validated previously: | Hostname(s) that must be validated now:
---|---|---|---
example.com | www.example.com | example.com | example.com AND www.example.com
www.example.com | example.com | example.com | example.com AND www.example.com
sub.example.com | www.sub.example.com | sub.example.com | sub.example.com AND www.sub.example.com
What You Need To Do
If you need your certificate to secure both hostnames:
You must ensure that the reverse proxy rules for HTTP approval are configured on both hostnames. You can use the testing tool to make sure HTTP approval is correctly configured. You will not be able to buy, reissue, or renew certificates using HTTP approval unless the reverse proxy rules are correctly configured on both hostnames.
If you don't need your certificate to secure the second hostname:
For example, if you are an e-commerce SaaS provider and you order certificates for subdomains like shop.yourcustomerdomain.example, you don't need your certificates to secure www.shop.yourcustomerdomain.example.
When you order a new certificate, you must tell SSLMate not to add the second hostname automatically, as described below.
Before you can renew or reissue an existing certificate, you must tell SSLMate to remove the automatically-added hostname. You can follow the instructions below to do this yourself, or ask us to update all of your certificates for you.
Using SSLMate CLI 1.8.0 or higher:
When buying a new certificate, specify the --no-auto-san option, like this:
sslmate buy --no-auto-san shop.yourcustomerdomain.example
To update an existing certificate, run the sslmate edit command with --rm-name to remove the unwanted second hostname, like this:
sslmate edit shop.yourcustomerdomain.example --rm-name www.shop.yourcustomerdomain.example
Using SSLMate CLI older than 1.8.0:
When buying a new certificate, specify the --multi option, like this:
sslmate buy --multi shop.yourcustomerdomain.example
To update an existing certificate, run the sslmate edit command with --multi, like this:
sslmate edit shop.yourcustomerdomain.example --multi
Using the REST API:
When creating a certificate, set the sans field to [] in the request body.
To update an existing certificate, make a certificate update request with the sans field set to [] in the request body.
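As an added illustration (not SSLMate's own code), the following Python helper applies the rules from this page to a constructed certificate inventory: it derives the automatically-added hostname, lists the hostnames the HTTP approval reverse proxy rules must now cover, and, for certificates that do not need the second hostname, produces the sslmate edit --rm-name command described above. The inventory entries are made up for the example.

```python
# Added example, not SSLMate's own code: apply this page's hostname rules to a
# constructed certificate inventory and report what each certificate needs
# before its next purchase, renewal or reissue under the new validation rules.

def normalize(hostname: str) -> str:
    return hostname.strip().lower().rstrip(".")

def auto_added_hostname(hostname: str) -> str:
    """Hostname SSLMate adds for a single-hostname order (www. added or removed)."""
    h = normalize(hostname)
    return h[4:] if h.startswith("www.") else "www." + h

def hostnames_to_validate(hostname: str, keep_auto_san: bool = True) -> list:
    """Hostnames on which the HTTP approval reverse proxy rules must now be configured."""
    h = normalize(hostname)
    return [h, auto_added_hostname(h)] if keep_auto_san else [h]

def plan_for_certificate(main: str, sans: list, secure_both: bool) -> dict:
    """Decide what an existing certificate needs: proxy rules on both names,
    or removal of the unwanted automatically-added name via sslmate edit --rm-name."""
    main = normalize(main)
    extra = auto_added_hostname(main)
    has_auto_san = extra in {normalize(s) for s in sans}
    if not has_auto_san:
        # Ordered without the automatic second hostname: only the main name is validated.
        return {"main": main, "validate": [main], "action": "none"}
    if secure_both:
        return {"main": main, "validate": hostnames_to_validate(main),
                "action": "configure proxy rules on both"}
    return {"main": main, "validate": [main],
            "action": f"sslmate edit {main} --rm-name {extra}"}

# Constructed inventory: (main hostname, SANs as recorded, whether both names are needed)
INVENTORY = [
    ("example.com", ["www.example.com"], True),
    ("www.example.com", ["example.com"], True),
    ("shop.yourcustomerdomain.example", ["www.shop.yourcustomerdomain.example"], False),
    ("api.example.com", [], True),  # bought with --no-auto-san: nothing to change
]

def audit(inventory=INVENTORY) -> list:
    return [plan_for_certificate(m, s, b) for m, s, b in inventory]

if __name__ == "__main__":
    for plan in audit():
        print(f"{plan['main']}: validate {plan['validate']} -> {plan['action']}")
```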
Temporary Exception for Existing Accounts
If your account has existing certificates that would be affected by this change, you have a temporary exception to this change until 2021-11-01 00:00 UTC to give you time to adapt your issuance procedures.
Getting Help
If you need any help or advice, please get in touch.