Changes to HTTP Approval and Automatically-Added Hostname

This change affects users of HTTP approval using SSLMate Basic. It does not affect SSLMate for SaaS users or those using email and DNS approval.

Background

When you order a certificate for a single hostname, SSLMate automatically adds a second hostname to the certificate so that the same certificate can be used with both the "bare" domain and the www subdomain.

For example:

| If you order: | SSLMate automatically adds: |
| --- | --- |
| example.com | www.example.com |
| www.example.com | example.com |
| sub.example.com | www.sub.example.com |

What's Changing

Previously, the reverse proxy rules for HTTP approval only needed to be configured on the shorter of the two hostnames (the one without the www. prefix). This was sufficient for validating the longer hostname (the one with the www. prefix) as well.

Going forward, the reverse proxy rules must be configured on both hostnames. This is required to comply with new industry security regulations set by the CA/Browser Forum.

For example:

| Main hostname | Automatically-added hostname | Hostname(s) that must be validated (previously) | Hostname(s) that must be validated (now) |
| --- | --- | --- | --- |
| example.com | www.example.com | example.com | example.com AND www.example.com |
| www.example.com | example.com | example.com | example.com AND www.example.com |
| sub.example.com | www.sub.example.com | sub.example.com | sub.example.com AND www.sub.example.com |

What You Need To Do

If you need your certificate to secure both hostnames:

You must ensure that the reverse proxy rules for HTTP approval are configured on both hostnames. You can use the testing tool to make sure HTTP approval is correctly configured. You will not be able to buy, reissue, or renew certificates using HTTP approval unless the reverse proxy rules are correctly configured on both hostnames.

If you don't need your certificate to secure the second hostname:

For example, if you are an e-commerce SaaS provider and you order certificates for subdomains like shop.yourcustomerdomain.example, you don't need your certificates to secure www.shop.yourcustomerdomain.example.

When you order a new certificate, you must tell SSLMate not to add the second hostname automatically, as described below.

Before you can renew or reissue an existing certificate, you must tell SSLMate to remove the automatically-added hostname. You can follow the instructions below to do this yourself, or ask us to update all of your certificates for you.

Using SSLMate CLI 1.8.0 or higher:

When buying a new certificate, specify the --no-auto-san option, like this:

sslmate buy --no-auto-san shop.yourcustomerdomain.example

To update an existing certificate, run the sslmate edit command with --rm-name to remove the unwanted second hostname, like this:

sslmate edit shop.yourcustomerdomain.example --rm-name www.shop.yourcustomerdomain.example

Using SSLMate CLI older than 1.8.0:

When buying a new certificate, specify the --multi option, like this:

sslmate buy --multi shop.yourcustomerdomain.example

To update an existing certificate, run the sslmate edit command with --multi like this:

sslmate edit shop.yourcustomerdomain.example --multi

Using the REST API:

When creating a certificate, set the sans field to [] in the request body.

To update an existing certificate, make a certificate update request with the sans field set to [] in the request body.
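
The steps above can be planned across a whole set of certificates before anything is changed. The following is an added example, not SSLMate's own code: it assumes a hypothetical inventory format (one "NAME STATE WANT" line per certificate) and SSLMate CLI 1.8.0 or higher, and it only prints the hostnames that need reverse proxy rules and the commands from this page to run.

```shell
#!/bin/sh
# Added example, not SSLMate code: plan the HTTP approval change for an
# inventory of certificates. It only prints actions; it never runs sslmate.

# shorter_name NAME: the hostname of the pair without the "www." prefix.
shorter_name() {
    case "$1" in
        www.*) printf '%s\n' "${1#www.}" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# auto_san NAME: the hostname SSLMate adds automatically for NAME.
auto_san() {
    case "$1" in
        www.*) printf '%s\n' "${1#www.}" ;;
        *)     printf 'www.%s\n' "$1" ;;
    esac
}

# plan: read "NAME STATE WANT" lines on stdin (assumed inventory format;
# STATE is new|existing, WANT is both|single) and print one action per line.
plan() {
    while read -r name state want; do
        case "$name" in ''|'#'*) continue ;; esac
        if [ "$want" = both ]; then
            short=$(shorter_name "$name")
            echo "proxy-rules $short (already required)"
            echo "proxy-rules www.$short (newly required)"
        elif [ "$state" = new ]; then
            echo "run: sslmate buy --no-auto-san $name"
        else
            echo "run: sslmate edit $name --rm-name $(auto_san "$name")"
        fi
    done
}

# Constructed sample inventory (hostnames are the placeholders used on this page).
sample_inventory() {
    cat <<'EOF'
example.com existing both
www.example.com existing both
shop.yourcustomerdomain.example new single
shop.yourcustomerdomain.example existing single
EOF
}

sample_inventory | plan
```

Each "proxy-rules" line names a hostname on which the reverse proxy rules for HTTP approval must be configured; the "newly required" ones are those that did not need the rules before this change.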

Temporary Exception for Existing Accounts

If your account has existing certificates that would be affected by this change, you have a temporary exception to this change until 2021-10-01 00:00 UTC to give you time to adapt your issuance procedures.

Getting Help

If you need any help or advice, please get in touch.