Difference between revisions of "Wildcard Certificate"
(Create page with details about wildcard certificates like *.canit.ca)
Revision as of 14:06, 1 November 2017
Hosted CanIt offers MX records using this format:
Domain       Preference  MX Host
example.com  10          example-com-mf.canit.ca.
example.com  20          example-com-mg.canit.ca.
example.com  30          example-com-mh.canit.ca.
example.com  40          example-com-mi.canit.ca.
Hosted CanIt's servers have SSL certificates with Subject: CN = *.canit.ca. This is known as a wildcard certificate (or, more properly, a certificate with a wildcard subject name). An important limitation of wildcard certificates is that the wildcard applies to only one level of the domain name.
*.canit.ca will match
domain.canit.ca but not
MX Record Updates
In the early days of Hosted CanIt, we provided domain names with a dot separator instead of the dash separator shown above.
example.com.mf.canit.ca instead of
As a result, some of our customers may still have their MX records published in the old format rather than the new format. Additionally, the difference may be hard to spot when troubleshooting certificate errors.
If the certificate doesn't match, you may see an error like this:
SSL verify error: certificate name mismatch: DN="/CN=*.canit.ca" H="example.com.mf.canit.ca.
... or perhaps even the less explicit
SSL verify error: certificate name mismatch
without the extra detail.
If you see this error, check the MX records first to ensure you don't have a case of dots versus dashes, as this is a likely cause.
Before contacting Roaring Penguin Technical Support, please check for this. Additionally, if you need to contact support, provide as much relevant detail as you can, including any bouncebacks, error messages from logs as above, or details from a specific email related to the error -- sender, recipient, subject, approximate date and time.
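The dots-versus-dashes check described above can be scripted. The following is an added example, not Roaring Penguin's own code: it uses a simplified matcher in which a leading `*` covers exactly one label, the MX list is constructed sample data rather than a live DNS lookup, and the function names are hypothetical.

```python
# Added example. MX data below is constructed for illustration, not a live lookup.
CERT_NAME = "*.canit.ca"          # subject name quoted on this page

SAMPLE_MX = [                      # constructed: one new-format, one old-format host
    (10, "example-com-mf.canit.ca."),
    (20, "example.com.mg.canit.ca."),
]

def _labels(name):
    """Lower-case a DNS name, drop the trailing root dot, split into labels."""
    return name.lower().rstrip(".").split(".")

def wildcard_matches(pattern, host):
    """True if host matches pattern, where a leading '*' covers exactly one label."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h) or "" in h:
        return False               # different depth: the wildcard never spans dots
    return p[1:] == h[1:] and (p[0] == "*" or p[0] == h[0])

def suggest_dash_form(host, cert_name=CERT_NAME):
    """For a too-deep host under the wildcard's parent, return the dash-separated form."""
    parent, labels = _labels(cert_name)[1:], _labels(host)
    extra = len(labels) - len(parent)
    if extra > 1 and labels[extra:] == parent:
        return "-".join(labels[:extra]) + "." + ".".join(parent) + "."
    return None

def audit_mx(records, cert_name=CERT_NAME):
    """Return (preference, host, matches_cert, suggested_host) for each MX record."""
    return [(pref, host, wildcard_matches(cert_name, host),
             suggest_dash_form(host, cert_name))
            for pref, host in records]

if __name__ == "__main__":
    for pref, host, ok, fix in audit_mx(SAMPLE_MX):
        status = "OK" if ok else "MISMATCH"
        hint = f" -> publish {fix}" if fix and not ok else ""
        print(f"{pref:>3} {host:<28} {status}{hint}")
```

To audit a real domain, replace `SAMPLE_MX` with the preference and host pairs returned by an MX lookup for that domain.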