Wildcard Certificate

From Roaring Penguin
Revision as of 14:09, 1 November 2017 by MCoyne (talk | contribs)


Hosted CanIt offers MX records using this format:

Domain		Preference	MX Host
example.com	10		example-com-mf.canit.ca.
example.com	20		example-com-mg.canit.ca.
example.com	30		example-com-mh.canit.ca.
example.com	40		example-com-mi.canit.ca.

Hosted CanIt's servers have SSL certificates with Subject: CN = *.canit.ca. This is known as a wildcard certificate (or, more properly, a certificate with a wildcard subject name). An important limitation of wildcard certificates is that the wildcard covers only one level of the name: *.canit.ca will match domain.canit.ca but not sub.domain.canit.ca.

MX Record Updates

In the early days of Hosted CanIt, we provided domain names with a dot separator instead of a dash separator as above.

For example, example.com.mf.canit.ca instead of example-com-mf.canit.ca.

As a result, some of our customers may still have their MX records published in the old format rather than the new format. Additionally, the difference may be hard to spot when troubleshooting certificate errors.

Certificate Errors

If the certificate doesn't match, you may see an error like this:

SSL verify error: certificate name mismatch: DN="/CN=*.canit.ca" H="example.com.mf.canit.ca.

... or perhaps even the less explicit SSL verify error: certificate name mismatch without the extra detail.

If you see this error, check the MX records first to ensure you don't have a case of dots versus dashes, as this is a likely cause.

Before contacting Roaring Penguin Technical Support, please check for this. Additionally, if you need to contact support, provide as much relevant detail as you can, including any bouncebacks, error messages from logs as above, or details from a specific email related to the error -- sender, recipient, subject, approximate date and time.
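
The dots-versus-dashes check described above can be scripted. The following is an added example, not Roaring Penguin's own code: it applies the one-level wildcard rule to a list of MX hosts and, for old-format names, proposes the dash form. The function names, the sample MX list, and the dot-to-dash mapping (inferred from the single example on this page) are assumptions.

```python
# Added example: test MX host names against a wildcard certificate subject.

def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot used in MX data."""
    return name.rstrip(".").lower()

def wildcard_matches(pattern, host):
    """True if host matches pattern; '*' stands for exactly one left-most label."""
    p_labels = normalize(pattern).split(".")
    h_labels = normalize(host).split(".")
    if len(p_labels) != len(h_labels):
        return False  # the wildcard never spans more than one level
    if p_labels[0] == "*":
        return h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def suggest_dash_form(host, pattern="*.canit.ca"):
    """Assumption: an old-format name maps to the new format by replacing the
    dots left of the wildcard's parent domain with dashes."""
    p = normalize(pattern)
    if not p.startswith("*."):
        return None
    parent = p[1:]  # e.g. ".canit.ca"
    h = normalize(host)
    if not h.endswith(parent) or h == parent:
        return None  # not under the certificate's domain at all
    return h[: -len(parent)].replace(".", "-") + parent + "."

def check_mx_hosts(mx_hosts, pattern="*.canit.ca"):
    """Return (host, matches, suggested_replacement) for each MX host."""
    results = []
    for host in mx_hosts:
        ok = wildcard_matches(pattern, host)
        results.append((host, ok, None if ok else suggest_dash_form(host, pattern)))
    return results

# Constructed sample: one new-format host, one old-format host, one unrelated.
SAMPLE_MX = [
    "example-com-mf.canit.ca.",
    "example.com.mg.canit.ca.",
    "mail.example.com.",
]

if __name__ == "__main__":
    for host, ok, fix in check_mx_hosts(SAMPLE_MX):
        status = "OK" if ok else "MISMATCH"
        hint = f" -> try {fix}" if fix else ""
        print(f"{status:8} {host}{hint}")
```

Replace SAMPLE_MX with the MX hosts actually published for your domain; any host reported as MISMATCH with a suggested name is a likely case of the old dot format.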