I am planning to create a certificate for the domain *.svc.databaker.io and a web service that will have the DNS name dev.user.svc.databaker.io.

The question is, will the certificate *.svc.databaker.io be valid for dev.user.svc.databaker.io?
Update
Assume I am going to create a certificate for DNS zones as described on https://cert-manager.io/docs/configuration/acme/#dns-zones. For instance,

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    ...
    solvers:
    - dns01:
        cloudflare:
          email: user@example.com
          apiKeySecretRef:
            name: cloudflare-apikey-secret
            key: apikey
      selector:
        dnsZones:
          - 'databaker.io'
```
Will the certificate be valid also for user.dev.svc.databaker.io?
No, wildcards only match one label, see RFC 6125 for details, specifically:
> 2. If the wildcard character is the only character of the left-most label in the presented identifier, the client SHOULD NOT compare against anything but the left-most label of the reference identifier (e.g., *.example.com would match foo.example.com but not bar.foo.example.com or example.com).
Their example of how not to match exactly covers your use case.
A certificate with CN or SAN *.svc.databaker.io will not match dev.user.svc.databaker.io.
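The matching rule the answer quotes, worked through as an added example that is not part of the question or answer: a small RFC 6125 section 6.4.3 style name check, run against the hostnames from the question. The public-suffix guard (`*.io` style wildcards refused) is a common client hardening assumed here, not text from RFC 6125 itself.

```python
"""Added example: does a presented wildcard identifier (certificate CN/SAN)
cover a reference DNS name, per RFC 6125 section 6.4.3?"""


def wildcard_matches(presented: str, reference: str) -> bool:
    """Return True if `presented` (from the certificate) covers `reference`
    (the name the client connected to).

    Rules applied:
      * labels compare case-insensitively, a trailing dot is ignored;
      * '*' is honoured only as the entire left-most label;
      * that '*' consumes exactly one label, never zero and never several,
        so '*.svc.databaker.io' covers 'dev.svc.databaker.io' but not
        'dev.user.svc.databaker.io' and not the bare 'svc.databaker.io'.
    """
    p_labels = presented.lower().rstrip(".").split(".")
    r_labels = reference.lower().rstrip(".").split(".")

    # No wildcard anywhere: plain exact comparison of the label lists.
    if "*" not in presented:
        return p_labels == r_labels

    # Wildcard only as the whole left-most label and nowhere else (rule 1).
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False

    # Assumed client hardening (not in RFC 6125): refuse '*.io'-style
    # wildcards that would cover an entire top-level domain.
    if len(p_labels) < 3:
        return False

    # Rule 2: '*' stands for exactly one label; the remaining labels must
    # match the reference name exactly, so label counts must be equal.
    if len(r_labels) != len(p_labels):
        return False
    return p_labels[1:] == r_labels[1:]


def covered_names(presented: str, candidates):
    """Map each candidate DNS name to whether `presented` covers it."""
    return {name: wildcard_matches(presented, name) for name in candidates}


if __name__ == "__main__":
    cert_name = "*.svc.databaker.io"
    for name, ok in covered_names(cert_name, [
        "dev.svc.databaker.io",       # one label under the wildcard: covered
        "dev.user.svc.databaker.io",  # two labels: not covered
        "svc.databaker.io",           # zero labels: not covered
    ]).items():
        print(f"{cert_name} covers {name}: {ok}")
```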