My recent infrastructure had the following setup: example.com. blog.example.com, dev.example.com, etc. *.example.com as its entry. Everything worked as expected, until I was required to add another domain, e.g. abc.dev.example.com. SSL doesn't work on this newly created subdomain.
My previous experience suggests creating a new certificate for this new subdomain; it has worked for me earlier as well. But it doesn't seem to be a best practice. Can I refresh/update my current certificate to accommodate the new subdomain?
This is because a wildcard SSL cert can only support one subdomain level. From the docs:
When you request a wild card certificate, the asterisk (*) must be in the leftmost position of the domain name and can protect only one subdomain level. For example, *.example.com can protect login.example.com, and test.example.com, but it cannot protect test.login.example.com.
So in your case you need a new certificate for *.dev.example.com.
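The one-label rule quoted above can be checked before deployment. The following is an added example, not part of the original answer: the function names are hypothetical, and the certificate names and hostnames are constructed from the ones in the question.

```python
# Added example: leftmost-label wildcard matching as described in the quoted docs.
# san_matches/uncovered are illustrative names, not part of any library.

def _labels(name: str) -> list:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def san_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (exact, or '*.' wildcard) covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        # '*' stands for exactly one label, so the label counts must be equal.
        return False
    if p[0] == "*":
        # Simplified guard (assumption): refuse very broad names such as '*.com'.
        # Every label to the right of the wildcard must match exactly.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def uncovered(cert_names, hostnames) -> dict:
    """Map each hostname no certificate name covers to a wildcard that would."""
    missing = {}
    for host in hostnames:
        if any(san_matches(name, host) for name in cert_names):
            continue
        parent = ".".join(_labels(host)[1:])
        missing[host] = "*." + parent if parent else host
    return missing


if __name__ == "__main__":
    # Constructed sample: names on the existing certificate and hosts to serve.
    cert_names = ["example.com", "*.example.com"]
    hosts = ["example.com", "blog.example.com",
             "dev.example.com", "abc.dev.example.com"]
    for host, needed in uncovered(cert_names, hosts).items():
        print(f"{host}: not covered; a certificate needs {needed} or the exact name")
```

Run against the question's setup, only abc.dev.example.com is reported, with *.dev.example.com as the name that would cover it.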