Question: why doesn't my wildcard matching work with OpenSSL?

Viktor Dukhovni openssl-users at
Mon Jun 10 19:14:59 UTC 2019

> On Jun 10, 2019, at 2:39 PM, Paul Smith <paul at> wrote:
> On Mon, 2019-06-10 at 14:23 -0400, Viktor Dukhovni wrote:
>>> $ openssl s_client -connect admin0.domain:8004 \
>>>     -CAfile ca.cert -verify_hostname admin0.domain
>>> ---
>>>     Verify return code: 62 (Hostname mismatch)
>> It seems that you've elided too much information.  Is the hostname
>> really "admin0.domain", or is there some underlying domain name
>> that you've obfuscated?
> I tried not to elide anything other than a lot of keys and stuff. 
> Maybe that info isn't output?
> That is actually the hostname (I have this running in a Docker
> container to get the hostname set up without a lot of hassle).

As a safety measure, OpenSSL does not support "*.tld" wildcards.
The non-wildcard portion of the domain name needs to have at
least two labels.  It seems I've neglected to document this... :-(

You can have "*.domain.example", but not "*.domain".


More information about the openssl-users mailing list