Losant Experience with Custom Domain SSL Certs - wildcard support?

Hi,
I have generated an SSL cert for an Experience custom domain using a LetsEncrypt wildcard cert to test with that works elsewhere, but get the error “failed to update experience domain! The certificate does not match the domain” when pasting in the private key (your “SSL key” value), the public key (your “SSL Certificate” value), and the Intermediate CA chain (your “SSL Bundle” value). I am using the contents of the cert .pem files issued from the LetsEncrypt CA. The Domain FQDN name I am trying to use is “app-1.100011.[company domain name]”, and the wildcard cert was generated for “*.[company domain name]”.

Does Losant Experience app custom domain names support a wildcard SSL cert? If so, is it just for a single sub-domain, or any number of sub-domains?

It’s very unclear in the documentation here - https://docs.losant.com/experiences/domains/#securing-your-domain

Thanks,
Andrew.

Just to add to this, I changed the custom domain to “app-1-100011.[company domain name]”, and now get a different error message stating “Bundle does not match the certificate.” However, I can use the same LetsEncrypt pem files to create a valid Google GCP https Load Balancer certificate using the root and intermediate CA certs generated by LetsEncrypt.

Hey @Andrew_Leckie1,

Debugging SSL certificates is always a fun challenge. I can’t say for certain why yours isn’t being accepted, but I can describe the process I recently used for my own LetsEncrypt wildcard cert.

  1. Use the certbot Docker image to generate the certificate locally.
docker run -it --rm --name certbot \
  -v "/path/to/local/folder:/etc/letsencrypt" \
  -v "/path/to/local/folder:/var/lib/letsencrypt" \
  certbot/certbot certonly --manual --preferred-challenges dns

Follow the prompts and add the required TXT DNS entry that’s provided for verification.

This results in a local folder named live created inside /path/to/local/folder. It contains the key and certificate files. The important files are privkey.pem and fullchain.pem.

  2. Copy/paste the contents of privkey.pem into Losant’s SSL Key field.
  3. Copy/paste the contents of fullchain.pem into Losant’s SSL Certificate field.
  4. Leave the SSL Bundle field blank. Since the fullchain.pem contains all required certificates, there’s no need to separate them into the two different fields.

This process has been done successfully a few times here at Losant.

In terms of your specific error: “Bundle does not match the certificate”. That would imply whatever is pasted into the SSL Bundle field does not match the certificate. One possibility is that you pasted the contents of fullchain.pem as the bundle. Since that file also contains the issued certificate, that would likely cause issues.
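As an added illustration of the two mistakes discussed in this thread (this is not Losant's code and Losant's real validation is not public), the script below checks pasted values before they go into the three fields. It assumes the field semantics Brandon describes: SSL Key holds one private key, SSL Certificate holds the issued certificate optionally followed by its chain, and SSL Bundle, if used, holds intermediates only. It also shows why the original domain `app-1.100011.[company domain name]` cannot be covered by `*.[company domain name]`: a wildcard matches exactly one DNS label, so two labels in front of the domain fail, while `app-1-100011.[company domain name]` succeeds. The PEM bodies are constructed dummies; no signatures are verified.

```python
"""Pre-paste sanity checks for Losant's SSL Key / SSL Certificate / SSL Bundle fields.

Added example, not Losant's code. Assumed field semantics (from the thread):
  SSL Key         -> exactly one PEM private key
  SSL Certificate -> the issued (leaf) certificate, optionally followed by the chain
  SSL Bundle      -> intermediates only, never the leaf itself
Pure Python: checks PEM layout and hostname matching only, not signatures.
"""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block found in text.

    Raises ValueError when a body is not valid base64, which is where a
    truncated or mangled paste shows up first.
    """
    out = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except Exception as exc:
            raise ValueError(f"{label} block is not valid base64: {exc}")
        out.append((label, der))
    return out


def check_fields(ssl_key, ssl_cert, ssl_bundle=""):
    """Return a list of problems with the three pasted values (empty means OK)."""
    problems = []
    keys = pem_blocks(ssl_key)
    if len(keys) != 1 or "PRIVATE KEY" not in keys[0][0]:
        problems.append("SSL Key must contain exactly one PRIVATE KEY block")
    certs = pem_blocks(ssl_cert)
    if not certs or certs[0][0] != "CERTIFICATE":
        problems.append("SSL Certificate must start with a CERTIFICATE block")
        return problems
    leaf = certs[0][1]
    bundle = pem_blocks(ssl_bundle) if ssl_bundle.strip() else []
    if any(der == leaf for _, der in bundle):
        # Brandon's suspected cause: fullchain.pem pasted as the bundle.
        problems.append("SSL Bundle contains the leaf certificate; "
                        "fullchain.pem was probably pasted into the bundle field")
    if bundle and len(certs) > 1:
        problems.append("chain supplied twice: in SSL Certificate and in SSL Bundle")
    return problems


def hostname_matches(pattern, hostname):
    """RFC 6125 style matching: a leading '*' covers exactly one non-empty label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (len(p_labels) == len(h_labels)
            and bool(h_labels[0])
            and p_labels[1:] == h_labels[1:])


def _fake_pem(label, payload):
    """Constructed PEM block with a dummy body, for this demo only."""
    body = base64.b64encode(payload).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample values standing in for privkey.pem / cert.pem / chain.pem.
SAMPLE_KEY = _fake_pem("PRIVATE KEY", b"dummy-key")
SAMPLE_LEAF = _fake_pem("CERTIFICATE", b"dummy-leaf")
SAMPLE_INTER = _fake_pem("CERTIFICATE", b"dummy-intermediate")
SAMPLE_FULLCHAIN = SAMPLE_LEAF + SAMPLE_INTER

if __name__ == "__main__":
    print(check_fields(SAMPLE_KEY, SAMPLE_FULLCHAIN))               # []
    print(check_fields(SAMPLE_KEY, SAMPLE_LEAF, SAMPLE_FULLCHAIN))  # leaf in bundle
    for host in ("app-1.100011.example.com", "app-1-100011.example.com"):
        print(host, hostname_matches("*.example.com", host))
```

Run it with the real file contents read from disk in place of the constructed samples; the hostname check uses `example.com` only as a placeholder for the company domain.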

Hi Brandon,
a busy day here, but finally found some time to run some more tests on this. I was actually generating the LetsEncrypt test cert more or less as you are, but just from the command line on my Mac OS X workstation, using their DNS TXT record verification process. I didn’t (yet) set up the Docker instance, but after reading your reply, I immediately pasted the private key X.509 text into the Losant SSL Key field, and the LetsEncrypt second “0001_chain.pem” file that contains both the Intermediate CA X.509 key chain text, and the X.509 domain public key text within the file into the Losant SSL Certificate text box, and left the SSL Bundle text box empty when creating the secure custom domain in the Losant UI. That seemed to have done what was required, when I then went and used an SSL cert online analysis tool such as the SSL Labs one here - SSL Server Test (Powered by Qualys SSL Labs)

What is the intent of the SSL Bundle text box field within Losant?

I think it would be really good for Losant’s documentation or developer guidance to provide some working examples of configuring SSL from a few of the more well-known CAs, as this is an area a large number of people trip up on. Sometimes CAs produce certificate artefacts in different formats such as PKCS#7 or .cer/.der, and converting these to .pem X.509 files takes some ‘openssl foo’ to master as well.

Regards,
Andrew.
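For the format problem Andrew raises, here is an added example (not Losant's code and not from the thread) that turns the two artefact types that need no OpenSSL into paste-ready PEM text: a raw DER `.cer`/`.der` file, and a PEM file with Windows line endings or a UTF-8 BOM, both of which commonly break a copy/paste. It detects a PKCS#7 bundle by its PEM label but does not unpack it; for that, `openssl pkcs7 -print_certs -in certs.p7b -out certs.pem` remains the tool (the equivalent for a single DER file is `openssl x509 -inform der -in cert.cer -out cert.pem`). The DER sample is a constructed minimal ASN.1 SEQUENCE, not a real certificate.

```python
"""Normalise CA-issued certificate artefacts into PEM text for pasting.

Added example, not Losant's code. Covers DER (.cer/.der) and untidy PEM
(CRLF line endings, BOM); PKCS#7 is detected but left for openssl.
"""
import base64


def looks_like_der(data: bytes) -> bool:
    """True if data is one complete DER SEQUENCE (tag 0x30 + length + content).

    Every X.509 certificate is a top-level SEQUENCE, so this catches .cer/.der
    files; the length check rejects truncated downloads.
    """
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first & 0x80:                       # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length = int.from_bytes(data[2:2 + n], "big")
        return len(data) == 2 + n + length
    return len(data) == 2 + first            # short form: length fits in one byte


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Base64-armor DER with the 64-column lines PEM readers expect."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def to_pem_text(data: bytes) -> str:
    """Return paste-ready PEM text, or raise ValueError if openssl is needed."""
    if looks_like_der(data):
        return der_to_pem(data)
    text = data.decode("utf-8-sig")          # utf-8-sig strips a leading BOM
    text = text.replace("\r\n", "\n").replace("\r", "\n").strip() + "\n"
    if "-----BEGIN PKCS7-----" in text or "-----BEGIN CMS-----" in text:
        raise ValueError("PKCS#7/CMS bundle: unpack with openssl pkcs7 -print_certs first")
    if "-----BEGIN " not in text:
        raise ValueError("input is neither DER nor PEM")
    return text


# Constructed samples: a minimal DER SEQUENCE (not a real certificate) and a
# PEM block with CRLF endings and a BOM, as exported by some Windows tools.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_DER_LONG = b"\x30\x82\x01\x00" + b"\x00" * 256
SAMPLE_CRLF_PEM = (b"\xef\xbb\xbf-----BEGIN CERTIFICATE-----\r\n"
                   b"MAMCAQU=\r\n-----END CERTIFICATE-----\r\n")
SAMPLE_P7B = b"-----BEGIN PKCS7-----\nMAMCAQU=\n-----END PKCS7-----\n"

if __name__ == "__main__":
    print(to_pem_text(SAMPLE_DER))
    print(to_pem_text(SAMPLE_CRLF_PEM))
```

Call `to_pem_text(open(path, "rb").read())` on whatever the CA handed over; anything that raises still needs the openssl commands above.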

Hey @Andrew_Leckie1,

This is a great idea. We’ve put this on our list for future content. I’ve also created a ticket to update the documentation to give more information around securing an Experience Domain.

Thank you,
Heath

It would be great to reference this material also - Get your certificate chain right. As many know, certificates are not… | by Sebastiaan van Steenis | Medium

I’ll mark this as ‘solved’ for now.