Unwanted SSL wild card DNS entry

shoulders · October 12, 2025, 7:47am

SYSTEM INFORMATION
OS type and version	Ubuntu Linux 22.04.5
Usermin version	2.400
Usermin version	2.510
Virtualmin version	7.40.1 Pro
Theme version	25.10
Apache version	2.4.52
Package updates	11 package updates are available

In my DNS records I have this line, but I don’t use wildcards

Questions

Where do I enable/disable wildcards? I can’t remember.
Should this record be present if I do not have wildcards enabled for this domain?

jimr1 · October 12, 2025, 8:06am

in the ssl providers tab on virtualmin → domain → manage virtualserver → Setup SSL Certificate

I shouldn’t worry about it, all my domains have it, my guess it’s added by virtualmin just in case you add a wildcard

shoulders · October 12, 2025, 8:52am

thanks for the pointers.

Joe · October 12, 2025, 3:26pm

That has nothing to do with wildcards. It’s a security feature.

dimitrist · October 12, 2025, 3:51pm

issuewild is for wildcard certs.
issue is for regular certs

Joe · October 12, 2025, 4:06pm

So, yes, but it’s about who can sign certs for your domain (wildcard or otherwise). It is not about whether you have wildcard certs.

But, it is surprising that we’re setting issuewild but not setting issue. Or are both present, and OP only posted about issuewild because they don’t have wildcards and was surprised to see that, maybe?

shoulders · October 12, 2025, 4:18pm

Part 1 solved, but should I have issuewild if I am not requesting a wild card.

I only have the CAA record.

dimitrist · October 12, 2025, 4:30pm

it doesn’t hurt, but if you don’t have wildcards in this domain, remove it.
just keep one CAA record with `issue’ .

dimitrist · October 12, 2025, 4:44pm

maybe if you select wild card ssl during ssl cert creation time, it creates just an issuewild record? (not sure about virtualmin part.)
this makes sense, you don’t need both CAA records if you create one wildcard for all subdomains.

shoulders · October 13, 2025, 11:05am

https://letsencrypt.org/docs/caa/#the-issue-and-issuewild-properties

Records with the issue tag simply control whether a CA can issue certificates for this domain and its subdomains. Generally this is the only record you need, as it controls both normal (e.g. “example.org”) and wildcard (e.g. “*.example.org”) issuance in the absence of any other records.

issue + letsencrypt.org = only allows letsencrypt.org to issue certs for my server

Records with the issuewild tag control whether a CA can issue wildcard certificates (e.g. “*.example.org”). You only need to use issuewild records if you want different permissions for wildcard and non-wildcard issuance.

This section is confusing and seems to make out issuewild is pointless. The descriptions here is not the best unless I am reading it wrong.

Is it for allowing a different provider to provide the wildcard cert as opposed to domain specific ones?

dimitrist · October 13, 2025, 11:16am

exactly. you could have providerA for wildcards and another cert providerB for a specific (sub)domain. you’d need both CAA records in this case. issuewild for A and issue for B.
for virtualmin, i guess issue is enough for most common scenarios.

shoulders · October 19, 2025, 3:17pm

github.com/virtualmin/virtualmin-gpl

Unwanted SSL wild card DNS entry

opened 03:16PM - 19 Oct 25 UTC

shoulders

| SYSTEM INFORMATION || |----------|----------| | OS type and version | Ubuntu… Linux 22.04.5 | | Usermin version | 2.400 | | Usermin version | 2.510 | | Virtualmin version | 7.40.1 Pro | | Theme version | 25.10 | | Apache version | 2.4.52 | | Package updates | 11 package updates are available | ### Background - Discussed here: https://forum.virtualmin.com/t/unwanted-ssl-wild-card-dns-entry/135482 - I do not use Wildcards and was surprised to see this. ### The issue In my DNS records I have this line, but I don’t use wildcards <img width="771" height="24" alt="Image" src="https://github.com/user-attachments/assets/624be411-b156-41c2-ad45-4b4f749748f2" /> ### Research from the thread `https://letsencrypt.org/docs/caa/#the-issue-and-issuewild-properties` > Records with the `issue` tag simply control whether a CA can issue certificates for this domain and its subdomains. Generally this is the only record you need, as it controls both normal (e.g. “example.org”) and wildcard (e.g. “*.example.org”) issuance in the absence of any other records. `issue` + `letsencrypt.org` = only allows **letsencrypt.org** to issue certs for my server > Records with the `issuewild` tag control whether a CA can issue *wildcard* certificates (e.g. “*.example.org”). You only need to use `issuewild` records if you want different permissions for wildcard and non-wildcard issuance. This section is confusing and seems to make out `issuewild` is pointless. The descriptions here is not the best unless I am reading it wrong. Is it for allowing a different provider to provide the wildcard cert as opposed to domain specific ones? ### My Thoughts - The DNS entry should use `issue` not `issuewild` - You only use `issuewild` when you want another provider to issue a wildcard certificate that is on a different provider to a parents CAA record.. - sub domains respect the parents CAA DNS entry and this allows an override of said parent. - I am not 100% the purpose of this setting Everything works currenty but it is an incorrect use of the setting unless I have missed something.

Posted it here. A small issue to go on the list.