
"You must enter at least 2nd level domain names."

Posted: 2021-11-24 09:51
by boco
Why is that restriction for hostnames that strict? With dynamic DNS, you will basically NEVER get a 2nd-level domain name, but a subdomain URL at best, like user.example.net. Plus, you also can't enter IPs directly.

With an externally generated certificate, all that is working beautifully.

Re: "You must enter at least 2nd level domain names."

Posted: 2021-11-24 10:14
by oibaf
At least means >= 2nd level. foo.baz.bar is a 3rd level domain name, hence >= 2nd level.

Re: "You must enter at least 2nd level domain names."

Posted: 2021-11-24 10:20
by botg
user.example.net is a 3rd-level domain name, which is at least a 2nd level domain name. First level domains are not supported as every domain name that is resolvable to an IP address is at least a 2nd level domain name.

IP addresses are not supported as TLS libraries don't typically use IP addresses in trust evaluation and also since SNI works based on hostnames.

Last but not least, Let's Encrypt has the same restrictions.

Re: "You must enter at least 2nd level domain names."

Posted: 2021-11-24 14:42
by boco
The error is a red herring, as I entered IPs in addition to my 3rd level domains.

With my external certificate, I can always enter IPs as SANs, and they are recognized fine by FileZilla when I call the server using a (local) IP address (no red mismatch text in FileZilla). Locally, hostnames do not always work for me.

botg wrote: "IP addresses are not supported as TLS libraries don't typically use IP addresses in trust evaluation"

Wouldn't that sentence mean that they are not prohibited and can be allowed?

botg wrote: "and also since SNI works based on hostnames."
I don't give a fuck about that, locally.

Re: "You must enter at least 2nd level domain names."

Posted: 2021-11-24 17:08
by botg
Well, an IP address definitely isn't at least a second-level domain.

boco wrote: "With my external certificate, I can always enter IPs as SANs, and they are recognized fine by FileZilla when I call the server using a (local) IP address"

That is because there is no hostname to compare against to begin with. You can enter arbitrary IP addresses in your SANs, they are not evaluated at all. They are displayed in the client purely for display purposes.
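
The two points argued above (what "at least a 2nd-level domain name" rules in and out, and why an IP literal gives a hostname-only client nothing to compare a SAN against) can be made concrete. The following is an added example written for this page, not FileZilla or Let's Encrypt code; the SAN list and the names fed to it are constructed, and the two matching policies are simplified models (RFC 6125 style DNS matching with a single leftmost wildcard, and RFC 5280 iPAddress matching on packed addresses), not a reproduction of any particular client's verifier.

```python
"""Added example: classify user-entered server names the way the error message
in this thread does, and show two certificate-name matching policies side by
side. Standard library only; all inputs below are constructed for the example."""
import ipaddress
import re

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def parse_target(target):
    """Classify what the user typed.

    Returns ('ip', ipaddress object) for an IPv4/IPv6 literal (brackets are
    tolerated) or ('dns', lowercased name) for a syntactically valid hostname.
    Raises ValueError for anything else."""
    try:
        return "ip", ipaddress.ip_address(target.strip("[]"))
    except ValueError:
        pass
    name = target.rstrip(".").lower()
    if not all(LABEL.match(label) for label in name.split(".")):
        raise ValueError(f"not a hostname or IP literal: {target!r}")
    return "dns", name


def domain_level(name):
    """'example.net' -> 2, 'user.example.net' -> 3. IP literals have no level."""
    kind, value = parse_target(name)
    if kind == "ip":
        raise ValueError("IP addresses have no domain level")
    return len(value.split("."))


def acme_acceptable(name):
    """The rule behind the error message: at least 2nd level, and no IP literals."""
    try:
        return domain_level(name) >= 2
    except ValueError:
        return False


def dns_san_matches(pattern, name):
    """Case-insensitive dNSName comparison; one wildcard, only as the leftmost label."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        head, _, tail = name.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == name


def match_hostname_only(sans, target):
    """Policy A: a client that only compares hostnames against dNSName SANs.

    Given an IP literal there is no hostname to compare, so it returns None
    (no verdict at all) instead of True/False, and iPAddress SANs are never read."""
    kind, value = parse_target(target)
    if kind == "ip":
        return None
    return any(t == "DNS" and dns_san_matches(v, value) for t, v in sans)


def match_rfc5280(sans, target):
    """Policy B: a client that also honours iPAddress SANs, comparing parsed
    addresses rather than strings (so '192.168.001.010' style spellings cannot slip by)."""
    kind, value = parse_target(target)
    if kind == "ip":
        return any(t == "IP" and ipaddress.ip_address(v) == value for t, v in sans)
    return any(t == "DNS" and dns_san_matches(v, value) for t, v in sans)


# Constructed SAN list resembling the externally generated certificate discussed above.
SANS = [("DNS", "user.example.net"), ("DNS", "*.lan.example.net"), ("IP", "192.168.1.10")]

if __name__ == "__main__":
    for target in ["user.example.net", "box.lan.example.net", "192.168.1.10",
                   "192.168.1.11", "example.net", "net"]:
        print(f"{target:22} acme_ok={acme_acceptable(target)!s:5} "
              f"hostname_only={match_hostname_only(SANS, target)!s:5} "
              f"rfc5280={match_rfc5280(SANS, target)}")
```

Policy B is what OpenSSL's X509_check_ip and the browsers do, which is why an IP SAN is honoured in a browser but is mere display data to a client that only implements policy A. Note that acme_acceptable rejects both "net" (1st level) and "192.168.1.10" (no level at all) for the same reason the error message does.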

Re: "You must enter at least 2nd level domain names."

Posted: 2021-11-25 11:17
by boco
Looks like it. Browsers seem to recognize IP sometimes, though.

Took them out of the SANs. No need for them to be in, if FileZilla will accept the cert on IPs without complaining.