From c4f873a371b716afc5c9fb4e58982b38d9392117 Mon Sep 17 00:00:00 2001
From: Filippo Valsorda
Date: Tue, 3 Jul 2018 16:55:12 -0400
Subject: [PATCH] Add a warning for second-level wildcards
Fixes #30
---
 cert.go | 5 +++++
 main.go | 5 ++---
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/cert.go b/cert.go
index d8ef898..a7e9abe 100644
--- a/cert.go
+++ b/cert.go
@@ -12,6 +12,7 @@ import (
 "net"
 "os"
 "path/filepath"
+ "regexp"
 "strconv"
 "strings"
 "time"
@@ -74,9 +75,13 @@ func (m *mkcert) makeCert(hosts []string) {
 &pem.Block{Type: "CERTIFICATE", Bytes: cert}), 0644)
 fatalIfErr(err, "failed to save certificate key")
+ secondLvlWildcardRegexp := regexp.MustCompile(`(?i)^\*\.[0-9a-z_-]+$`)
 log.Printf("\nCreated a new certificate valid for the following names 📜")
 for _, h := range hosts {
 log.Printf(" - %q", h)
+ if secondLvlWildcardRegexp.MatchString(h) {
+ log.Printf(" Warning: many browsers don't support second-level wildcards like %q ⚠️", h)
+ }
 }
 log.Printf("\nThe certificate is at \"./%s.pem\" and the key at \"./%s-key.pem\" ✅\n\n", filename, filename)
 }
diff --git a/main.go b/main.go
index 9b13e13..c3f167f 100644
--- a/main.go
+++ b/main.go
@@ -113,10 +113,9 @@ Change the CA certificate and key storage location by setting $CAROOT.
 log.Fatalf("ERROR: %q is not a valid hostname or IP: %s", name, err)
 }
 args[i] = punycode
- if hostnameRegexp.MatchString(punycode) {
- continue
+ if !hostnameRegexp.MatchString(punycode) {
+ log.Fatalf("ERROR: %q is not a valid hostname or IP", name)
 }
- log.Fatalf("ERROR: %q is not a valid hostname or IP", name)
 }
 m.makeCert(args)
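Review bot: The pattern added in makeCert (cert.go, second hunk) matches only a wildcard over a single label, so a name such as `*.co.uk`, which sits directly under a multi-label public suffix and which browsers are also likely to refuse, gets a certificate with no warning. A comment above the pattern would make that limit explicit: `// Matches "*.<label>" only; wildcards under multi-label public suffixes (e.g. "*.co.uk") are not detected.` The expression is also recompiled on every makeCert call; declaring secondLvlWildcardRegexp once at package scope, as hostnameRegexp in main.go appears to be, is the usual form. makeCert begins before this hunk, so the surrounding body is not visible here.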