Godaddy wildcard certs...

Nick Pearson nick.pearson at gmail.com
Sat Feb 6 06:07:55 MSK 2010


Sorry I don't have a lot to add, but I thought it worth mentioning
that I just bought and configured a GoDaddy wildcard SSL certificate a
couple weeks ago, and it's working without any issues.  I bought the
low-end ($199/yr) wildcard cert, in case that matters.  I'm running
nginx-0.8.29.

Here's my config:

server {
  listen       1.2.3.4:443;
  server_name  *.domain.com;
  ssl  on;
  ssl_certificate      /etc/ssl/certs/any.domain.com.crt;
  ssl_certificate_key  /etc/ssl/private/any.domain.com.key;
  ...
}

From what Firefox says, it almost sounds like GoDaddy gave you a
non-wildcard cert.  (I believe all their non-wildcard certs are valid
for both domain.com and www.domain.com.)

Again, this likely isn't much help other than knowing that someone
else has this working.

Nick



On Fri, Feb 5, 2010 at 7:15 PM, Michael Shadle <mike503 at gmail.com> wrote:
> I'm trying to use a wildcard godaddy cert and having some issues. Once
> I changed the openssl CSR request to have "*.domain.com" instead of
> "domain.com" now I get an error when trying to start nginx:
>
> [emerg]: SSL_CTX_use_PrivateKey_file("/etc/nginx/certs/domain.org.key")
> failed (SSL: error:0B080074:x509 certificate
> routines:X509_check_private_key:key values mismatch)
>
> Can anyone help?
>
> Here's the commands...
>
>
> # openssl genrsa 2048 > domain.org.key
> Generating RSA private key, 2048 bit long modulus
> ................+++
> .......................+++
> e is 65537 (0x10001)
>
> # openssl req -new -key domain.org.key > domain.org.csr
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [GB]:US
> State or Province Name (full name) [Berkshire]:.
> Locality Name (eg, city) [Newbury]:.
> Organization Name (eg, company) [My Company Ltd]:.
> Organizational Unit Name (eg, section) []:.
> Common Name (eg, your name or your server's hostname) []:*.domain.org
> Email Address []:my at email.com
>
>
> concatenating them all together:
>
> # cat domain.org.crt gd_bundle.crt > domain.org.pem
>
>
> I tried a random hostname... Firefox tells me this:
>
> wwww3.domain.org uses an invalid security certificate.
>
> The certificate is only valid for the following names:
>  domain.org , www.domain.org
>
> (Error code: ssl_error_bad_cert_domain)
>
>
> this is my config:
>
> server {
>   listen 80;
>   listen 10.122.47.104:443 ssl;
>   server_name domain.org *.domain.org;
>   root /home/redirects/web/redirects/domain;
>   index index.php;
>   location ~ \.php$ {
>      include /etc/nginx/fastcgi.conf;
>      fastcgi_pass 127.0.0.1:11030;
>   }
>   ssl_certificate /etc/nginx/certs/domain.org.crt;
>   ssl_certificate_key /etc/nginx/certs/domain.org.key;
>   ssl_protocols SSLv3 TLSv1;
>   ssl_ciphers ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP;
>   rewrite ^ /index.php?url=$host last;
> }
>
>
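
Added example, not part of the original thread: two openssl checks that separate the symptoms reported above, one for whether a private key belongs to a certificate (the "key values mismatch" error) and one for whether a certificate's names cover a hostname (the Firefox error). The function names and the self-signed test pairs are constructed for the demo, and `-addext` assumes OpenSSL 1.1.1 or newer.

```sh
#!/bin/sh
# Added example. Every key and certificate here is constructed test
# material, generated locally; nothing comes from the thread.

# Succeeds only if the private key ($1) belongs to the certificate ($2).
# A failure here is what nginx reports as "key values mismatch".
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ "$k" = "$c" ]
}

# Succeeds only if the certificate ($1) is valid for the hostname ($2).
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match certificate'
}

# Constructed sample: self-signed pair PREFIX.key / PREFIX.crt.
make_pair() {  # make_pair PREFIX CN SAN
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -addext "subjectAltName=$3" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

report() {  # report LABEL COMMAND [ARGS...]
  label=$1; shift
  if "$@"; then echo "yes  $label"; else echo "no   $label"; fi
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_pair "$work/wild"  '*.domain.org' 'DNS:*.domain.org'
make_pair "$work/plain" 'domain.org'   'DNS:domain.org,DNS:www.domain.org'

report "wild.key matches wild.crt"   key_matches_cert "$work/wild.key" "$work/wild.crt"
report "wild.key matches plain.crt"  key_matches_cert "$work/wild.key" "$work/plain.crt"
report "wild.crt covers wwww3.domain.org"  cert_covers_host "$work/wild.crt"  wwww3.domain.org
report "plain.crt covers wwww3.domain.org" cert_covers_host "$work/plain.crt" wwww3.domain.org
report "wild.crt covers domain.org"        cert_covers_host "$work/wild.crt"  domain.org
```

Run against real files, `key_matches_cert` takes the paths given to `ssl_certificate_key` and `ssl_certificate`; a wildcard name covers exactly one label, so `*.domain.org` alone does not cover `domain.org`.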


