Godaddy wildcard certs...

Michael Shadle mike503 at gmail.com
Sat Feb 6 07:43:19 MSK 2010 

How did you create /etc/ssl/certs/any.domain.com.crt?

Happen to have your openssl commands or whatever you did to generate
your CSR/etc there?

Thanks, I have the same cert type, it's nice to know it's working. Not
sure why it isn't for me.




On Fri, Feb 5, 2010 at 7:07 PM, Nick Pearson <nick.pearson at gmail.com> wrote:
> Sorry I don't have a lot to add, but I thought it worth mentioning
> that I just bought and configured a GoDaddy wildcard SSL certificate a
> couple weeks ago, and it's working without any issues.  I bought the
> low-end ($199/yr) wildcard cert, in case that matters.  I'm running
> nginx-0.8.29.
>
> Here's my config:
>
> server {
>  listen       1.2.3.4:443;
>  server_name  *.domain.com;
>  ssl  on;
>  ssl_certificate      /etc/ssl/certs/any.domain.com.crt;
>  ssl_certificate_key  /etc/ssl/private/any.domain.com.key;
>  ...
> }
>
> >From what Firefox says, it almost sounds like GoDaddy gave you a
> non-wildcard cert.  (I believe all their non-wildcard certs are valid
> for both domain.com and www.domain.com.)
>
> Again, this likely isn't much help other than knowing that someone
> else has this working.
>
> Nick
>
>
>
> On Fri, Feb 5, 2010 at 7:15 PM, Michael Shadle <mike503 at gmail.com> wrote:
>> I'm trying to use a wildcard godaddy cert and having some issues. Once
>> I changed the openssl CSR request to have "*.domain.com" instead of
>> "domain.com" now I get an error when trying to start nginx:
>>
>> [emerg]: SSL_CTX_use_PrivateKey_file("/etc/nginx/certs/domain.org.key")
>> failed (SSL: error:0B080074:x509 certificate
>> routines:X509_check_private_key:key values mismatch)
>>
>> Can anyone help?
>>
>> Here's the commands...
>>
>>
>> # openssl genrsa 2048 > domain.org.key
>> Generating RSA private key, 2048 bit long modulus
>> ................+++
>> .......................+++
>> e is 65537 (0x10001)
>>
>> # openssl req -new -key domain.org.key > domain.org.csr
>> You are about to be asked to enter information that will be incorporated
>> into your certificate request.
>> What you are about to enter is what is called a Distinguished Name or a DN.
>> There are quite a few fields but you can leave some blank
>> For some fields there will be a default value,
>> If you enter '.', the field will be left blank.
>> -----
>> Country Name (2 letter code) [GB]:US
>> State or Province Name (full name) [Berkshire]:.
>> Locality Name (eg, city) [Newbury]:.
>> Organization Name (eg, company) [My Company Ltd]:.
>> Organizational Unit Name (eg, section) []:.
>> Common Name (eg, your name or your server's hostname) []:*.domain.org
>> Email Address []:my at email.com
>>
>>
>> concatenating them all together:
>>
>> # cat domain.org.crt gd_bundle.crt > domain.org.pem
>>
>>
>> I tried a random hostname... Firefox tells me this:
>>
>> wwww3.domain.org uses an invalid security certificate.
>>
>> The certificate is only valid for the following names:
>>  domain.org , www.domain.org
>>
>> (Error code: ssl_error_bad_cert_domain)
>>
>>
>> this is my config:
>>
>> server {
>>   listen 80;
>>   listen 10.122.47.104:443 ssl;
>>   server_name domain.org *.domain.org;
>>   root /home/redirects/web/redirects/domain;
>>   index index.php;
>>   location ~ \.php$ {
>>      include /etc/nginx/fastcgi.conf;
>>      fastcgi_pass 127.0.0.1:11030;
>>   }
>>   ssl_certificate /etc/nginx/certs/domain.org.crt;
>>   ssl_certificate_key /etc/nginx/certs/domain.org.key;
>>   ssl_protocols SSLv3 TLSv1;
>>   ssl_ciphers ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP;
>>   rewrite ^ /index.php?url=$host last;
>> }
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://nginx.org/mailman/listinfo/nginx
>>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://nginx.org/mailman/listinfo/nginx
>

More information about the nginx mailing list