Godaddy wildcard certs...

Mark Moseley moseleymark at gmail.com
Sat Feb 6 08:00:34 MSK 2010


On Fri, Feb 5, 2010 at 8:43 PM, Michael Shadle <mike503 at gmail.com> wrote:
> How did you create /etc/ssl/certs/any.domain.com.crt?
>
> Happen to have your openssl commands or whatever you did to generate
> your CSR/etc there?
>
> Thanks, I have the same cert type, it's nice to know it's working. Not
> sure why it isn't for me.
>
>
>
>
> On Fri, Feb 5, 2010 at 7:07 PM, Nick Pearson <nick.pearson at gmail.com> wrote:
>> Sorry I don't have a lot to add, but I thought it worth mentioning
>> that I just bought and configured a GoDaddy wildcard SSL certificate a
>> couple weeks ago, and it's working without any issues.  I bought the
>> low-end ($199/yr) wildcard cert, in case that matters.  I'm running
>> nginx-0.8.29.
>>
>> Here's my config:
>>
>> server {
>>  listen       1.2.3.4:443;
>>  server_name  *.domain.com;
>>  ssl  on;
>>  ssl_certificate      /etc/ssl/certs/any.domain.com.crt;
>>  ssl_certificate_key  /etc/ssl/private/any.domain.com.key;
>>  ...
>> }
>>
>> From what Firefox says, it almost sounds like GoDaddy gave you a
>> non-wildcard cert.  (I believe all their non-wildcard certs are valid
>> for both domain.com and www.domain.com.)
>>
>> Again, this likely isn't much help other than knowing that someone
>> else has this working.
>>
>> Nick
>>
>>
>>
>> On Fri, Feb 5, 2010 at 7:15 PM, Michael Shadle <mike503 at gmail.com> wrote:
>>> I'm trying to use a wildcard godaddy cert and having some issues. Once
>>> I changed the openssl CSR request to have "*.domain.com" instead of
>>> "domain.com" now I get an error when trying to start nginx:
>>>
>>> [emerg]: SSL_CTX_use_PrivateKey_file("/etc/nginx/certs/domain.org.key")
>>> failed (SSL: error:0B080074:x509 certificate
>>> routines:X509_check_private_key:key values mismatch)
>>>
>>> Can anyone help?
>>>
>>> Here's the commands...
>>>
>>>
>>> # openssl genrsa 2048 > domain.org.key
>>> Generating RSA private key, 2048 bit long modulus
>>> ................+++
>>> .......................+++
>>> e is 65537 (0x10001)
>>>
>>> # openssl req -new -key domain.org.key > domain.org.csr
>>> You are about to be asked to enter information that will be incorporated
>>> into your certificate request.
>>> What you are about to enter is what is called a Distinguished Name or a DN.
>>> There are quite a few fields but you can leave some blank
>>> For some fields there will be a default value,
>>> If you enter '.', the field will be left blank.
>>> -----
>>> Country Name (2 letter code) [GB]:US
>>> State or Province Name (full name) [Berkshire]:.
>>> Locality Name (eg, city) [Newbury]:.
>>> Organization Name (eg, company) [My Company Ltd]:.
>>> Organizational Unit Name (eg, section) []:.
>>> Common Name (eg, your name or your server's hostname) []:*.domain.org
>>> Email Address []:my at email.com
>>>
>>>
>>> concatenating them all together:
>>>
>>> # cat domain.org.crt gd_bundle.crt > domain.org.pem
>>>
>>>
>>> I tried a random hostname... Firefox tells me this:
>>>
>>> wwww3.domain.org uses an invalid security certificate.
>>>
>>> The certificate is only valid for the following names:
>>>  domain.org , www.domain.org
>>>
>>> (Error code: ssl_error_bad_cert_domain)
>>>
>>>
>>> this is my config:
>>>
>>> server {
>>>   listen 80;
>>>   listen 10.122.47.104:443 ssl;
>>>   server_name domain.org *.domain.org;
>>>   root /home/redirects/web/redirects/domain;
>>>   index index.php;
>>>   location ~ \.php$ {
>>>      include /etc/nginx/fastcgi.conf;
>>>      fastcgi_pass 127.0.0.1:11030;
>>>   }
>>>   ssl_certificate /etc/nginx/certs/domain.org.crt;
>>>   ssl_certificate_key /etc/nginx/certs/domain.org.key;
>>>   ssl_protocols SSLv3 TLSv1;
>>>   ssl_ciphers ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP;
>>>   rewrite ^ /index.php?url=$host last;

That error sounds like it's trying to use a key that's not the same
key you generated the csr with.

What's the output of
openssl rsa -noout -modulus -in /etc/nginx/certs/domain.org.key
and
openssl x509 -noout -modulus -in /etc/nginx/certs/domain.org.crt
?
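
The comparison asked for above, as an added example that is not part of the original thread: it hashes the RSA modulus of the key and the certificate (and, going one step beyond the two commands in the message, the CSR) and reports whether they agree. The sample files, the `*.example.test` name and the function names `modulus_digest`, `key_matches` and `make_samples` are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the thread): confirm key, cert and CSR share one RSA modulus.

# Print a SHA-256 digest of the RSA modulus in a PEM file.
# $1 = openssl subcommand for the file type: rsa (key), req (CSR), x509 (cert)
modulus_digest() {
    m=$(openssl "$1" -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ -n "$m" ] || return 2
    printf '%s\n' "$m" | openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches KEY CERT [CSR]
# Returns 0 if all moduli match, 1 on mismatch, 2 if a file cannot be parsed.
key_matches() {
    k=$(modulus_digest rsa "$1") || return 2
    c=$(modulus_digest x509 "$2") || return 2
    [ "$k" = "$c" ] || return 1
    if [ -n "${3:-}" ]; then
        r=$(modulus_digest req "$3") || return 2
        [ "$k" = "$r" ] || return 1
    fi
    return 0
}

# Build constructed sample files in directory $1: the key the CSR was made from,
# a self-signed wildcard cert for that CSR, and an unrelated key (mismatch case).
make_samples() {
    openssl genrsa -out "$1/good.key" 2048 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/good.key" -subj "/CN=*.example.test" \
        -out "$1/wild.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/wild.csr" -signkey "$1/good.key" -days 1 \
        -out "$1/wild.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for key in good.key other.key; do
    if key_matches "$demo_dir/$key" "$demo_dir/wild.crt" "$demo_dir/wild.csr"; then
        echo "$key: matches certificate and CSR"
    else
        echo "$key: does not match the certificate (the 'key values mismatch' case)"
    fi
done
rm -rf "$demo_dir"
```

Comparing digests rather than the raw `Modulus=` lines keeps the output short enough to eyeball and avoids pasting key material into a mail or ticket.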