Godaddy wildcard certs...
Nick Pearson
nick.pearson at gmail.com
Sat Feb 6 08:18:15 MSK 2010
Here's the process I used. I believe it is from an article at
articles.slicehost.com.
# create private key with password (password to be removed later)
openssl genrsa -des3 -out any.domain.com.key.with-password 2048
# create CSR using key with password and *.domain.com as Common Name
openssl req -new -key any.domain.com.key.with-password -out any.domain.com.csr
# remove password from key
openssl rsa -in any.domain.com.key.with-password -out any.domain.com.key
# purchase cert from GoDaddy
# download any.domain.com.crt and gd_bundle.crt
# add .part to end of any.domain.com.crt filename
# concatenate cert with GoDaddy bundle
cat any.domain.com.crt.part gd_bundle.crt > any.domain.com.crt
# copy cert and key to /etc/ssl
cp any.domain.com.crt /etc/ssl/certs/
cp any.domain.com.key /etc/ssl/private/
Hope that helps.
On Fri, Feb 5, 2010 at 10:43 PM, Michael Shadle <mike503 at gmail.com> wrote:
> How did you create /etc/ssl/certs/any.domain.com.crt?
>
> Happen to have your openssl commands or whatever you did to generate
> your CSR/etc there?
>
> Thanks, I have the same cert type, it's nice to know it's working. Not
> sure why it isn't for me.
>
>
>
>
> On Fri, Feb 5, 2010 at 7:07 PM, Nick Pearson <nick.pearson at gmail.com> wrote:
>> Sorry I don't have a lot to add, but I thought it worth mentioning
>> that I just bought and configured a GoDaddy wildcard SSL certificate a
>> couple weeks ago, and it's working without any issues. I bought the
>> low-end ($199/yr) wildcard cert, in case that matters. I'm running
>> nginx-0.8.29.
>>
>> Here's my config:
>>
>> server {
>> listen 1.2.3.4:443;
>> server_name *.domain.com;
>> ssl on;
>> ssl_certificate /etc/ssl/certs/any.domain.com.crt;
>> ssl_certificate_key /etc/ssl/private/any.domain.com.key;
>> ...
>> }
>>
>> From what Firefox says, it almost sounds like GoDaddy gave you a
>> non-wildcard cert. (I believe all their non-wildcard certs are valid
>> for both domain.com and www.domain.com.)
>>
>> Again, this likely isn't much help other than knowing that someone
>> else has this working.
>>
>> Nick
>>
>>
>>
>> On Fri, Feb 5, 2010 at 7:15 PM, Michael Shadle <mike503 at gmail.com> wrote:
>>> I'm trying to use a wildcard godaddy cert and having some issues. Once
>>> I changed the openssl CSR request to have "*.domain.com" instead of
>>> "domain.com" now I get an error when trying to start nginx:
>>>
>>> [emerg]: SSL_CTX_use_PrivateKey_file("/etc/nginx/certs/domain.org.key")
>>> failed (SSL: error:0B080074:x509 certificate
>>> routines:X509_check_private_key:key values mismatch)
>>>
>>> Can anyone help?
>>>
>>> Here's the commands...
>>>
>>>
>>> # openssl genrsa 2048 > domain.org.key
>>> Generating RSA private key, 2048 bit long modulus
>>> ................+++
>>> .......................+++
>>> e is 65537 (0x10001)
>>>
>>> # openssl req -new -key domain.org.key > domain.org.csr
>>> You are about to be asked to enter information that will be incorporated
>>> into your certificate request.
>>> What you are about to enter is what is called a Distinguished Name or a DN.
>>> There are quite a few fields but you can leave some blank
>>> For some fields there will be a default value,
>>> If you enter '.', the field will be left blank.
>>> -----
>>> Country Name (2 letter code) [GB]:US
>>> State or Province Name (full name) [Berkshire]:.
>>> Locality Name (eg, city) [Newbury]:.
>>> Organization Name (eg, company) [My Company Ltd]:.
>>> Organizational Unit Name (eg, section) []:.
>>> Common Name (eg, your name or your server's hostname) []:*.domain.org
>>> Email Address []:my at email.com
>>>
>>>
>>> concatenating them all together:
>>>
>>> # cat domain.org.crt gd_bundle.crt > domain.org.pem
>>>
>>>
>>> I tried a random hostname... Firefox tells me this:
>>>
>>> wwww3.domain.org uses an invalid security certificate.
>>>
>>> The certificate is only valid for the following names:
>>> domain.org , www.domain.org
>>>
>>> (Error code: ssl_error_bad_cert_domain)
>>>
>>>
>>> this is my config:
>>>
>>> server {
>>> listen 80;
>>> listen 10.122.47.104:443 ssl;
>>> server_name domain.org *.domain.org;
>>> root /home/redirects/web/redirects/domain;
>>> index index.php;
>>> location ~ \.php$ {
>>> include /etc/nginx/fastcgi.conf;
>>> fastcgi_pass 127.0.0.1:11030;
>>> }
>>> ssl_certificate /etc/nginx/certs/domain.org.crt;
>>> ssl_certificate_key /etc/nginx/certs/domain.org.key;
>>> ssl_protocols SSLv3 TLSv1;
>>> ssl_ciphers ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP;
>>> rewrite ^ /index.php?url=$host last;
>>> }
>>>
>>> _______________________________________________
>>> nginx mailing list
>>> nginx at nginx.org
>>> http://nginx.org/mailman/listinfo/nginx
>>>
>>
>>
>
>
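The two failures in this thread (nginx refusing to start with `X509_check_private_key: key values mismatch`, and Firefox reporting the cert as valid only for `domain.org` and `www.domain.org`) are both things you can confirm before copying anything into `/etc/ssl`. The script below is an added example, not code from either poster or from the slicehost article: it compares the RSA modulus carried by the key, the CSR and the issued certificate (the same check `SSL_CTX_use_PrivateKey_file` performs), and lists every name the certificate actually covers so you can see whether the wildcard made it into the cert. It assumes only that `openssl` is on PATH; the `*.example.test` material it generates is constructed self-signed test data standing in for the CA-issued files.

```shell
#!/bin/sh
# Added example (not from the thread). Checks that a private key, CSR and
# certificate all carry the same RSA modulus, which is what nginx's
# SSL_CTX_use_PrivateKey_file / X509_check_private_key demands, and lists
# the names a certificate is valid for. Assumes only that openssl is on PATH.
set -eu

# Short fingerprint of the RSA modulus in a key, CSR or certificate.
modulus_fp() {                      # $1 = rsa|req|x509, $2 = PEM file
  openssl "$1" -noout -modulus -in "$2" | openssl sha256 | awk '{print $NF}'
}

# Exit status 0 when the two objects were built from the same key pair.
key_matches_csr()  { [ "$(modulus_fp rsa "$1")" = "$(modulus_fp req  "$2")" ]; }
key_matches_cert() { [ "$(modulus_fp rsa "$1")" = "$(modulus_fp x509 "$2")" ]; }

# Subject CN plus every subjectAltName DNS entry, one per line, de-duplicated.
# A wildcard cert must show "*.domain" here; if it only shows domain and
# www.domain, the CA issued a plain cert from a CSR without the wildcard CN.
cert_names() {
  openssl x509 -noout -text -in "$1" \
    | sed -n 's/^ *Subject:.*CN *= *\([^,/]*\).*/\1/p; s/^ *DNS:/DNS:/p' \
    | tr ',' '\n' | sed 's/^ *DNS://; s/^ *//; /^$/d' | LC_ALL=C sort -u
}

# Constructed test material: a self-signed wildcard cert for *.example.test
# (standing in for the CA-issued cert), its key and CSR, and a second,
# unrelated key that simulates re-running genrsa after the CSR was submitted.
make_demo() {                       # $1 = scratch directory
  cat > "$1/wild.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = *.example.test
[ext]
subjectAltName = DNS:*.example.test, DNS:example.test
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/wild.cnf" \
    -keyout "$1/good.key" -out "$1/good.crt" 2>/dev/null
  openssl req -new -key "$1/good.key" -config "$1/wild.cnf" -out "$1/good.csr"
  openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

demo() {
  d=$(mktemp -d)
  make_demo "$d"
  for k in good other; do
    if key_matches_cert "$d/$k.key" "$d/good.crt"; then
      echo "$k.key matches good.crt"
    else
      echo "$k.key does NOT match good.crt (nginx would report 'key values mismatch')"
    fi
  done
  echo "good.crt is valid for:"
  cert_names "$d/good.crt"
  rm -rf "$d"
}
demo
```

Run `key_matches_cert any.domain.com.key any.domain.com.crt` against the real files before the `cp` step; a mismatch means the key on disk is not the one the CSR was generated from (typically `genrsa` was re-run after the CSR went to the CA), and the fix is to regenerate the CSR from the current key and re-key the certificate, not to edit nginx. `cert_names` on the downloaded `.crt` tells you immediately whether the CA issued a wildcard or a plain cert, which is the distinction Firefox was reporting above.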