I'm trying to use a wildcard godaddy cert and having some issues. Once
I changed the openssl CSR request to have "*.domain.com" instead of
"domain.com" now I get an error when trying to start nginx:
[emerg]: SSL_CTX_use_PrivateKey_file("/etc/nginx/certs/domain.org.key")
failed (SSL: error:0B080074:x509 certificate
routines:X509_check_private_key:key values mismatch)
Can anyone help?
Here's the commands...
# openssl genrsa 2048 > domain.org.key
Generating RSA private key, 2048 bit long modulus
................+++
.......................+++
e is 65537 (0x10001)
# openssl req -new -key domain.org.key > domain.org.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:.
Locality Name (eg, city) [Newbury]:.
Organization Name (eg, company) [My Company Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:*.domain.org
Email Address []:my@email.com
concatenating them all together:
# cat domain.org.crt gd_bundle.crt > domain.org.pem
I tried a random hostname... Firefox tells me this:
wwww3.domain.org uses an invalid security certificate.
The certificate is only valid for the following names:
domain.org , www.domain.org
(Error code: ssl_error_bad_cert_domain)
this is my config:
server {
    listen 80;
    listen 10.122.47.104:443 ssl;
    server_name domain.org *.domain.org;
    root /home/redirects/web/redirects/domain;
    index index.php;
    location ~ \.php$ {
        include /etc/nginx/fastcgi.conf;
        fastcgi_pass 127.0.0.1:11030;
    }
    ssl_certificate /etc/nginx/certs/domain.org.crt;
    ssl_certificate_key /etc/nginx/certs/domain.org.key;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP;
    rewrite ^ /index.php?url=$host last;
}
on 2010-02-06 02:15
on 2010-02-06 04:08
Sorry I don't have a lot to add, but I thought it worth mentioning
that I just bought and configured a GoDaddy wildcard SSL certificate a
couple weeks ago, and it's working without any issues. I bought the
low-end ($199/yr) wildcard cert, in case that matters. I'm running
nginx-0.8.29.
Here's my config:
server {
    listen 1.2.3.4:443;
    server_name *.domain.com;
    ssl on;
    ssl_certificate /etc/ssl/certs/any.domain.com.crt;
    ssl_certificate_key /etc/ssl/private/any.domain.com.key;
    ...
}
From what Firefox says, it almost sounds like GoDaddy gave you a
non-wildcard cert. (I believe all their non-wildcard certs are valid
for both domain.com and www.domain.com.)
Again, this likely isn't much help other than knowing that someone
else has this working.
Nick
on 2010-02-06 05:43
How did you create /etc/ssl/certs/any.domain.com.crt? Happen to have your openssl commands or whatever you did to generate your CSR/etc there? Thanks, I have the same cert type, it's nice to know it's working. Not sure why it isn't for me.
on 2010-02-06 06:01
On Fri, Feb 5, 2010 at 8:43 PM, Michael Shadle <mike503@gmail.com> wrote:
>
>> listen 1.2.3.4:443;
>>
>>> "domain.com" now I get an error when trying to start nginx:
>>> # openssl genrsa 2048 > domain.org.key
>>> For some fields there will be a default value,
>>>
>>> domain.org , www.domain.org
>>> root /home/redirects/web/redirects/domain;
>>> index index.php;
>>> location ~ \.php$ {
>>> include /etc/nginx/fastcgi.conf;
>>> fastcgi_pass 127.0.0.1:11030;
>>> }
>>> ssl_certificate /etc/nginx/certs/domain.org.crt;
>>> ssl_certificate_key /etc/nginx/certs/domain.org.key;
>>> ssl_protocols SSLv3 TLSv1;
>>> ssl_ciphers ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP;
>>> rewrite ^ /index.php?url=$host last;

That error sounds like it's trying to use a key that's not the same key
you generated the CSR with. What's the output of

openssl rsa -noout -modulus -in /etc/nginx/certs/domain.org.key

and

openssl x509 -noout -modulus -in /etc/nginx/certs/domain.org.crt

?
on 2010-02-06 06:02
This article might be of help: http://nginx.org/en/docs/http/configuring_https_servers.html

On 06.02.2010, at 8:00, Mark Moseley wrote:
> On Fri, Feb 5, 2010 at 8:43 PM, Michael Shadle <mike503@gmail.com> wrote:
>> How did you create /etc/ssl/certs/any.domain.com.crt?
>>
>> Happen to have your openssl commands or whatever you did to generate
>> your CSR/etc there?
>>
>> Thanks, I have the same cert type, it's nice to know it's working. Not
>> sure why it isn't for me.
>> […]

Peter.
on 2010-02-06 06:07
On Fri, Feb 5, 2010 at 9:00 PM, Mark Moseley <moseleymark@gmail.com> wrote:
> What's the output of
> openssl rsa -noout -modulus -in /etc/nginx/certs/domain.org.key
> and
> openssl x509 -noout -modulus -in /etc/nginx/certs/domain.org.crt

Nope - I redid it multiple times, and just did what you said and it came out a match. Also, nginx would barf if the key didn't match, I believe.
on 2010-02-06 06:11
Yeah, when connecting I get this:

Verify return code: 19 (self signed certificate in certificate chain)

which is odd; this is the bundle from Godaddy. www.domain.org and domain.org have no issues; if I view the cert it shows me "server alternate names" as being both of those - but if I try any other aliases it won't work.
on 2010-02-06 06:18
Here's the process I used. I believe it is from an article at articles.slicehost.com.

# create private key with password (password to be removed later)
openssl genrsa -des3 -out any.domain.com.key.with-password 2048

# create CSR using key with password and *.domain.com as Common Name
openssl req -new -key any.domain.com.key.with-password -out any.domain.com.csr

# remove password from key
openssl rsa -in any.domain.com.key.with-password -out any.domain.com.key

# purchase cert from GoDaddy
# download any.domain.com.crt and gd_bundle.crt
# add .part to end of any.domain.com.crt filename

# concatenate cert with GoDaddy bundle
cat any.domain.com.crt.part gd_bundle.crt > any.domain.com.crt

# copy cert and key to /etc/ssl
cp any.domain.com.crt /etc/ssl/certs/
cp any.domain.com.key /etc/ssl/private/

Hope that helps.
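The three checks this thread circles around (does the key match the cert, which names is the cert actually valid for, and does the cert chain back to the vendor bundle) can be scripted so they are run before reloading nginx rather than discovered from a browser error. The script below is an added example, not code from any poster in this thread. It builds a throw-away CA in a temp directory to stand in for the vendor bundle, issues itself a wildcard leaf for the constructed name example.org, and then runs the checks with plain openssl(1); every file name and domain in it is made up for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a demo CA plus a wildcard leaf
# in a temp dir, then runs the three checks discussed above:
#   1. key/cert modulus match  (nginx "key values mismatch" at startup)
#   2. names in subjectAltName (what Firefox's "only valid for ..." reports)
#   3. chain verification against the bundle (openssl "Verify return code")
# example.org, the file names and the CA subject are all constructed values.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throw-away issuing CA; its cert plays the role of gd_bundle.crt.
make_demo_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -days 1 \
    -subj "/CN=Demo Issuing CA" -out "$WORK/bundle.crt" 2>/dev/null
}

# Wildcard leaf: CN=*.example.org AND a subjectAltName carrying the wildcard.
# Browsers match on the SAN list; a cert whose SAN only lists the bare and
# www names is exactly what produces the Firefox message quoted above.
make_wildcard_leaf() {
  openssl genrsa -out "$WORK/wild.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/wild.key" -subj "/CN=*.example.org" \
    -out "$WORK/wild.csr" 2>/dev/null
  printf 'subjectAltName=DNS:*.example.org,DNS:example.org\n' > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/wild.csr" -CA "$WORK/bundle.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -extfile "$WORK/san.ext" -out "$WORK/wild.crt" 2>/dev/null
  # A second key that never signed the CSR, to reproduce the mismatch case.
  openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
}

# 1. Compare the RSA modulus of key ($1) and cert ($2); prints match/mismatch.
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
  c=$(openssl x509 -noout -modulus -in "$2")
  [ "$k" = "$c" ] && echo match || echo mismatch
}

# 2. Print the DNS names from the cert's subjectAltName, space separated.
cert_dns_names() {
  openssl x509 -noout -text -in "$1" \
    | grep -A1 'Subject Alternative Name' | tail -n1 \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p' \
    | tr '\n' ' ' | sed 's/ $//'
}

# 3. Verify leaf ($1) against bundle ($2); prints ok/fail.
chain_verifies() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

make_demo_ca
make_wildcard_leaf
echo "right key: $(key_matches_cert "$WORK/wild.key" "$WORK/wild.crt")"
echo "wrong key: $(key_matches_cert "$WORK/other.key" "$WORK/wild.crt")"
echo "names:     $(cert_dns_names "$WORK/wild.crt")"
echo "chain:     $(chain_verifies "$WORK/wild.crt" "$WORK/bundle.crt")"
```

Against a real deployment, point key_matches_cert at the key and cert nginx loads, cert_dns_names at the cert the CA returned (before concatenating the bundle), and chain_verifies at the leaf and the vendor bundle; a "fail" from the last check with the leaf and bundle swapped or concatenated in the wrong order is the usual cause of the "self signed certificate in certificate chain" result seen above.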