Firefox says Peer's Certificate has been revoked

When attempting https connections to the server mail.cvcbike.org that
previously ran Apache and now runs nginx with the same certs, Firefox
browsers return this error:

Peer’s Certificate has been revoked.

(Error code: sec_error_revoked_certificate)

Other browsers (IE, Safari, Chrome) work without errors, and this
previously worked with Apache.

This server uses a GoDaddy bundled cert, and its hostname is one of the
alt DNS names listed in the GoDaddy cert.

Per this and other postings:

http://marc.info/?l=nginx&m=123281043101966&w=2

I concatenated the server’s cert and the godaddy cert:

cat server.crt gd_bundle.crt > mail.cvcbike.org.crt

and use that in the nginx.config:

ssl_certificate /etc/ssl/mail.cvcbike.org.crt;
ssl_certificate_key /etc/ssl/private/all.key;

But the Firefox error persists across restarts.

I’ve posted openssl output below for the two certs.

Thanks in advance for clues on fixing the cert error in Firefox.

dn

openssl x509 -noout -text -in server.crt

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
a4:78:72:a4:4c:b2
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority/serialNumber=07969287
Validity
Not Before: Nov 23 20:13:13 2009 GMT
Not After : Oct 14 14:03:22 2012 GMT
Subject: O=mail3.networktest.com, OU=Domain Control Validated, CN=mail3.networktest.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:e2:a6:a3:99:99:4c:89:8c:99:26:ab:cd:ed:a6:
c6:96:b6:91:a7:f2:be:73:af:4a:cf:ce:23:da:8f:
04:91:41:c5:ad:c0:ed:1d:91:af:f2:ae:9d:8a:c5:
03:86:9e:0a:5b:17:10:66:c9:e8:1f:6a:e1:3b:0f:
6c:4c:70:10:da:eb:6f:eb:bb:05:c9:70:b6:82:08:
a5:c0:24:69:47:cb:52:50:e7:d8:01:66:d3:41:42:
ee:1d:68:51:e1:03:cd:cb:e2:21:01:a2:10:51:07:
26:c8:f6:73:6d:50:7e:eb:b7:b8:df:d7:a1:4b:9b:
20:5c:58:07:0e:77:e5:8f:25:0d:66:99:13:a5:34:
31:b0:77:a7:55:27:9a:a0:b1:70:2b:42:86:92:9a:
5b:eb:78:35:26:21:b2:8a:93:ea:15:c6:30:7f:9e:
b8:ab:47:2a:8f:43:3a:8b:55:d6:14:cf:0a:d5:bd:
ca:3d:58:2b:5c:7e:d6:d3:e1:d0:d3:16:24:7a:57:
a0:4c:ee:2c:87:5f:9b:75:a1:af:03:35:26:b1:ab:
1a:e8:82:e1:ea:29:04:ad:06:9a:67:f1:5e:c9:8b:
fd:24:79:40:45:b9:da:5e:b4:e1:8e:d2:ca:71:f0:
5b:a2:8a:32:14:49:48:c0:eb:44:65:e3:87:03:c5:
e3:35
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client
Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 CRL Distribution Points:
URI:http://crl.godaddy.com/gds1-11.crl

        X509v3 Certificate Policies:
            Policy: 2.16.840.1.114413.1.7.23.1
              CPS: http://certificates.godaddy.com/repository/

        Authority Information Access:
            OCSP - URI:http://ocsp.godaddy.com/
            CA Issuers - URI:http://certificates.godaddy.com/repository/gd_intermediate.crt

        X509v3 Authority Key Identifier:
            keyid:FD:AC:61:32:93:6C:45:D6:E2:EE:85:5F:9A:BA:E7:76:99:68:CC:E7

        X509v3 Subject Alternative Name:
            DNS: DNS:mail.cvcbike.org, DNS:lists.cvcbike.org
        X509v3 Subject Key Identifier:
            59:09:DF:F0:FD:E2:17:F8:0F:14:0A:A0:90:A9:1E:52:8E:E5:2D:E2
Signature Algorithm: sha1WithRSAEncryption
    51:6c:16:9d:d4:48:e8:1f:21:40:45:1e:dd:ca:3c:3f:a9:37:
    cb:28:de:96:c7:5d:28:e5:9b:b7:97:3d:b7:55:e7:53:62:82:
    65:ed:f7:11:e8:5e:3c:31:da:b1:5f:f8:c5:ec:86:68:da:5f:
    c6:9e:3a:e3:e4:fd:76:22:35:af:37:9e:f5:7b:2a:a6:8d:4d:
    6a:12:21:cd:28:1c:1b:80:24:05:8e:3f:8d:ae:7a:e4:f6:8b:
    ab:6d:a3:c8:8c:98:11:60:3d:7d:21:0e:69:f2:02:16:a9:b6:
    15:63:83:f6:f7:ff:f8:d8:e8:f4:4b:fa:e0:fc:f9:21:43:51:
    8c:ce:bb:47:c4:4d:71:6c:6e:07:74:54:79:c9:1a:1f:ca:b2:
    e8:9e:8e:9c:4c:11:27:54:b9:f9:31:06:d1:c1:a0:35:5b:21:
    f0:cd:7a:85:2a:03:ce:06:98:fc:9d:90:5f:3c:ee:7e:27:a1:
    38:fb:ac:2d:13:af:bb:12:bc:e6:6c:f8:97:2e:c6:55:ae:a3:
    a2:82:ea:4b:1c:64:0e:36:95:f2:fb:ad:08:89:37:3c:02:77:
    a7:d9:04:cb:1f:79:6d:b7:26:e7:de:8b:9e:ec:74:00:ab:af:
    e4:d6:06:c3:7d:81:19:b5:3c:16:1a:95:b9:39:ff:40:30:24:
    b5:b8:e8:9c

openssl x509 -noout -text -in gd_bundle.crt

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 769 (0x301)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2
Certification Authority
Validity
Not Before: Nov 16 01:54:37 2006 GMT
Not After : Nov 16 01:54:37 2026 GMT
Subject: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority/serialNumber=07969287
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:c4:2d:d5:15:8c:9c:26:4c:ec:32:35:eb:5f:b8:
59:01:5a:a6:61:81:59:3b:70:63:ab:e3:dc:3d:c7:
2a:b8:c9:33:d3:79:e4:3a:ed:3c:30:23:84:8e:b3:
30:14:b6:b2:87:c3:3d:95:54:04:9e:df:99:dd:0b:
25:1e:21:de:65:29:7e:35:a8:a9:54:eb:f6:f7:32:
39:d4:26:55:95:ad:ef:fb:fe:58:86:d7:9e:f4:00:
8d:8c:2a:0c:bd:42:04:ce:a7:3f:04:f6:ee:80:f2:
aa:ef:52:a1:69:66:da:be:1a:ad:5d:da:2c:66:ea:
1a:6b:bb:e5:1a:51:4a:00:2f:48:c7:98:75:d8:b9:
29:c8:ee:f8:66:6d:0a:9c:b3:f3:fc:78:7c:a2:f8:
a3:f2:b5:c3:f3:b9:7a:91:c1:a7:e6:25:2e:9c:a8:
ed:12:65:6e:6a:f6:12:44:53:70:30:95:c3:9c:2b:
58:2b:3d:08:74:4a:f2:be:51:b0:bf:87:d0:4c:27:
58:6b:b5:35:c5:9d:af:17:31:f8:0b:8f:ee:ad:81:
36:05:89:08:98:cf:3a:af:25:87:c0:49:ea:a7:fd:
67:f7:45:8e:97:cc:14:39:e2:36:85:b5:7e:1a:37:
fd:16:f6:71:11:9a:74:30:16:fe:13:94:a3:3f:84:
0d:4f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
FD:AC:61:32:93:6C:45:D6:E2:EE:85:5F:9A:BA:E7:76:99:68:CC:E7
X509v3 Authority Key Identifier:
keyid:D2:C4:B0:D2:91:D4:4C:11:71:B3:61:CB:3D:A1:FE:DD:A8:6A:D4:E3

        X509v3 Basic Constraints: critical
            CA:TRUE, pathlen:0
        Authority Information Access:
            OCSP - URI:http://ocsp.godaddy.com

        X509v3 CRL Distribution Points:
            URI:http://certificates.godaddy.com/repository/gdroot.crl

        X509v3 Certificate Policies:
            Policy: X509v3 Any Policy
              CPS: http://certificates.godaddy.com/repository

        X509v3 Key Usage: critical
            Certificate Sign, CRL Sign
Signature Algorithm: sha1WithRSAEncryption
    d2:86:c0:ec:bd:f9:a1:b6:67:ee:66:0b:a2:06:3a:04:50:8e:
    15:72:ac:4a:74:95:53:cb:37:cb:44:49:ef:07:90:6b:33:d9:
    96:f0:94:56:a5:13:30:05:3c:85:32:21:7b:c9:c7:0a:a8:24:
    a4:90:de:46:d3:25:23:14:03:67:c2:10:d6:6f:0f:5d:7b:7a:
    cc:9f:c5:58:2a:c1:c4:9e:21:a8:5a:f3:ac:a4:46:f3:9e:e4:
    63:cb:2f:90:a4:29:29:01:d9:72:2c:29:df:37:01:27:bc:4f:
    ee:68:d3:21:8f:c0:b3:e4:f5:09:ed:d2:10:aa:53:b4:be:f0:
    cc:59:0b:d6:3b:96:1c:95:24:49:df:ce:ec:fd:a7:48:91:14:
    45:0e:3a:36:6f:da:45:b3:45:a2:41:c9:d4:d7:44:4e:3e:b9:
    74:76:d5:a2:13:55:2c:c6:87:a3:b5:99:ac:06:84:87:7f:75:
    06:fc:bf:14:4c:0e:cc:6e:c4:df:3d:b7:12:71:f4:e8:f1:51:
    40:22:28:49:e0:1d:4b:87:a8:34:cc:06:a2:dd:12:5a:d1:86:
    36:64:03:35:6f:6f:77:6e:eb:f2:85:50:98:5e:ab:03:53:ad:
    91:23:63:1f:16:9c:cd:b9:b2:05:63:3a:e1:f4:68:1b:17:05:
    35:95:53:ee

root@mail:ssl# openssl x509 -noout -text -in mail mail.cvcbike.org.crt

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
a4:78:72:a4:4c:b2
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority/serialNumber=07969287
Validity
Not Before: Nov 23 20:13:13 2009 GMT
Not After : Oct 14 14:03:22 2012 GMT
Subject: O=mail3.networktest.com, OU=Domain Control Validated, CN=mail3.networktest.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:e2:a6:a3:99:99:4c:89:8c:99:26:ab:cd:ed:a6:
c6:96:b6:91:a7:f2:be:73:af:4a:cf:ce:23:da:8f:
04:91:41:c5:ad:c0:ed:1d:91:af:f2:ae:9d:8a:c5:
03:86:9e:0a:5b:17:10:66:c9:e8:1f:6a:e1:3b:0f:
6c:4c:70:10:da:eb:6f:eb:bb:05:c9:70:b6:82:08:
a5:c0:24:69:47:cb:52:50:e7:d8:01:66:d3:41:42:
ee:1d:68:51:e1:03:cd:cb:e2:21:01:a2:10:51:07:
26:c8:f6:73:6d:50:7e:eb:b7:b8:df:d7:a1:4b:9b:
20:5c:58:07:0e:77:e5:8f:25:0d:66:99:13:a5:34:
31:b0:77:a7:55:27:9a:a0:b1:70:2b:42:86:92:9a:
5b:eb:78:35:26:21:b2:8a:93:ea:15:c6:30:7f:9e:
b8:ab:47:2a:8f:43:3a:8b:55:d6:14:cf:0a:d5:bd:
ca:3d:58:2b:5c:7e:d6:d3:e1:d0:d3:16:24:7a:57:
a0:4c:ee:2c:87:5f:9b:75:a1:af:03:35:26:b1:ab:
1a:e8:82:e1:ea:29:04:ad:06:9a:67:f1:5e:c9:8b:
fd:24:79:40:45:b9:da:5e:b4:e1:8e:d2:ca:71:f0:
5b:a2:8a:32:14:49:48:c0:eb:44:65:e3:87:03:c5:
e3:35
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client
Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 CRL Distribution Points:
URI:http://crl.godaddy.com/gds1-11.crl

        X509v3 Certificate Policies:
            Policy: 2.16.840.1.114413.1.7.23.1
              CPS: http://certificates.godaddy.com/repository/

        Authority Information Access:
            OCSP - URI:http://ocsp.godaddy.com/
            CA Issuers - URI:http://certificates.godaddy.com/repository/gd_intermediate.crt

        X509v3 Authority Key Identifier:
            keyid:FD:AC:61:32:93:6C:45:D6:E2:EE:85:5F:9A:BA:E7:76:99:68:CC:E7

        X509v3 Subject Alternative Name:
            DNS: DNS:mail.cvcbike.org, DNS:lists.cvcbike.org

        X509v3 Subject Key Identifier:
            59:09:DF:F0:FD:E2:17:F8:0F:14:0A:A0:90:A9:1E:52:8E:E5:2D:E2
Signature Algorithm: sha1WithRSAEncryption
    51:6c:16:9d:d4:48:e8:1f:21:40:45:1e:dd:ca:3c:3f:a9:37:
    cb:28:de:96:c7:5d:28:e5:9b:b7:97:3d:b7:55:e7:53:62:82:
    65:ed:f7:11:e8:5e:3c:31:da:b1:5f:f8:c5:ec:86:68:da:5f:
    c6:9e:3a:e3:e4:fd:76:22:35:af:37:9e:f5:7b:2a:a6:8d:4d:
    6a:12:21:cd:28:1c:1b:80:24:05:8e:3f:8d:ae:7a:e4:f6:8b:
    ab:6d:a3:c8:8c:98:11:60:3d:7d:21:0e:69:f2:02:16:a9:b6:
    15:63:83:f6:f7:ff:f8:d8:e8:f4:4b:fa:e0:fc:f9:21:43:51:
    8c:ce:bb:47:c4:4d:71:6c:6e:07:74:54:79:c9:1a:1f:ca:b2:
    e8:9e:8e:9c:4c:11:27:54:b9:f9:31:06:d1:c1:a0:35:5b:21:
    f0:cd:7a:85:2a:03:ce:06:98:fc:9d:90:5f:3c:ee:7e:27:a1:
    38:fb:ac:2d:13:af:bb:12:bc:e6:6c:f8:97:2e:c6:55:ae:a3:
    a2:82:ea:4b:1c:64:0e:36:95:f2:fb:ad:08:89:37:3c:02:77:
    a7:d9:04:cb:1f:79:6d:b7:26:e7:de:8b:9e:ec:74:00:ab:af:
    e4:d6:06:c3:7d:81:19:b5:3c:16:1a:95:b9:39:ff:40:30:24:
    b5:b8:e8:9c

On Mon, Dec 20, 2010 at 01:29:08PM -0800, David Newman wrote:

and use that in the nginx.config:

ssl_certificate /etc/ssl/mail.cvcbike.org.crt;
ssl_certificate_key /etc/ssl/private/all.key;

But the Firefox error persists across restarts.

I’ve posted openssl output below for the two certs.

Thanks in advance for clues on fixing the cert error in Firefox.

I’m not sure, but probably the last (#3) GoDaddy certificate in the
bundle may cause the issue. OpenSSL without preloaded certificate base
indicates it as self-signed:

openssl s_client -connect mail.cvcbike.org:443
CONNECTED(00000003)
depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com/
verify error:num=19:self signed certificate in certificate chain
verify return:0

Certificate chain
 0 s:/O=mail3.networktest.com/OU=Domain Control Validated/CN=mail3.networktest.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com/
 3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com/
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com/


Igor S.
http://sysoev.ru/en/

On 12/20/10 1:41 PM, Igor S. wrote:

Certificate chain
 0 s:/O=mail3.networktest.com/OU=Domain Control Validated/CN=mail3.networktest.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com/
 3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com/
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com/

Thanks, Igor. I am checking now with GoDaddy and will report back.

dn

Hello!

On Mon, Dec 20, 2010 at 01:29:08PM -0800, David Newman wrote:

When attempting https connections to the server mail.cvcbike.org that
previously ran Apache and now runs nginx with the same certs, Firefox
browsers return this error:

Peer’s Certificate has been revoked.

(Error code: sec_error_revoked_certificate)

Other browsers (IE, Safari, Chrome) work without errors, and this
previously worked with Apache.

Most likely in other browsers you’ve disabled (or not enabled,
and it’s not enabled by default) certificate revocation checking.

[…]

openssl x509 -noout -text -in server.crt

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
a4:78:72:a4:4c:b2

[…]

    Validity
        Not Before: Nov 23 20:13:13 2009 GMT
        Not After : Oct 14 14:03:22 2012 GMT
    Subject: O=mail3.networktest.com, OU=Domain Control Validated, CN=mail3.networktest.com

[…]

        X509v3 CRL Distribution Points:
            URI:http://crl.godaddy.com/gds1-11.crl

It looks like the revocation list in question includes this
certificate:

$ openssl crl -text -noout -inform DER -in gds1-11.crl

    Serial Number: A47872A44CB2
        Revocation Date: Jan 19 04:12:03 2010 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation

So your cert was revoked almost a year ago. I would worry about
browsers where it works - as it shouldn’t.

Maxim D.
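Maxim's diagnosis is the general procedure for this error: take the URI from the certificate's CRL Distribution Points extension, fetch that CRL, and look for the leaf's serial number in it. The script below is an added example, not anything posted in the thread, and reproduces the whole situation offline with a throwaway CA: it issues a leaf certificate, revokes it with reason cessationOfOperation, publishes a CRL, and then runs openssl verify twice, once ignoring revocation (the behaviour of the browsers that "worked" here) and once with -crl_check (what Firefox effectively did). The CA name, the hostname mail.example.test, the crl.example.test URI and the whole config layout are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway CA issues a leaf cert,
# revokes it and publishes a CRL, then "openssl verify" is run with and
# without CRL checking. Every name here (Demo Root CA, mail.example.test,
# the crl.example.test URI, the file layout) is constructed for the demo.
set -u

# Build the CA, the leaf and the CRL in a fresh temp dir; print the dir path.
setup_demo_pki() {
  d=$(mktemp -d) || return 1
  mkdir "$d/newcerts"
  : > "$d/index.txt"
  echo 1000 > "$d/serial"      # hex serial the leaf will receive
  echo 01 > "$d/crlnumber"
  # Minimal "openssl ca" configuration (constructed for this demo).
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $d/index.txt
new_certs_dir = $d/newcerts
certificate = $d/ca.crt
private_key = $d/ca.key
serial = $d/serial
crlnumber = $d/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
x509_extensions = v3_leaf
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.test
crlDistributionPoints = URI:http://crl.example.test/demo.crl
EOF
  # Self-signed root, leaf CSR, issuance, revocation, CRL.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$d/ca.cnf" \
    -extensions v3_ca -subj "/CN=Demo Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1 || return 1
  openssl req -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=mail.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1 || return 1
  openssl ca -batch -notext -config "$d/ca.cnf" \
    -in "$d/leaf.csr" -out "$d/leaf.crt" >/dev/null 2>&1 || return 1
  openssl ca -config "$d/ca.cnf" -revoke "$d/leaf.crt" \
    -crl_reason cessationOfOperation >/dev/null 2>&1 || return 1
  openssl ca -config "$d/ca.cnf" -gencrl -out "$d/ca.crl" >/dev/null 2>&1 || return 1
  echo "$d"
}

# Chain validation with revocation ignored: the revoked leaf still passes.
verify_without_crl() {
  openssl verify -CAfile "$1/ca.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# The same chain with the CRL consulted: verification now fails.
verify_with_crl() {
  openssl verify -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" -crl_check \
    "$1/leaf.crt" >/dev/null 2>&1
}

# The check Maxim did by hand: is the leaf's serial number listed in the CRL?
crl_lists_serial() {
  serial=$(openssl x509 -noout -serial -in "$1/leaf.crt" | cut -d= -f2)
  openssl crl -noout -text -in "$1/ca.crl" | grep -q "Serial Number: $serial"
}

# The reason code the CA recorded for the revocation.
crl_reason() {
  openssl crl -noout -text -in "$1/ca.crl" | grep -A1 'CRL Reason Code' \
    | tail -n 1 | sed 's/^[[:space:]]*//'
}

demo_dir=$(setup_demo_pki) || exit 1
verify_without_crl "$demo_dir" && echo "no CRL check: revoked leaf accepted"
verify_with_crl "$demo_dir" || echo "with -crl_check: leaf rejected ($(crl_reason "$demo_dir"))"
crl_lists_serial "$demo_dir" && echo "leaf serial is listed in the CRL"
```

Against a real server the only change is the input: the CRL comes from the URI in the leaf's CRL Distribution Points (downloaded CRLs are usually DER, hence Maxim's -inform DER), and the serial comes from the certificate nginx actually serves, which openssl s_client -connect host:443 -showcerts will print.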

On 12/20/10 3:34 PM, David Newman wrote:

On 12/20/10 1:41 PM, Igor S. wrote:

I’m not sure, but probably the last (#3) GoDaddy certificate in the bundle
may cause the issue. OpenSSL without preloaded certificate base indicates
it as self signed:

Thanks, Igor. I am checking now with GoDaddy and will report back.

Fixed now; the root problem was that GoDaddy had revoked the server
cert. Concatenated the new one with the GoDaddy bundle, restarted nginx,
and all is good.

Regarding the GoDaddy bundle:

Certificate chain

 0 s:/O=mail3.networktest.com/OU=Domain Control Validated/CN=mail3.networktest.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com/
 3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com/
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com/

GoDaddy claims the self-signed cert in the chain is a non-issue, and
that items in the chain are not listed sequentially. I do not have
enough info to agree or disagree with that assertion.

Thanks again!

dn

On 12/20/10 4:00 PM, Maxim D. wrote:

So your cert was revoked almost a year ago. I would worry about
browsers where it works - as it shouldn’t.

Indeed. I saw one reply in my searches suggesting the “solution” was to
disable OCSP in Firefox. Not a great answer...

Per my email to Igor, all is good now with a valid cert.

dn

On the topic of SSL;

Is there any possible way to run multiple certs on one IP?

I don't think this is possible as per the spec, but I am not an expert.

Thanks.

On 21 Dec 2010 00h17 WET, Cliff W. wrote:

On Mon, 2010-12-20 at 16:01 -0800, David Newman wrote:

Somewhat off-topic, but I switched from Godaddy certs to using
https://www.thesslstore.com/ which sells non-chained certs for less
than Godaddy charges for chained ones (I paid around $10/year for a
RapidSSL cert vs $60/year for the Godaddy chained cert).

Adding to Cliff’s suggestion to avoid Godaddy’s god awful site, and if
you’re happy with a free level 1 cert, I suggest startssl.com. I’ve
been using their free level 1 certs in my sites without any issues so
far.

You can generate the CSR online or upload the one you generated
through using openssl or Gnu TLS certtool.

As a bonus you don’t have to navigate that gangrenous scab Godaddy
calls a website.

Definitely :)

— appa

Hello!

On Mon, Dec 20, 2010 at 08:03:56PM -0500, David J. wrote:

On the topic of SSL;

Is there any possible way to run multiple certs on one IP?

I don't think this is possible as per the spec, but I am not an expert.

http://nginx.org/en/docs/http/configuring_https_servers.html#name_based_https_servers

Maxim D.

On Mon, 2010-12-20 at 16:01 -0800, David Newman wrote:

Somewhat off-topic, but I switched from Godaddy certs to using
https://www.thesslstore.com/ which sells non-chained certs for less than
Godaddy charges for chained ones (I paid around $10/year for a RapidSSL
cert vs $60/year for the Godaddy chained cert).

As a bonus you don’t have to navigate that gangrenous scab Godaddy calls
a website.


Cliff W.

On Tue, 2010-12-21 at 01:36 +0000, António P.P.Almeida wrote:

you’re happy with a free level 1 cert, I suggest startssl.com. I’ve
been using their free level 1 certs in my sites without any issues so
far.

Great pointer, thanks.


Cliff W.

On 12/20/2010 05:03 PM, David J. wrote:

On the topic of SSL;

Is there any possible way to run multiple certs on one IP?

I don't think this is possible as per the spec, but I am not an expert.

Me neither, but there’s nothing wrong with this. The CN in a cert is
bound to a string such as a hostname, not to an IP address. (The string
could also be someone’s name, or any other text, including an IP address
– but as a text string). SSL works above the network layer and doesn’t
care about L3 addressing.

So, if you’ve got multiple virtual hosts on a single IP address, you
have a couple of choices:

a. Use one cert per virtual host

b. Use one cert for all virtual hosts and chain them using the
subjectAltName parameter in openssl.cnf. This is what I did on the
server in the original post in this thread.

Here’s a thread from a few years ago when I was getting (b) set up:

http://readlist.com/lists/openssl.org/openssl-users/0/4040.html

You can buy chained certs that do this from multiple registrars; I got
one from GoDaddy but concur with others’ description about the GD web
site.

dn

I was trying to take a second look at this.

I get this error (Error code: ssl_error_rx_record_too_long)

I am just testing the solution using self-signed certs.

Here is my server-blocks.

server {
    index index.html;
    listen 80;
    listen 443;
    server_name domain1.com;
    root /var/www/www.domain1.com/;
    access_log /var/log/nginx/domain1.com.access.log;

    ssl off;
    ssl_certificate /apps/ssl/domain1.crt;
    ssl_certificate_key /apps/ssl/domain1.key;
    #ssl_prefer_server_ciphers       on;
    #ssl_ciphers HIGH:!ADH;

    ...

}

server {
    index index.html;
    listen 80;
    listen 443;
    server_name domain2.com;
    root /var/www/www.domain2.com/;
    access_log /var/log/nginx/domain2.com.access.log;

    ssl off;
    ssl_certificate /apps/ssl/domain2.crt;
    ssl_certificate_key /apps/ssl/domain2.key;
    #ssl_prefer_server_ciphers       on;
    #ssl_ciphers HIGH:!ADH;

    ...

}
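The usual cause of ssl_error_rx_record_too_long is nginx answering plain HTTP on port 443, which is exactly what `listen 443;` together with `ssl off;` does: the browser sends a TLS ClientHello and gets an HTTP response back. The listen socket itself has to be marked `ssl`. As an added example, not David J.'s own configuration, here is the same pair of servers corrected for the name-based HTTPS setup Maxim linked: each name keeps its own certificate and nginx picks the right one from the server name the client sends in the TLS handshake (SNI). The domain names and file paths are David J.'s placeholders reused; everything else is assumed.

```nginx
# Added example (not the poster's config). Two names on one IP address, each
# with its own certificate, selected by SNI. Paths and names are placeholders.

server {
    listen 80;
    listen 443 ssl;     # the socket speaks TLS; "ssl off" + "listen 443" served plain HTTP on 443
    server_name domain1.com;
    root /var/www/www.domain1.com/;
    access_log /var/log/nginx/domain1.com.access.log;

    ssl_certificate     /apps/ssl/domain1.crt;   # leaf first, then any intermediates
    ssl_certificate_key /apps/ssl/domain1.key;
}

server {
    listen 80;
    listen 443 ssl;
    server_name domain2.com;
    root /var/www/www.domain2.com/;
    access_log /var/log/nginx/domain2.com.access.log;

    ssl_certificate     /apps/ssl/domain2.crt;
    ssl_certificate_key /apps/ssl/domain2.key;
}
```

This relies on SNI, so check that `nginx -V` reports "TLS SNI support enabled"; an nginx built against an OpenSSL without SNI will hand every client the certificate of the first server block for that port, which is the mismatch David N.'s single multi-name (subjectAltName) certificate avoids.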