Godaddy wildcard certs

I’m trying to use a wildcard godaddy cert and having some issues. Once
I changed the openssl CSR request to have “*.domain.com” instead of
“domain.com”, I now get an error when trying to start nginx:

failed (SSL: error:0B080074:x509 certificate
routines:X509_check_private_key:key values mismatch)

Can anyone help?

Here are the commands…

openssl genrsa 2048 > domain.org.key

Generating RSA private key, 2048 bit long modulus
…+++
…+++
e is 65537 (0x10001)

openssl req -new -key domain.org.key > domain.org.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.

Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:.
Locality Name (eg, city) [Newbury]:.
Organization Name (eg, company) [My Company Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server’s hostname) []:*.domain.org
Email Address []:[email protected]

concatenating them all together:

cat domain.org.crt gd_bundle.crt > domain.org.pem

I tried a random hostname… Firefox tells me this:

wwww3.domain.org uses an invalid security certificate.

The certificate is only valid for the following names:
domain.org , www.domain.org

(Error code: ssl_error_bad_cert_domain)

this is my config:

server {
    listen 80;
    listen 10.122.47.104:443 ssl;
    server_name domain.org *.domain.org;
    root /home/redirects/web/redirects/domain;
    index index.php;
    location ~ \.php$ {
        include /etc/nginx/fastcgi.conf;
        fastcgi_pass 127.0.0.1:11030;
    }
    ssl_certificate /etc/nginx/certs/domain.org.crt;
    ssl_certificate_key /etc/nginx/certs/domain.org.key;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP;
    rewrite ^ /index.php?url=$host last;
}

Sorry I don’t have a lot to add, but I thought it worth mentioning
that I just bought and configured a GoDaddy wildcard SSL certificate a
couple weeks ago, and it’s working without any issues. I bought the
low-end ($199/yr) wildcard cert, in case that matters. I’m running
nginx-0.8.29.

Here’s my config:

server {
    listen 1.2.3.4:443;
    server_name *.domain.com;
    ssl on;
    ssl_certificate /etc/ssl/certs/any.domain.com.crt;
    ssl_certificate_key /etc/ssl/private/any.domain.com.key;
}

From what Firefox says, it almost sounds like GoDaddy gave you a
non-wildcard cert. (I believe all their non-wildcard certs are valid
for both domain.com and www.domain.com.)

Again, this likely isn’t much help other than knowing that someone
else has this working.

Nick

How did you create /etc/ssl/certs/any.domain.com.crt?

Happen to have your openssl commands or whatever you did to generate
your CSR/etc there?

Thanks, I have the same cert type, it’s nice to know it’s working. Not
sure why it isn’t for me.

This article might be of help:
http://nginx.org/en/docs/http/configuring_https_servers.html

On 06.02.2010, at 8:00, Mark M. wrote:

On Fri, Feb 5, 2010 at 8:43 PM, Michael S. [email protected] wrote:

How did you create /etc/ssl/certs/any.domain.com.crt?

Happen to have your openssl commands or whatever you did to generate
your CSR/etc there?

Thanks, I have the same cert type, it’s nice to know it’s working. Not
sure why it isn’t for me.

[…]

Peter.

On Fri, Feb 5, 2010 at 9:00 PM, Mark M. [email protected] wrote:

What’s the output of
openssl rsa -noout -modulus -in /etc/nginx/certs/domain.org.key
and
openssl x509 -noout -modulus -in /etc/nginx/certs/domain.org.crt

Nope - I redid it multiple times, and just did what you said and it
came out a match.

Also, nginx would barf if the key didn’t match, I believe.

Yeah when connecting I get this:

Verify return code: 19 (self signed certificate in certificate chain)

which is odd; this is the bundle from Godaddy.

www.domain.org and domain.org have no issues, if I view the cert it
shows me “server alternate names” as being both of those - but if I
try any other aliases it won’t work.

Here’s the process I used. I believe it is from an article at
articles.slicehost.com.

create private key with password (password to be removed later)

openssl genrsa -des3 -out any.domain.com.key.with-password 2048

create CSR using key with password and *.domain.com as Common Name

openssl req -new -key any.domain.com.key.with-password -out any.domain.com.csr

remove password from key

openssl rsa -in any.domain.com.key.with-password -out any.domain.com.key

purchase cert from GoDaddy

download any.domain.com.crt and gd_bundle.crt

add .part to end of any.domain.com.crt filename

concatenate cert with GoDaddy bundle

cat any.domain.com.crt.part gd_bundle.crt > any.domain.com.crt

copy cert and key to /etc/ssl

cp any.domain.com.crt /etc/ssl/certs/
cp any.domain.com.key /etc/ssl/private/

Hope that helps.

On Fri, Feb 5, 2010 at 8:43 PM, Michael S. [email protected] wrote:

[…]

That error sounds like it’s trying to use a key that’s not the same
key you generated the csr with.

What’s the output of
openssl rsa -noout -modulus -in /etc/nginx/certs/domain.org.key
and
openssl x509 -noout -modulus -in /etc/nginx/certs/domain.org.crt
?
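As an added example, not from this thread: the checks the thread arrives at, scripted end to end so they can be rerun after every re-issue. It builds the wildcard key and CSR the way the original post does (CN=*.domain), but also lists the wildcard and the apex as subjectAltName entries, since browsers match the SAN list rather than the CN; a throwaway CA created inside the script stands in for GoDaddy so everything runs offline. It then runs Mark's modulus comparison for the right key and for a wrong one, verifies the leaf against the CA bundle with a hostname check (the command-line equivalent of the "Verify return code" line s_client prints), and confirms the leaf comes first in the concatenated PEM that nginx is given, as in Nick's cat step. example.org, the test CA and every file under $WORK are constructed placeholders; only the openssl command line is required.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a wildcard key/CSR, has a
# throwaway CA sign it in place of GoDaddy, then runs the checks the thread
# converges on. "example.org", the test CA and the files under $WORK are
# constructed placeholders; only the openssl command line is required.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
DOMAIN="example.org"
cd "$WORK"

# 1. Server key and CSR. CN is *.example.org as in the thread, but the
#    wildcard and the apex are also listed as subjectAltName entries,
#    because browsers match the SAN list rather than the CN.
cat > csr.cnf <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = san
[dn]
CN = *.$DOMAIN
[san]
subjectAltName = DNS:*.$DOMAIN, DNS:$DOMAIN
EOF
openssl genrsa -out server.key 2048 2>/dev/null
openssl req -new -key server.key -config csr.cnf -out server.csr

# 2. Throwaway CA (stands in for GoDaddy; gd_bundle.crt plays this role in
#    production). basicConstraints is set explicitly so "openssl verify"
#    accepts it as an issuer regardless of the system openssl.cnf.
cat > ca.cnf <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Placeholder Test CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -x509 -new -key ca.key -config ca.cnf -days 1 -out ca.crt

# 3. Issue the certificate. The SAN is restated via -extfile because
#    "openssl x509 -req" does not copy CSR extensions by default.
printf 'subjectAltName = DNS:*.%s, DNS:%s\n' "$DOMAIN" "$DOMAIN" > ext.cnf
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 1 -extfile ext.cnf -out server.crt 2>/dev/null

# 4. Concatenate in the order nginx expects: leaf first, then the chain.
cat server.crt ca.crt > server.pem

# A second key that was never used for the CSR, to show the mismatch case.
openssl genrsa -out wrong.key 2048 2>/dev/null

# --- checks ---------------------------------------------------------------

# Mark's test from the thread: key and certificate must share one modulus.
modulus_matches() { # $1 = key file, $2 = cert file
  [ "$(openssl rsa -noout -modulus -in "$1")" = \
    "$(openssl x509 -noout -modulus -in "$2")" ]
}

# Chain must verify against the CA bundle and the name must be covered
# (the command-line equivalent of the "Verify return code" in s_client).
chain_ok_for() { # $1 = CA bundle, $2 = cert file, $3 = hostname
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Subject of the first certificate in a PEM file; it must be the leaf.
first_subject() { # $1 = PEM bundle
  openssl x509 -noout -subject -in "$1"
}

report() { # $1 = label, remaining args = command to run
  label=$1; shift
  if "$@"; then echo "ok    $label"; else echo "FAIL  $label"; fi
}

report "server.key matches server.crt"     modulus_matches server.key server.crt
report "wrong.key matches server.crt"      modulus_matches wrong.key server.crt
report "www3.$DOMAIN covered"              chain_ok_for ca.crt server.crt "www3.$DOMAIN"
report "$DOMAIN covered"                   chain_ok_for ca.crt server.crt "$DOMAIN"
report "a.b.$DOMAIN covered (two labels)"  chain_ok_for ca.crt server.crt "a.b.$DOMAIN"
echo "first certificate in server.pem: $(first_subject server.pem)"
```

Two things the run makes visible. A wildcard covers exactly one label, so a.b.example.org is reported as not covered even though www3.example.org is; if a certificate shows only the apex and www names, as Firefox reported in the thread, the issued certificate simply does not carry the wildcard, and no nginx setting changes that. Second, per the nginx page Peter linked, ssl_certificate must point at the file that holds the server certificate followed by the chain; a config that still names the bare .crt while the concatenation was written to a .pem serves an incomplete chain, which is what a verify error about the chain from s_client looks like.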