Impossible to add a wildcard SSL certificate


  • Impossible to add a wildcard SSL certificate

    Hello,

    In siteworx, ssl, we can't generate the CSR for a wildcard SSL certificate.

    For this kind of certificate you have to set the CN like this :
    CN=*.mydomain.com

    But if you do this Siteworx complains about a bad CN name

    Pascal

  • #2
    Is this 2.1.3 or a 3.0 box? This is a bug in 2.1.3 and has been fixed in 3.0.
    Socheat Sou
    InterWorx-CP | http://interworx.com
    InterWorx Control Panel



    • #3
      Unfortunately it is still a 2.1.3 (we have only one 3.0.1, and it is not our cluster).

      Do you think it is safe now to go to RC4 for a cluster install?
      We have to install this wildcard cert now and I have more and more tickets asking us why the pointers/subdomain menus are not there!!!
      I'm always saying it is coming soon, soon, ... but ....

      If there is just the doc which is missing and some little bugs, for us the advantages of migrating to v3 will be much more important than staying at v2!

      Could you tell me which kind of "little bug" there still is in RC4 ?

      About the wildcard, could I perform a degraded solution :
      Manually Generate a wildcard CSR like this

      1- Create a conf file
      [ req ]
      default_bits = 1024
      encrypt_key = yes
      distinguished_name = req_dn
      x509_extensions = cert_type
      prompt = no

      [ req_dn ]
      C=FR
      ST=Idf
      L=Paris
      O=Carat-Hosting
      OU=Carat-Hosting NOC
      CN=*.my-domain.com
      emailAddress=contact@my-domain.com

      [ cert_type ]
      nsCertType = server

      2- Run
      openssl req -config carat.cnf -new -out server.csr

      3- Send to the CA this generated CSR

      4- Copy in /home/account/var/domain.com/ssl/ the csr, key and crt


      Should it work ?

      Thanks a ton
      Pascal



      • #4
        Yes, manually generating a CSR should work.
        Socheat Sou
        InterWorx-CP | http://interworx.com
        InterWorx Control Panel



        • #5
          Socheat

          Could you please provide me here the code iworx uses to generate the CSR?

          A wildcard certificate costs some money and I want to be sure the CSR I generate will allow the cert provided by the CA to work!

          Do you have just an example of your CSR generation, or could you please confirm to me that the example I gave will work with Apache/iworx?

          Pascal



          • #6
            We actually use the PHP built-in functions:

            Code:
                $key_res = openssl_get_privatekey( $key );
                $csr_res = openssl_csr_new( $params, $key_res );

                if( $csr_res !== false ) {
                  openssl_csr_export( $csr_res, $csr );
                }

            $key is a string containing the contents of the private key file. $params is an array containing the various values needed to create a CSR:

            http://us.php.net/manual/en/function...sl-csr-new.php

            Afterwards, $csr should be a string containing the CSR data, and can be written to a file using the usual PHP methods.
            Socheat Sou
            InterWorx-CP | http://interworx.com
            InterWorx Control Panel



            • #7
              Ok thanks

              So as you use openssl_get_privatekey it means you have first generated a private key in a file ? right ? how do you generate it ?

              Do you generate a key with openssl_pkey_new(); ?

              Pascal



              • #8
                Code:
                $key_res = openssl_pkey_new();
                openssl_pkey_export( $key_res, $key );

                If you prefer, open a ticket, and I can see if I can quickly patch your box to allow wildcard SSL domains. That might be the safest way.
                Socheat Sou
                InterWorx-CP | http://interworx.com
                InterWorx Control Panel



                • #9
                  Ok thanks, this code works just fine

                  PHP Code:

                  #!/usr/bin/php5-cli -q
                  <?php
                  // Subject (distinguished name) fields for the CSR
                  $dn = array(
                      "countryName" => "UK",
                      "stateOrProvinceName" => "Somerset",
                      "localityName" => "Glastonbury",
                      "organizationName" => "The Brain Room Limited",
                      "organizationalUnitName" => "PHP Documentation Team",
                      "commonName" => "domain.com",
                      "emailAddress" => "wez@example.com"
                  );

                  // Generate a new private (and public) key pair
                  $key = openssl_pkey_new();

                  // Build the CSR from the subject fields and the key
                  $key_res = openssl_get_privatekey( $key );
                  $csr_res = openssl_csr_new( $dn, $key_res );

                  // Export the CSR and the private key to PEM strings
                  if( $csr_res !== false ) {
                      openssl_csr_export( $csr_res, $csr );
                      openssl_pkey_export( $key_res, $key );
                  }

                  echo $key."\n";
                  echo $csr;

                  ?>

                  Thanks a ton socheat
                  Last edited by pascal; 05-17-2007, 08:54 AM.



                  • #10
                    Originally posted by IWorx-Socheat
                    Code:
                    $key_res = openssl_pkey_new();
                    openssl_pkey_export( $key_res, $key );

                    If you prefer, open a ticket, and I can see if I can quickly patch your box to allow wildcard SSL domains. That might be the safest way.

                    Well, I just want to be sure to not buy a cert and have pbms after ;)

                    So if you confirm me that this code is what you do, then I use it, if not and if you have time for this OK to open a ticket. It's up to you ;)

                    Thanks

                    Pascal



                    • #11
                      but as this code

                      PHP Code:

                      #!/usr/bin/php5-cli
                      <?php
                      // Subject (distinguished name) fields for the CSR
                      $dn = array(
                          "countryName" => "UK",
                          "stateOrProvinceName" => "Somerset",
                          "localityName" => "Glastonbury",
                          "organizationName" => "The Brain Room Limited",
                          "organizationalUnitName" => "PHP Documentation Team",
                          "commonName" => "domain.com",
                          "emailAddress" => "wez@example.com"
                      );

                      // Generate a new private (and public) key pair
                      $key = openssl_pkey_new();

                      // Build the CSR from the subject fields and the key
                      $key_res = openssl_get_privatekey( $key );
                      $csr_res = openssl_csr_new( $dn, $key_res );

                      // Export the CSR and the private key to PEM strings
                      if( $csr_res !== false ) {
                          openssl_csr_export( $csr_res, $csr );
                          openssl_pkey_export( $key_res, $key );
                      }

                      echo $key."\n";
                      echo $csr;

                      // Also write the CSR and the private key to files
                      $outcsr="./carat-hosting.csr";
                      $outkey="./carat-hosting.priv.key";
                      if( $csr_res !== false ) {
                          openssl_csr_export_to_file( $csr_res, $outcsr );
                          openssl_pkey_export_to_file( $key_res, $outkey );
                      }

                      ?>

                      gives this and provides two files with the private key and the CSR

                      # ./generate.php
                      -----BEGIN RSA PRIVATE KEY-----
                      -----END RSA PRIVATE KEY-----

                      -----BEGIN CERTIFICATE REQUEST-----
                      -----END CERTIFICATE REQUEST-----

                      I think it should be fine, no ?

                      Maybe it is best you pass your time on the last release than on this kind of pbm ;)
                      Last edited by pascal; 05-17-2007, 09:05 AM.



                      • #12
                        Yes, those should be fine. Just make sure to write them to the proper files (domain.com.priv.key and domain.com.csr). I'd also generate a new private key and keep that one a secret, since you just posted the private key here. :)
                        Socheat Sou
                        InterWorx-CP | http://interworx.com
                        InterWorx Control Panel
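
The pre-purchase check this exchange is after, as an added example that is not part of the original thread or InterWorx's code: generate a fresh key that is never readable by other users, build the wildcard CSR, then confirm the CN, the key/CSR pairing and the CSR's self-signature before sending it to the CA. The domain `example.test`, the subject values and the function names are constructed for illustration; the `subjectAltName` entry is an addition beyond the thread and assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: domain, subject fields and paths are constructed placeholders.

# make_wildcard_csr DOMAIN OUTDIR
# Creates OUTDIR/DOMAIN.priv.key (owner-only) and OUTDIR/DOMAIN.csr for *.DOMAIN.
make_wildcard_csr() {
    domain=$1
    key="$2/$domain.priv.key"
    csr="$2/$domain.csr"
    # umask in a subshell so the key is never readable by group or other.
    ( umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null ) || return 1
    # A wildcard matches a single label only, so the bare domain is listed too.
    # -addext needs OpenSSL 1.1.1 or later (assumption).
    openssl req -new -key "$key" -out "$csr" \
        -subj "/C=FR/ST=Idf/L=Paris/O=Example Hosting/CN=*.$domain" \
        -addext "subjectAltName=DNS:*.$domain,DNS:$domain"
}

# csr_common_name CSR: print the CN exactly as the CA will read it.
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p'
}

# csr_matches_key CSR KEY: succeed only if the CSR carries KEY's public half.
csr_matches_key() {
    from_csr=$(openssl req -in "$1" -noout -pubkey) || return 1
    from_key=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$from_csr" ] && [ "$from_csr" = "$from_key" ]
}

# check_csr CSR KEY DOMAIN: everything worth confirming before paying the CA.
check_csr() {
    [ "$(csr_common_name "$1")" = "*.$3" ] || { echo "CN is not *.$3" >&2; return 1; }
    csr_matches_key "$1" "$2" || { echo "CSR does not match key" >&2; return 1; }
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK" ||
        { echo "CSR self-signature is invalid" >&2; return 1; }
}

# Demo in a throwaway directory; nothing here is a real key or request.
demo_dir=$(mktemp -d)
make_wildcard_csr example.test "$demo_dir" &&
    check_csr "$demo_dir/example.test.csr" "$demo_dir/example.test.priv.key" example.test &&
    echo "CSR for $(csr_common_name "$demo_dir/example.test.csr") is ready to submit"
rm -rf "$demo_dir"
```

Only the `.csr` file goes to the CA; the `.priv.key` file stays on the server.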



                        • #13
                          Ah, I see that you did write them to the correct file names. Nevermind. :)
                          Socheat Sou
                          InterWorx-CP | http://interworx.com
                          InterWorx Control Panel



                          • #14
                            ha ha ha yes for sure ;)

                            It was just an example!!!

                            Thanks Socheat I'll use this script to buy the wildcard cert.

                            Pascal



                            • #15
                              Just to let you know that

                              SSL Data was successfully migrated
                              There is an SSL certificate installed on the domain: *.carat-hosting.com. You have the following options available:
                              Thanks again Socheat for your help

                              Pascal
