Impossible to add a wildcard SSL certificate

Hello,

In siteworx, ssl, we can’t generate the CSR for a wildcard SSL certificate.

For this kind of certificate you have to set the CN like this :
CN=*.mydomain.com

But if you do this Siteworx complains about a bad CN name

Pascal

Is this 2.1.3 or a 3.0 box? This is a bug in 2.1.3 and has been fixed in 3.0.

Unfortunately it is still a 2.1.3 (we have only one 3.0.1, and it is not our cluster).

Do you think it is safe now to go to RC4 for a cluster install ?
We have to install this wildcard cert now and I have more and more tickets asking us why the pointers/subdomain menus are not there !!!
I’m always saying it is coming soon, soon, … but …

If there is just the doc which is missing and some little bugs, for us the advantages of migrating to v3 will be much more important than staying at v2 !

Could you tell me which kind of “little bug” there still is in RC4 ?

About the wildcard, could I perform a degraded solution :
Manually Generate a wildcard CSR like this

1- Create a conf file

    [ req ]
    default_bits = 1024
    encrypt_key = yes
    distinguished_name = req_dn
    x509_extensions = cert_type
    prompt = no

    [ req_dn ]
    C=FR
    ST=Idf
    L=Paris
    O=Carat-Hosting
    OU=Carat-Hosting NOC
    CN=*.my-domain.com
    emailAddress=contact@my-domain.com

    [ cert_type ]
    nsCertType = server

2- Run

    openssl req -config carat.cnf -new -out server.csr

3- Send to the CA this generated CSR

4- Copy in /home/account/var/domain.com/ssl/ the csr, key and crt

Should it work ?

Thanks a ton
Pascal
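The manual procedure in the post above, followed by the check to run before paying a CA: confirm the CSR carries the wildcard CN and that its public key is the one in the private key file. This is an added example, not part of the original posts and not InterWorx code; the domain `example.test`, the DN values, the 2048-bit key size, the `subjectAltName` entry, the unencrypted key (so it runs without a passphrase prompt) and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: build a wildcard CSR from a config file and check it
# before it is sent to a CA. Domain and DN values are constructed.
set -eu

# usage: make_wildcard_csr <domain> <outdir>
# Runs in a subshell so the umask change does not leak to the caller.
make_wildcard_csr() (
    domain=$1; dir=$2
    umask 077                       # key and config readable by owner only
    mkdir -p "$dir"
    cat > "$dir/req.cnf" <<EOF
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_dn
req_extensions = req_ext
prompt = no

[ req_dn ]
C = FR
O = Example Hosting
CN = *.$domain

[ req_ext ]
subjectAltName = DNS:*.$domain, DNS:$domain
EOF
    openssl req -config "$dir/req.cnf" -new \
        -keyout "$dir/$domain.priv.key" -out "$dir/$domain.csr" 2>/dev/null
)

# Print the subject line exactly as the CA will read it.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# Return 0 only if the CSR self-signature verifies and the public key
# inside the CSR is the public half of the given private key.
csr_matches_key() {
    csr=$1; key=$2
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    [ "$(openssl req -in "$csr" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
}

# Typical use:
#   make_wildcard_csr example.test ./out
#   csr_subject ./out/example.test.csr
#   csr_matches_key ./out/example.test.csr ./out/example.test.priv.key && echo OK
```

The same public-key comparison works after issuance by replacing the `openssl req ... -pubkey` side with `openssl x509 -in cert.crt -noout -pubkey`.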

Yes, manually generating a CSR should work.

Socheat

Could you please provide me here the code iworx uses to generate the CSR.

A wildcard certificate costs some money and I want to be sure the CSR I generate will allow the cert provided by the CA to work !

Do you have just an example of your CSR generation, or could you please confirm to me that the example I gave will work with Apache/iworx

Pascal

We actually use the PHP built in functions:


    $key_res = openssl_get_privatekey( $key );
    $csr_res = openssl_csr_new( $params, $key_res );

    if( $csr_res !== false ) {
      openssl_csr_export( $csr_res, $csr );
    }

$key is a string containing the contents of the private key file. $params is an array containing the various values needed to create a CSR:

http://us.php.net/manual/en/function.openssl-csr-new.php

Afterwards, $csr should be a string containing the CSR data, and can be written to a file using the usual PHP methods.

Ok thanks

So as you use openssl_get_privatekey it means you have first generated a private key in a file ? right ? how do you generate it ?

Do you generate a key with openssl_pkey_new(); ?

Pascal


    $key_res = openssl_pkey_new();
    openssl_pkey_export( $key_res, $key );

If you prefer, open a ticket, and I can see if I can quickly patch your box to allow wildcard SSL domains. That might be the safest way.

Ok thanks, this code works just fine



    #!/usr/bin/php5-cli -q
    <?php
    // Distinguished name fields that go into the CSR subject
    $dn = array(
        "countryName" => "UK",
        "stateOrProvinceName" => "Somerset",
        "localityName" => "Glastonbury",
        "organizationName" => "The Brain Room Limited",
        "organizationalUnitName" => "PHP Documentation Team",
        "commonName" => "domain.com",
        "emailAddress" => "wez@example.com"
    );

    // Generate a new private (and public) key pair
    $key = openssl_pkey_new();

    // Get a key handle and build the CSR signed with that key
    $key_res = openssl_get_privatekey( $key );
    $csr_res = openssl_csr_new( $dn, $key_res );

    if( $csr_res !== false ) {
        // Export the CSR and the private key as PEM strings
        openssl_csr_export( $csr_res, $csr );
        openssl_pkey_export( $key_res, $key );

        // Print only when both exports have run
        echo $key."\n";
        echo $csr;
    }

    ?>

Thanks a ton socheat

[QUOTE=IWorx-Socheat;13015]


$key_res = openssl_pkey_new();
openssl_pkey_export( $key_res, $key );

If you prefer, open a ticket, and I can see if I can quickly patch your box to allow wildcard SSL domains. That might be the safest way.[/QUOTE]

Well, I just want to be sure not to buy a cert and have problems after :wink:

So if you confirm to me that this code is what you do, then I'll use it; if not, and if you have time for this, OK to open a ticket. It’s up to you :wink:

Thanks

Pascal

but as this code


    #!/usr/bin/php5-cli
    <?php
    // Distinguished name fields that go into the CSR subject
    $dn = array(
        "countryName" => "UK",
        "stateOrProvinceName" => "Somerset",
        "localityName" => "Glastonbury",
        "organizationName" => "The Brain Room Limited",
        "organizationalUnitName" => "PHP Documentation Team",
        "commonName" => "domain.com",
        "emailAddress" => "wez@example.com"
    );

    // Generate a new private (and public) key pair
    $key = openssl_pkey_new();

    // Get a key handle and build the CSR signed with that key
    $key_res = openssl_get_privatekey( $key );
    $csr_res = openssl_csr_new( $dn, $key_res );

    $outcsr="./carat-hosting.csr";
    $outkey="./carat-hosting.priv.key";

    if( $csr_res !== false ) {
        // Export the CSR and the private key as PEM strings and print them
        openssl_csr_export( $csr_res, $csr );
        openssl_pkey_export( $key_res, $key );
        echo $key."\n";
        echo $csr;

        // Write the same CSR and private key to files
        openssl_csr_export_to_file( $csr_res, $outcsr );
        openssl_pkey_export_to_file( $key_res, $outkey );
    }

    ?>


gives this and provides two files with the private key and the CSR

    ./generate.php

I think it should be fine, no ?

Maybe it is best you pass your time on the last release than on this kind of pbm :wink:

Yes, those should be fine. Just make sure to write them to the proper files (domain.com.priv.key and domain.com.csr). I’d also generate a new private key and keep that one a secret, since you just posted the private key here. :slight_smile:

Ah, I see that you did write them to the correct file names. Nevermind. :slight_smile:

ha ha ha yes of sure :wink:

It was just example !!!

Thanks Socheat I’ll use this script to buy the wildcard cert.

Pascal

Just to let you know that

SSL Data was successfully migrated
There is an SSL certificate installed on the domain: *.carat-hosting.com. You have the following options available:

Thanks again Socheat for your help

Pascal