SSL wildcard domains problem

simisimis (Verified User; joined Mar 26, 2012; 31 messages; location: Amsterdam)
Hello all,

I have a problem understanding SSL certificates. I needed to replace the currently owned self-signed SSL certificates with ones from a trusted authority. I am working in a university and it has some policies for getting them. I found in a DirectAdmin forum how to generate the request:
Code:
  /usr/bin/openssl genrsa 2048 > /root/private.key
  /usr/bin/openssl req -new -key /root/private.key > /root/private.csr

For the CN I used more than one domain, e.g.
*.subdomain1.domain.com
*.subdomain2.domain.com
*.subdomain3.domain.com
Please note that I am using wildcards as well, because different resellers are using different subdomain pools.
Then the department responsible for SSL certificates signed the certificate and sent me two files:
cert-trusted.crt
chain-trusted.crt

I copied the key and crt files to /etc/httpd/conf/ssl.crt/ and /etc/httpd/conf/ssl.key/
I followed one tutorial in this forum copying the content of the key and crt files to
/usr/local/directadmin/conf/cacert.pem
/usr/local/directadmin/conf/cakey.pem
I am not sure if I did that correctly, but the chain crt I copied to
/usr/local/directadmin/conf/carootcert.pem
I also edited the /usr/local/directadmin/data/templates/custom/virtual_host2_secure.conf file, specifying the correct certificates.
When I create a user, in /usr/local/directadmin/data/users/user1/httpd.conf I see the SSL section:
Code:
        SSLEngine on
        SSLCertificateFile /etc/httpd/conf/ssl.crt/cert-trusted.crt
        SSLCertificateKeyFile /etc/httpd/conf/ssl.key/cert-trusted.key
        SSLCertificateChainFile /etc/httpd/conf/ssl.crt/chain-trusted.crt
        SSLCACertificateFile /etc/httpd/conf/ssl.crt/cert-trusted.crt
So here is the problem: when I try to access https://subdomain3.domain.com through Firefox I am getting a "This Connection is Untrusted" warning, in whose details I am being told:

Code:
subdomain3.domain.com uses an invalid security certificate.
The certificate is only valid for subdomain1.domain.com
(Error code: ssl_error_bad_cert_domain)

I have been trying to look for how to replace the self-signed certificates with the trusted ones, which would be used by any site created through the DA panel, and to understand the mechanics of how the chain SSL crt works, however unsuccessfully. So I was wondering, maybe anybody could give me some tips on how to do it?
Thank you
Simonas
 
From the error, this is not an issue with the Certificate not being trusted; it's an issue with how the CSR is created; you don't just create multiple names in one CN field. I don't know the details but one of the hits found by searching for create csr with multiple common names may help you. If your University has a relationship with a Certificate Vendor, they may be able to help you.

We resell Certificates from several CAs, and I've passed on a request for instructions for creating such CSRs to the CA tech support people. I'll post again if we can help you.

Jeff
 
Thank you for the reply. Yes, the university buys certificates from some particular company. The thing is that they have a form that I need to fill in; as the CN I used my server's hostname, the wildcarded subdomains I specified in the comments section of that form, and they made a certificate out of my supplied details. And I am pretty sure they created that in the right way. The thing that concerns me is: what is the procedure for putting these kinds of certificates in the proper places, and which config files do I need to edit? E.g.
I assume that SSLCertificateKeyFile is for the key and SSLCertificateChainFile is for the chain, but
* should SSLCertificateFile/SSLCACertificateFile in the user's httpd.conf define the chain or the main certificate?
* should I enable SNI, or is it meant for a different purpose?

Basically I am wondering: if you received two certificates that you needed to place and define somewhere, what would the steps be?

I am going to read more about those keywords you provided; maybe they actually did create it in the wrong way. However, I am new to SSL things and I would like to get some comments on how, in this particular situation, I should use those two crt files and the key.
Appreciate your help,

Simonas
 
One more thing to add:
I viewed the cert and chain files in the terminal with openssl x509:
Code:
# openssl x509 -in certificate.crt -noout -text
<..>
Subject: C=COM, O=university, OU=UNI, CN=hostname.subdomain1.domain.com
<..>

and it displays the alternative names correctly, at least what I asked for:
Code:
X509v3 Subject Alternative Name: 
DNS:hostname.subdomain1.domain.com, 
DNS:*.subdomain2.domain.com, 
DNS:*.subdomain3.domain.com, 
DNS:*.subdomain4.domain.com, 
DNS:*.subdomain1.domain.com

And the chain file has only information about the company the university buys the trusted crt from.
Maybe chain.crt is not even necessary?
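The names shown by `openssl x509 -text` above are what a browser actually checks: when a Subject Alternative Name extension is present, browsers match the requested hostname against the SAN entries and ignore the CN, and a wildcard label matches exactly one label, so `*.subdomain3.domain.com` covers `www.subdomain3.domain.com` but not the bare `subdomain3.domain.com` from the error message. The following is an added Python example, not code from the thread or from DirectAdmin; it parses a constructed `openssl x509 -text` excerpt modelled on the one quoted above and applies those matching rules, so you can check offline which hostnames a given certificate will be accepted for.

```python
"""Extract CN and SAN DNS names from `openssl x509 -text` output and check
hostnames against them using browser-style rules (SAN preferred over CN,
wildcard only as the whole leftmost label, matching exactly one label).
Added example; the sample text below is constructed, not real output."""
import re

# Constructed excerpt modelled on the thread's openssl output.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Subject: C=COM, O=university, OU=UNI, CN=hostname.subdomain1.domain.com
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:hostname.subdomain1.domain.com, DNS:*.subdomain2.domain.com,
                DNS:*.subdomain3.domain.com, DNS:*.subdomain4.domain.com,
                DNS:*.subdomain1.domain.com
            X509v3 Basic Constraints: 
                CA:FALSE
"""


def parse_cert_names(text):
    """Return (cn, [san dns names]) from openssl's human-readable dump."""
    cn = None
    m = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,\n]+)", text, re.M)
    if m:
        cn = m.group(1).strip()
    sans = []
    # The SAN block runs from its header line up to the next X509v3 extension.
    m = re.search(r"X509v3 Subject Alternative Name:\s*\n(.*?)(?=\n\s*X509v3|\Z)",
                  text, re.S)
    if m:
        sans = re.findall(r"DNS:([^\s,]+)", m.group(1))
    return cn, sans


def name_matches(pattern, hostname):
    """RFC 6125-style comparison of one certificate name with a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the entire leftmost label, nowhere else, and must not
    # be broad enough to cover a public suffix like "*.com".
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # "*" matches exactly one label, so label counts must agree
    return p_labels[1:] == h_labels[1:]


def hostname_is_covered(hostname, cn, sans):
    """Browsers consult the SAN list when present and fall back to CN only
    when the certificate carries no SAN extension at all."""
    names = sans if sans else ([cn] if cn else [])
    return any(name_matches(n, hostname) for n in names)


if __name__ == "__main__":
    cn, sans = parse_cert_names(SAMPLE_X509_TEXT)
    print("CN:", cn)
    print("SAN:", sans)
    for host in ("subdomain3.domain.com", "www.subdomain3.domain.com",
                 "hostname.subdomain1.domain.com", "a.b.subdomain3.domain.com"):
        print(f"{host:35} covered: {hostname_is_covered(host, cn, sans)}")
```

Run it against your own dump with `openssl x509 -in cert-trusted.crt -noout -text` piped into a file and loaded in place of the constructed sample; a hostname that comes back `False` here will produce exactly the `ssl_error_bad_cert_domain` warning quoted earlier, regardless of whether the chain file is installed.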
 
I checked with the GlobalSign dedicated reseller support team, and they wrote that Certificates set up this way:
Code:
*.subdomain1.domain.com
*.subdomain2.domain.com
*.subdomain3.domain.com
are not available. So they can't help with specific setup instructions. Perhaps what you want isn't available and you and your University's supplier are miscommunicating.

In any event, this is not a DirectAdmin issue at all, since you're using openssl directly to create the CSR. Did you test your CSR to see if you prepared it correctly? You can do that here (sslshopper.com) (chosen at random from a duckduckgo search).

If you are getting the CSR you need then it's possible the Certificate creation process is simply using the first CN field and ignoring the rest; I've searched and found comments that this may indeed be the case. And again, if you look carefully at the error message, it appears the Certificate is working for the first CN but not the others, so this seems to be the answer.

Whether or not the chain.crt is required would depend on your CA; I'm guessing it is, and that it's got nothing to do with the issue; it's merely telling your local systems to trust the Certificate from that CA.

I suggest that if there is an answer, and a way to do what you want, then your CA will need to give you the definitive answer.

Jeff
 
Thank you Jeff for your comments, now I know where to look for the problem and who to talk to. Because I created the CSR only with one CN, and commented about the wildcarded subdomains in their form, they took the CSR, took the additional subdomains from the form I filled in, and made the certificates. I am going to find that out anyway and will comment on it here. However it might take time, because of all the bureaucracy here :)

BTW I tested the CSR in the link you provided; it says that everything is correct, but that's a request without subdomains in it, just with the hostname as the CN.
And more, I tried to check the certificates for my websites through this site
http://www.digicert.com/help/
and I saw that the site is using the old certificate.
So if I am querying something.subdomain.domain.com I see that it uses the old certificate.
If I am querying the hostname I see that the new certificate is being used.

But then the question is what config I should edit and what service to restart to get it fixed,
because I checked in /usr/local/directadmin/data/users/username/httpd.conf
and the
Code:
        SSLEngine on
        SSLCertificateFile /etc/httpd/conf/domain.com/new_cert.crt
        SSLCertificateKeyFile /etc/httpd/conf/domain.com/new_cert.key
        SSLCertificateChainFile /etc/httpd/conf/domain.com/chain-new_cert.crt
        SSLCACertificateFile /etc/httpd/conf/domain.com/new_cert.crt

are correct.
I checked that the /etc/httpd/conf/ssl.crt/ and ssl.key/ directories have server.crt, server.key and ca_server.crt, which are copies of my new cert file collection. I also copied them respectively to the files below

/usr/local/directadmin/conf/cacert.pem
/usr/local/directadmin/conf/cakey.pem
/usr/local/directadmin/conf/carootcert.pem

Any ideas how to force it to use the new certificate, and which file could be overriding my new settings?
Thank you a lot for staying with me on this.
Regards,
Simonas
 
The way I'd approach this would be to check the apache logs to see which domain is processing the request. Once I've done that I'd look at the domain-specific httpd.conf file to see where it points, and then I'd see if the proper Certificates are installed in the locations specified in that file.

Jeff
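Jeff's approach (find which vhost handles the request, then check what that vhost's config points at) explains the symptom reported above, where the hostname shows the new certificate but an arbitrary subdomain shows the old one: when the name sent by the browser (SNI) matches no ServerName or ServerAlias, Apache serves the request from the default vhost, i.e. the first one configured for that address and port, and presents whatever certificate that vhost has. The following is an added Python example, not code from the thread, DirectAdmin or Apache; it models that selection with constructed vhost entries and a constructed old/new certificate layout, and it assumes the first vhost in the list is the default, as Apache treats it.

```python
"""Simplified model of Apache name-based vhost selection for a TLS request,
showing why an unmatched name is served with the default vhost's certificate.
Added example with constructed data; the paths are illustrative, not taken
from a real DirectAdmin installation."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class VHost:
    server_name: str
    cert_file: str          # value of SSLCertificateFile for this vhost
    aliases: list = field(default_factory=list)  # ServerAlias entries


def _name_matches(vh, host):
    if vh.server_name.lower() == host:
        return True
    # ServerAlias accepts shell-style wildcards; unlike certificate names,
    # '*' here may span several labels, which fnmatch reproduces.
    return any(fnmatchcase(host, alias.lower()) for alias in vh.aliases)


def select_vhost(vhosts, requested_host):
    """Return (vhost, is_default). The first vhost whose ServerName or a
    ServerAlias matches wins; with no match Apache falls back to the first
    vhost defined for that address, the default vhost."""
    host = requested_host.lower().rstrip(".")
    for vh in vhosts:
        if _name_matches(vh, host):
            return vh, False
    return vhosts[0], True


def presented_cert(vhosts, requested_host):
    """Which certificate file the client will be shown for this name."""
    vh, _ = select_vhost(vhosts, requested_host)
    return vh.cert_file


def vhosts_not_using(vhosts, expected_cert):
    """Audit helper: ServerNames whose SSLCertificateFile is not the
    certificate you meant to deploy (candidates for 'what is overriding me')."""
    return [vh.server_name for vh in vhosts if vh.cert_file != expected_cert]


# Constructed vhost list, in configuration order. The shared-IP default vhost
# comes first and still points at the old self-signed server.crt.
OLD_CERT = "/etc/httpd/conf/ssl.crt/server.crt"          # hypothetical
NEW_CERT = "/etc/httpd/conf/domain.com/new_cert.crt"     # hypothetical
VHOSTS = [
    VHost("sharedip.example", OLD_CERT),
    VHost("hostname.subdomain1.domain.com", NEW_CERT, ["*.subdomain1.domain.com"]),
]


if __name__ == "__main__":
    for host in ("hostname.subdomain1.domain.com",
                 "user1.subdomain1.domain.com",
                 "something.subdomain3.domain.com"):
        vh, is_default = select_vhost(VHOSTS, host)
        print(f"{host:35} -> {vh.server_name:32} "
              f"default={is_default} cert={vh.cert_file}")
    print("vhosts still on another cert:", vhosts_not_using(VHOSTS, NEW_CERT))
```

In practice the equivalent of `select_vhost` is what `apachectl -S` (or `httpd -S`) prints for the running configuration: it lists every name-based vhost per address, marks the default, and names the config file each one comes from, which tells you which file to edit before restarting httpd.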
 