Impossible to add a wildcard SSL certificate


pascal
05-17-2007, 05:48 AM
Hello,

In SiteWorx, SSL, we can't generate the CSR for a wildcard SSL certificate.

For this kind of certificate you have to set the CN like this:
CN=*.mydomain.com

But if you do this, SiteWorx complains about a bad CN name.

Pascal

IWorx-Socheat
05-17-2007, 06:07 AM
Is this 2.1.3 or a 3.0 box? This is a bug in 2.1.3 and has been fixed in 3.0.

pascal
05-17-2007, 06:20 AM
Unfortunately it is still a 2.1.3 (we have only one 3.0.1, and it is not our cluster).

Do you think it is safe now to go to RC4 for a cluster install?
We have to install this wildcard cert now and I have more and more tickets asking us why the pointers/subdomain menus are not there!!!
I'm always saying it is coming soon, soon, ... but ....

If it is just the doc which is missing and some little bugs, for us the advantages of migrating to v3 will be much more important than staying at v2!

Could you tell me which kind of "little bug" there still is in RC4?

About the wildcard, could I perform a degraded solution:
Manually generate a wildcard CSR like this

1- Create a conf file

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C=FR
ST=Idf
L=Paris
O=Carat-Hosting
OU=Carat-Hosting NOC
CN=*.my-domain.com
emailAddress=contact@my-domain.com

[ cert_type ]
nsCertType = server


2- Run

openssl req -config carat.cnf -new -out server.csr


3- Send to the CA this generated CSR

4- Copy in /home/account/var/domain.com/ssl/ the csr, key and crt


Should it work?

Thanks a ton
Pascal

IWorx-Socheat
05-17-2007, 06:23 AM
Yes, manually generating a CSR should work.

pascal
05-17-2007, 07:50 AM
Socheat

Could you please provide me here the code iworx uses to generate the CSR.

A wildcard certificate costs some money and I want to be sure the CSR I generate will allow the cert provided by the CA to work!

Do you have just an example of your CSR generation, or could you please confirm to me that the example I gave will work with Apache/iworx?

Pascal

IWorx-Socheat
05-17-2007, 08:31 AM
We actually use the PHP built in functions:


$key_res = openssl_get_privatekey( $key );
$csr_res = openssl_csr_new( $params, $key_res );

if( $csr_res !== false ) {
openssl_csr_export( $csr_res, $csr );
}


$key is a string containing the contents of the private key file. $params is an array containing the various values needed to create a CSR:

http://us.php.net/manual/en/function.openssl-csr-new.php

Afterwards, $csr should be a string containing the CSR data, and can be written to a file using the usual PHP methods.

pascal
05-17-2007, 08:41 AM
Ok thanks

So as you use openssl_get_privatekey, it means you have first generated a private key in a file? Right? How do you generate it?

Do you generate a key with openssl_pkey_new()?

Pascal

IWorx-Socheat
05-17-2007, 08:49 AM
$key_res = openssl_pkey_new();
openssl_pkey_export( $key_res, $key );


If you prefer, open a ticket, and I can see if I can quickly patch your box to allow wildcard SSL domains. That might be the safest way.

pascal
05-17-2007, 08:49 AM
OK, thanks, this code works just fine



#!/usr/bin/php5-cli -q
<?php
// Subject (DN) of the request; commonName is the name the CA will issue for
$dn = array(
"countryName" => "UK",
"stateOrProvinceName" => "Somerset",
"localityName" => "Glastonbury",
"organizationName" => "The Brain Room Limited",
"organizationalUnitName" => "PHP Documentation Team",
"commonName" => "domain.com",
"emailAddress" => "wez@example.com"
);

// Generate a new private (and public) key pair; the result is already
// a key resource, so no openssl_get_privatekey() call is needed
$key_res = openssl_pkey_new();

// Build the CSR from the DN and the key
$csr_res = openssl_csr_new( $dn, $key_res );

if( $csr_res !== false ) {
// Export the CSR and the private key as PEM strings
openssl_csr_export( $csr_res, $csr );
openssl_pkey_export( $key_res, $key );
}

echo $key."\n";
echo $csr;

?>


Thanks a ton socheat
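As an added example (not code from this thread or from InterWorx), the following script is the PHP counterpart of the manual openssl procedure above, but it goes further: it sets the wildcard CN, adds a subjectAltName carrying both the wildcard and the apex name, uses a 2048-bit key with SHA-256, writes the key with mode 0600 and checks the CSR subject before anything is sent to a CA. The domain and output directory are placeholders; SiteWorx itself keeps the files under /home/<account>/var/<domain>/ssl/.

```php
<?php
// Added example, not the thread's or InterWorx's code: generate a 2048-bit RSA
// key and a wildcard CSR with PHP's openssl extension, then verify the CSR
// subject before buying a certificate for it.
$domain = 'example.com';                         // placeholder apex domain
$outDir = sys_get_temp_dir();                    // placeholder output directory

$dn = [
    'countryName'            => 'FR',
    'stateOrProvinceName'    => 'Idf',
    'localityName'           => 'Paris',
    'organizationName'       => 'Example Hosting',
    'organizationalUnitName' => 'NOC',
    'commonName'             => "*.$domain",     // the wildcard name
    'emailAddress'           => "contact@$domain",
];

// Minimal OpenSSL config: a subjectAltName with the wildcard and the apex,
// since a wildcard does not cover the bare domain and clients match on SAN.
$cnf = tempnam(sys_get_temp_dir(), 'csr');
file_put_contents($cnf, "[req]\ndistinguished_name = req_dn\n[req_dn]\n"
    . "[v3_req]\nsubjectAltName = DNS:*.$domain, DNS:$domain\n");

$keyRes = openssl_pkey_new(['private_key_bits' => 2048,
                            'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$csrRes = $keyRes ? openssl_csr_new($dn, $keyRes, ['config' => $cnf,
    'digest_alg' => 'sha256', 'req_extensions' => 'v3_req']) : false;
unlink($cnf);
if ($csrRes === false) {
    fwrite(STDERR, 'CSR generation failed: ' . openssl_error_string() . "\n");
    exit(1);
}

// Refuse to continue if the CN is not the wildcard that was requested.
$subject = openssl_csr_get_subject($csrRes);
if (($subject['CN'] ?? '') !== "*.$domain") {
    fwrite(STDERR, "unexpected CN in CSR\n");
    exit(1);
}

// Export: the key goes to a 0600 file and is never shared; the CSR is the
// only artefact that goes to the CA.
openssl_csr_export($csrRes, $csrPem);
openssl_pkey_export($keyRes, $keyPem);
$oldMask = umask(0177);
file_put_contents("$outDir/$domain.priv.key", $keyPem);
umask($oldMask);
file_put_contents("$outDir/$domain.csr", $csrPem);
echo $csrPem;
```

The generated CSR can be cross-checked with `openssl req -in example.com.csr -noout -text` to confirm that both the CN and the SAN entries are present before ordering.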

pascal
05-17-2007, 08:52 AM
$key_res = openssl_pkey_new();
openssl_pkey_export( $key_res, $key );


If you prefer, open a ticket, and I can see if I can quickly patch your box to allow wildcard SSL domains. That might be the safest way.


Well, I just want to be sure not to buy a cert and have problems after ;)

So if you confirm to me that this code is what you do, then I'll use it; if not, and if you have time for this, OK to open a ticket. It's up to you ;)

Thanks

Pascal

pascal
05-17-2007, 08:56 AM
But as this code

#!/usr/bin/php5-cli
<?php
// Subject (DN) of the request
$dn = array(
"countryName" => "UK",
"stateOrProvinceName" => "Somerset",
"localityName" => "Glastonbury",
"organizationName" => "The Brain Room Limited",
"organizationalUnitName" => "PHP Documentation Team",
"commonName" => "domain.com",
"emailAddress" => "wez@example.com"
);

// Generate a new private (and public) key pair (already a key resource)
$key_res = openssl_pkey_new();

// Build the CSR from the DN and the key
$csr_res = openssl_csr_new( $dn, $key_res );

if( $csr_res !== false ) {
// Export both as PEM strings for display
openssl_csr_export( $csr_res, $csr );
openssl_pkey_export( $key_res, $key );
}

echo $key."\n";
echo $csr;

// Also write the CSR and the private key to files
$outcsr="./carat-hosting.csr";
$outkey="./carat-hosting.priv.key";
if( $csr_res !== false ) {
openssl_csr_export_to_file( $csr_res, $outcsr );
openssl_pkey_export_to_file( $key_res, $outkey );
}

?>



gives this and produces two files with the private key and the CSR


# ./generate.php
I think it should be fine, no?

Maybe it is best you spend your time on the latest release rather than on this kind of problem ;)

IWorx-Socheat
05-17-2007, 09:26 AM
Yes, those should be fine. Just make sure to write them to the proper files (domain.com.priv.key and domain.com.csr). I'd also generate a new private key and keep that one a secret, since you just posted the private key here. :)

IWorx-Socheat
05-17-2007, 09:28 AM
Ah, I see that you did write them to the correct file names. Nevermind. :)

pascal
05-17-2007, 09:30 AM
Ha ha ha, yes of course ;)

It was just an example!!!

Thanks Socheat I'll use this script to buy the wildcard cert.

Pascal

pascal
05-17-2007, 09:46 AM
Just to let you know that


» SSL Data was successfully migrated
There is an SSL certificate installed on the domain: *.carat-hosting.com. You have the following options available:


Thanks again Socheat for your help

Pascal