Generating a new CSR

My domain is:
I have 9 domains:
bagpiper.net
bravewaves.com
caulfieldtrio.com
josephgeorgemcdonald.com
joemcdonald.net
pianist-organist.com
ripvanfinn.com
theoktoberators.com
thekingsofsingh.com

I recently removed a domain that was on this list and added josephgeorgemcdonald.com, so I need a new CSR.

I ran this command:

openssl req -new -sha256 -key domain.key -subj "/"
-reqexts SAN -config <(cat /etc/ssl/openssl.cnf
<(printf "\n[SAN]\nsubjectAltName=DNS:bagpiper.net,DNS:www.bagpiper.net,DNS:bravewaves.com,www.bravewaves.com,DNS:caulfieldtrio.com,DNS:www.caulfieldtrio.com,DNS:josephgeorgemcdonald.com,DNS:www.josephgeorgemcdonald.com,DNS:joemcdonald.net,DNS:www.joemcdonald.net,DNS:pianist-organist.com,DNS:www.pianist-organist.com,DNS:ripvanfinn.com,DNS:www.ripvanfinn.com,DNS:theoktoberators.com,DNS:www.theoktoberators.com,DNS:thekingsofsingh.com,DNS:www.thekingsofsingh.com"))

It produced this output:

cat: /etc/ssl/openssl.cnf: No such file or directory
Error Loading request extension section SAN
34359738384:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing value:crypto/x509v3/v3_alt.c:528:
34359738384:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:crypto/x509v3/v3_conf.c:47:name=subjectAltName, value=DNS:bagpiper.net,DNS:www.bagpiper.net,DNS:bravewaves.com,www.bravewaves.com,DNS:caulfieldtrio.com,DNS:www.caulfieldtrio.com,DNS:josephgeorgemcdonald.com,DNS:www.josephgeorgemcdonald.com,DNS:joemcdonald.net,DNS:www.joemcdonald.net,DNS:pianist-organist.com,DNS:www.pianist-organist.com,DNS:ripvanfinn.com,DNS:www.ripvanfinn.com,DNS:theoktoberators.com,DNS:www.theoktoberators.com,DNS:thekingsofsingh.com,DNS:www.thekingsofsingh.com

My web server is (include version):
GoDaddy

The operating system my web server runs on is (include version):
GoDaddy

My hosting provider, if applicable, is:
GoDaddy

I can login to a root shell on my machine (yes or no, or I don't know):
I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

cPanel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

not sure

Thanks!!!

4 Likes

I think you're missing a "DNS:" in there.

3 Likes

Hey Joseph :slightly_smiling_face:

To generate a SAN CSR with OpenSSL, the configuration file needs to be formatted a specific way. Here is the section of CertSage that generates the CSR:

// *** GENERATE CSR ***

$dn = [
  "commonName" => $domainNames[0]
];

$options = [
  "digest_alg" => "sha256",
  "config" => $this->dataDirectory . "/openssl.cnf"
];

$opensslcnf =
  "[req]\n" .
  "distinguished_name = req_distinguished_name\n" .
  "req_extensions = v3_req\n\n" .
  "[req_distinguished_name]\n\n" .
  "[v3_req]\n" .
  "subjectAltName = @san\n\n" .
  "[san]\n";

$i = 0;
foreach ($domainNames as $domainName)
{
  ++$i;
  $opensslcnf .= "DNS.$i = $domainName\n";
}

try
{
  $this->writeFile($this->dataDirectory . "/openssl.cnf",
                   $opensslcnf,
                   0600);

  $csrObject = openssl_csr_new($dn, $certificateKey, $options);

  if ($csrObject === false)
    throw new Exception("generate csr failed");
}
finally
{
  $this->deleteFile($this->dataDirectory . "/openssl.cnf");
}

if (!openssl_csr_export($csrObject, $csr))
  throw new Exception("export csr failed");

As you can see, the domain names are listed one per line in the format DNS.# = domain.

3 Likes

Hi Griffin, thanks for your help again!!
So would this be the right format for example:

DNS.# = bagpiper.net
DNS.# = www.bagpiper.net
DNS.# = bravewaves.com
etc

?
If so where would I insert that exactly?

Thanks again!!

3 Likes

You need to give the OpenSSL command the location of an openssl.cnf file containing something like:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]

[v3_req]
subjectAltName = @san

[san]
DNS.1 = bagpiper.net
DNS.2 = www.bagpiper.net
DNS.3 = bravewaves.com

3 Likes
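As an added example (not code from the thread, from CertSage, or from anyone posting here), this POSIX shell script writes the config layout shown above for any list of names, adds the www. form of each, and hands the file to openssl req via -config, so no system openssl.cnf is needed. The key path, CSR path and the hostname check are assumptions of the example.

```shell
#!/bin/sh
# Added example: generate a SAN CSR from a self-contained openssl.cnf.
# Assumes: openssl is on PATH; KEY is an existing private key file.

# build_san_cnf NAME... -> prints an openssl.cnf on stdout using the
# [req] / [v3_req] / [san] layout from the thread. Every entry is written
# as "DNS.N = host", so the "missing value" error caused by a bare hostname
# in a DNS: list cannot happen here. Names are checked before any output.
build_san_cnf() {
    [ "$#" -gt 0 ] || { echo "no names given" >&2; return 1; }
    for name in "$@"; do
        case "$name" in
            *[!A-Za-z0-9.-]*|'') echo "bad hostname: '$name'" >&2; return 1 ;;
        esac
    done
    printf '[req]\n'
    printf 'distinguished_name = req_distinguished_name\n'
    printf 'req_extensions = v3_req\n\n'
    printf '[req_distinguished_name]\n\n'
    printf '[v3_req]\n'
    printf 'subjectAltName = @san\n\n'
    printf '[san]\n'
    i=0
    for name in "$@"; do
        i=$((i + 1)); printf 'DNS.%d = %s\n' "$i" "$name"
        i=$((i + 1)); printf 'DNS.%d = www.%s\n' "$i" "$name"
    done
}

# make_csr KEY CSR NAME... -> writes the CSR for KEY, using a temporary
# config that is removed afterwards (as CertSage does), then prints the
# SAN list parsed back out of the CSR so it can be checked before use.
make_csr() {
    key=$1; csr=$2; shift 2
    cnf=$(mktemp) || return 1
    build_san_cnf "$@" > "$cnf" || { rm -f "$cnf"; return 1; }
    openssl req -new -sha256 -key "$key" -subj "/CN=$1" \
        -config "$cnf" -out "$csr"
    rc=$?
    rm -f "$cnf"
    [ "$rc" -eq 0 ] || return "$rc"
    openssl req -in "$csr" -noout -text | grep -A1 'Subject Alternative Name'
}
```

Usage: make_csr domain.key domain.csr bagpiper.net bravewaves.com caulfieldtrio.com (and so on for the rest of the list).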

I would think in your openssl.cnf file.

3 Likes

So by "the location of an openssl.cnf file" do you mean I create that file and then upload it via file manager to something like for example www.bagpiper.net/openssl.cnf ?

2 Likes

The location (path) of openssl.cnf (or whatever name you choose to give the file) needs to be passed to OpenSSL as a parameter. For example, CertSage creates openssl.cnf in ../CertSage then tells OpenSSL (via options->config) to use ../CertSage/openssl.cnf. CertSage then deletes ../CertSage/openssl.cnf right after OpenSSL generates the CSR since ../CertSage/openssl.cnf is no longer needed. In short, the cnf file is just a fancy way of passing parameter information to the OpenSSL command.

Whether you create the cnf file then upload it to wherever you want it or just create it wherever you want it is up to you.

Are you doing all this manually for learning purposes?

3 Likes

Are you doing all this manually for learning purposes?
:grinning:
No, is there an easier way to do this with CertSage?
I want to add a domain: josephgeorgemcdonald.com
I thought I would need to generate a new CSR

2 Likes

If all of those domain names have the same webroot directory then CertSage can easily acquire the certificate. I don't think that's the case though and therefore multiple certificates would be the route that CertSage would take. Is there a reason you want a large, combined certificate rather than individual certificates that only list domain names that are true aliases (by sharing a common webroot directory)?

3 Likes

I smell a feature request coming for CertSage :face_with_monocle:

4 Likes

IDK.
Maybe FREE certs shouldn't be soooo easy to get - LOL
Make them work for them and get one cert per name.

3 Likes

Hi Jonathan,
I'm almost there. In my browser www.josephgeorgemcdonald.com has https but josephgeorgemcdonald.com does not.

This is the message I got from cPanel:

You have successfully updated the SSL website’s certificate.

The SSL website is now active and accessible via HTTPS on this domain:

josephgeorgemcdonald.com
The SSL website is also accessible via these domains, but the certificate does not support them. Web browsers will show a warning when accessing these domains via HTTPS:
josephgeorgemcdonald.bravewaves.com
mail.josephgeorgemcdonald.com
The SSL certificate also supports this domain, but this domain does not refer to the SSL website mentioned above:
www.josephgeorgemcdonald.com
Click “OK” to reload this page.

3 Likes

Both josephgeorgemcdonald.com and www.josephgeorgemcdonald.com have working SSL.

https://decoder.link/sslchecker/josephgeorgemcdonald.com/443

https://decoder.link/sslchecker/www.josephgeorgemcdonald.com/443

Since mail.josephgeorgemcdonald.com and josephgeorgemcdonald.bravewaves.com are aliases of that same website (they use the same webroot directory), you need to include them in the certificate with josephgeorgemcdonald.com and www.josephgeorgemcdonald.com.

For all of them, you need to enable http to https redirection. See the corresponding section of the CertSage instructions for more details.

2 Likes

That makes absolutely no sense because www.josephgeorgemcdonald.com CNAMEs to josephgeorgemcdonald.com.

3 Likes

Then type it in - LOL
[HTTPS works with both names]
OR
add an HTTPS redirection within the HTTP vhost

I'd start with:
sudo apachectl -t -D DUMP_VHOSTS

3 Likes

Thanks Jonathan, I will study the directions.

3 Likes

Thanks rg305, I will give that a try!

3 Likes

I'm all good now. As usual, I was making life much more difficult than it needed to be. But I learned a few things along the way. Thanks Jonathan and everybody!!

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.