Wildcard SSLs on Apache2

Jonathan Lloyd webmaster at lifegames.org
Fri Aug 10 17:08:17 BST 2007

Oh wise and powerful PMs, shed your certificate wisdom upon me!

We have just recently applied some domain names to our dedicated servers
(because users don't like typing IP addresses) and we decided to
purchase a wildcard
certificate.  (See https://www.godaddy.com/gdshop/ssl/ssl.asp?ci=9039 for
more details.)  This certificate should allow all subdomains of our domain
name to process secure transactions.

Now that we have our domain name (i.e. example.com), we have set up the A
records to point different subdomains to our different physical boxes.  (i.e.
foo.example.com =>, bar.example.com =>  My
question is, how do we configure the httpd.conf on Apache2 to use this
wildcard certificate? (which we have installed on all of our dedicated
servers).  Our current configuration is as follows:

ServerName foo.example.com
<< some other stuff that's not important >>

LoadModule ssl_module modules/mod_ssl.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost _default_:443>

ServerName foo.example.com:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite <<some stuff here>>
SSLCertificateFile /etc/httpd/ssl/_.example.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/example.com.key
SSLCertificateChainFile /etc/httpd/ssl/sf_intermediate_bundle.crt

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>


Under the current configuration, we get the following error message:
[Fri Aug 10 09:04:03 2007] [warn] RSA server certificate CommonName (CN) `*.example.com' does NOT match server name!?

Any advice would be greatly appreciated.  Thanks!
-- Jonathan Lloyd
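The check a practitioner would want here, as an added example that is not part of the original post: which of the ServerNames on those boxes the wildcard name `*.example.com` actually covers under the single-label wildcard rule that browsers apply (RFC 2818 / RFC 6125), beside the literal string comparison that is assumed here to be what produces the "does NOT match server name!?" warning quoted above (the message text is consistent with that, but the assumption is mine, not the post's). The certificate name list and the hostnames are constructed to match the post; the functions are not Apache's or GoDaddy's code.

```python
"""Which hostnames does a wildcard certificate cover?

Added example (not from the original post). The name list and hostnames
are constructed; hostname_matches() implements the single-label wildcard
rule browsers use, and apache_literal_cn_check() models the plain string
compare that is assumed to be behind the warning in the post.
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (CN or DNS SAN) covers hostname.

    Rules (RFC 6125 section 6.4.3, as browsers apply them):
      * comparison is case-insensitive and ignores a trailing dot
      * a wildcard is only accepted as the entire left-most label
      * it matches exactly one label, so *.example.com covers
        foo.example.com but not example.com or a.foo.example.com
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards ("f*o.example.com") and wildcards
    # anywhere but the left-most label ("*.*.example.com").
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # One label per wildcard: label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    # The wildcard must not match an empty label; the rest must be identical.
    return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]


def cert_covers(cert_names, hostname: str) -> bool:
    """True if any name in the certificate covers hostname."""
    return any(hostname_matches(name, hostname) for name in cert_names)


def apache_literal_cn_check(cn: str, server_name: str) -> bool:
    """Literal CN vs ServerName compare (assumed model of the startup warning).

    With CN '*.example.com' and ServerName 'foo.example.com' this is False,
    which is the condition that logs the warning; it says nothing about
    whether a client will accept the certificate.
    """
    return cn == server_name


def coverage_report(cert_names, server_names):
    """Map each ServerName to whether the certificate covers it."""
    return {host: cert_covers(cert_names, host) for host in server_names}


# Constructed input matching the post: one wildcard name in the certificate,
# and the ServerNames one might put on the different boxes.
WILDCARD_CERT_NAMES = ["*.example.com"]
SERVER_NAMES = [
    "foo.example.com",
    "bar.example.com",
    "FOO.example.com",      # case-insensitive: covered
    "example.com",          # bare domain: NOT covered by *.example.com
    "api.foo.example.com",  # two labels under the wildcard: NOT covered
]

if __name__ == "__main__":
    for host, covered in coverage_report(WILDCARD_CERT_NAMES, SERVER_NAMES).items():
        literal = apache_literal_cn_check(WILDCARD_CERT_NAMES[0], host)
        print(f"{host:24} client-covered={covered!s:5} literal-CN-match={literal}")
```

To feed real names in instead of the constructed list, read the subject out of the installed file with `openssl x509 -in /etc/httpd/ssl/_.example.com.crt -noout -subject` and put the CN (and any DNS SANs) into `WILDCARD_CERT_NAMES`; the bare `example.com` entry and anything two labels deep will show up as uncovered, which is what to watch for when choosing ServerNames for each box.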

More information about the london.pm mailing list