(3 of 4 Signed Multi-domain ssl certificate from godaddy)
This guide goes over setting up an ELB with a multi-domain SSL certificate. The servers attached to the ELB will run multiple Play servers on different ports with an nginx server running in front of them to handle routing based on domain/subdomain names.
I know that is quite a mouthful but here is what I am trying to accomplish….
I want to run more than one Play Server on an ec2 instance. Each Play Server will run on its own port. I want to have a domain name to route to a specific Play server. Ex. www.example.com routes to the Play server running on port 9000 and www2.example.com routes to the Play server running on port 8000. In addition I want all the communication to be secure using ssl certificates.
For an individual server you could simply put a nginx server in front of the Play servers and have the nginx handle routing based on domain name. But, in this case I want to add an AWS ELB (Elastic Load Balancer) in front of several EC2 machines.
Here is what I have found out thus far. The ELB can handle the ssl certificate, but it can only have one certificate per ELB. This forces you to use a multi-domain SSL certificate. Also the ELB cannot port forward based on domain name so you still need an nginx server in front of the Play servers.
I want something like this. The ELB handles the certificate and the nginx server handles the domain name routing.
Create an SSL certificate
Signed certificate from godaddy.com
Purchasing
Obtain the SSL certificate
Oops I need to add alternate names
Here is a link to all the guides in this series
1 - http://www.whiteboardcoder.com/2013/04/1-of-4-amazon-elb-multi-domain-ssl.html
2 - http://www.whiteboardcoder.com/2013/04/2-of-4-amazon-elb-multi-domain-ssl.html
3 - http://www.whiteboardcoder.com/2013/04/3-of-4-amazon-elb-multi-domain-ssl.html
4 - http://www.whiteboardcoder.com/2013/04/4-of-4-amazon-elb-multi-domain-ssl.html
Create an SSL certificate
On the Ubuntu 12.10 machine run the following to create an SSL certificate.
Create a directory to save the SSL files (temporarily)
> cd
> mkdir -p ssl
> cd ssl
Create the whiteboardcoder server key
> openssl genrsa -des3 -out whiteboardcoder.key 2048
Enter a passphrase. For mine I put TEST as I was going to remove it later anyway.
Create the certificate signing request
> openssl req -new -key whiteboardcoder.key -out whiteboardcoder.csr
It will ask for the passphrase here; enter it in, then enter your relevant information.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Colorado
Locality Name (eg, city) []:Superior
Organization Name (eg, company) [Internet Widgits Pty Ltd]:10x13
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:ssl-test.whiteboardcoder.com
Email Address []: myemail@10x13.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
According to https://www.digitalocean.com/community/articles/how-to-create-a-ssl-certificate-on-nginx-for-ubuntu-12-04 [1], at this point it's a good idea to remove the passphrase from the key (otherwise every time you restart your server you will have to reenter this phrase).
> cp whiteboardcoder.key whiteboardcoder.key.BACK
> openssl rsa -in whiteboardcoder.key.BACK -out whiteboardcoder.key
Now to get a signed certificate from godaddy.com.
Signed certificate from godaddy.com
For this example I am going to go buy a multi-domain SSL certificate from godaddy.com.
Purchasing
Remember this costs real money!
Here are the steps I followed to purchase my own SSL certificates.
Log into your godaddy.com account then select "All Products" and click on SSL & Security.
Scroll down and select the "Multiple Domains UCC".
I selected a 1 yr agreement with up to 5 domains and then clicked "add to cart".
Godaddy is always trying to upsell you on something. I added nothing and clicked next.
I clicked on the promo code option (there is always some kind of promo code for godaddy.com out there).
I found one for 33% off.
Not sure if it will work for you but it was iapwd33m (used 3/28/2013 successfully).
That reduced my costs down to $60.29 for a 1 year certificate. I then clicked on checkout.
A login screen popped up (probably just to make sure).
I confirmed my billing information and then clicked on "Place Your Order".
After this I got a confirmation page and an email sent to me.
Obtain the SSL certificate
After logging into your godaddy.com account select "All Products" then SSL & Security and finally click on "SSL Certificate Management".
Click on "SSL Certificates" to open the SSL certificate tools. Then click on the setup button.
I got this notice about when the certificate will expire. Click Setup.
I then got this SSL certificate added successfully notification.
Close it.
OK, it looks like it disappeared….
Looks like I just had to wait a minute and refresh the page to have it come up.
Click on Launch
This page should come up.
Get Certificate Signing Request
From my ubuntu server I ran this cat command to get the text of the .csr file
> cd
> cd ssl
> cat whiteboardcoder.csr
Select Third party.
And paste your CSR text into the text box (I am of course blacking mine out).
Click next.
You should see your domain name here. Click next.
Click on Finished
This new screen will come up and you can see that you have 1 request in the pending state.
Now you have to play the waiting game. I waited 16 minutes before I realized I was the hold up… It sent me an email asking that I verify this certificate. It sent an email to the person they found on the whois for the domain.
Clicking the link godaddy.com sent me in my email opened this page, where I clicked on approve.
After this they sent another email out with a link that when clicked on opened the same godaddy ssl tool.
I do not think you need to click on this link to keep the process going.
Now we play the waiting game….
10 minutes….
20 minutes….
30 minutes…
If I click on "what's the hold up?" I get this screen.
It talks about 2-24 hrs to check the name. I guess something about my name looks funny. I hope you do not run into this, but it looks like I get to wait a bit for approval.
In my case it took almost 4 hours to get the certificate approved.
I hope you do not run into the issue I did.
Click On Certificates
Check the box of the certificate you want to download then click the Download button.
Select the type of certificate you want to download, in my case I chose Nginx. Then click Download.
It will download the certificate in a zip file.
In that zip file there should be two files: gd_bundle.crt and your SSL certificate .crt
Oops I need to add alternate names
This certificate, as it stands, is only good for ssl-test.whiteboardcoder.com. I need to add ssl-test2.whiteboardcoder.com to it.
To fix this do the following
Select the certificate and then click Manage.
Enter the second domain name and click Add.
Click OK
That change has become a Pending Request…
It sent another verification email out I had to click on to approve as the domain owner.
Clicking on the "What's the hold up" link got me the same phishing issue again… I guess it's not a good idea to have ssl in your domain name?
This time it took less than an hour to get approved.
Now if I click on certificate I will see that there are two present.
If I click on the first certificate I see this.
I guess they give you a little bit of overlap so you can update your certificates within the next 24 hours.
Select the second (new) certificate and click Download
This time I selected Other and clicked download.
A zip file downloads.
Inside is a ssl-test.whiteboardcoder.com.crt file. Open it in a text editor. This text will be used in the ELB later.
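Before that text goes into the ELB it is worth confirming three things about the downloaded files: that the certificate really belongs to the key generated earlier, that it lists every hostname you need (after the alternate-name step above, both ssl-test and ssl-test2), and that it chains to the intermediates in gd_bundle.crt. The checks below are an added example, not from the original post. A GoDaddy-issued certificate cannot be embedded here, so the script also builds a clearly labelled self-signed stand-in certificate to run the checks against; file names are assumptions, and the stand-in generator assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks on a downloaded
# certificate before it is uploaded to the ELB. File names are assumptions.
set -e

# Print the DNS names in the certificate's Subject Alternative Name, one per line.
cert_sans() {   # cert
    openssl x509 -in "$1" -noout -text \
      | grep -A1 'Subject Alternative Name' | tail -n 1 \
      | tr ',' '\n' | sed 's/^ *DNS://'
}

# True if the certificate's RSA modulus equals the private key's, i.e. the CA
# signed the key you generated and not some other one.
cert_matches_key() {   # cert key
    c=$(openssl x509 -in "$1" -noout -modulus)
    k=$(openssl rsa -in "$2" -noout -modulus)
    [ "$c" = "$k" ]
}

# True if every hostname given after the certificate appears as a SAN.
cert_covers() {   # cert host...
    cert="$1"; shift
    names=$(cert_sans "$cert")
    for h in "$@"; do
        printf '%s\n' "$names" | grep -qxF "$h" || return 1
    done
}

# True if the certificate verifies against the chain bundle (gd_bundle.crt
# from the GoDaddy zip in the real case).
chain_ok() {   # cert bundle
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed stand-in: a self-signed certificate with the post's two hostnames
# so the checks can run offline. With a real certificate, skip this and pass the
# downloaded .crt, your key and gd_bundle.crt to the functions above instead.
make_stand_in() {   # dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
      -keyout "$1/stand-in.key" -out "$1/stand-in.crt" \
      -subj "/CN=ssl-test.whiteboardcoder.com" \
      -addext "subjectAltName=DNS:ssl-test.whiteboardcoder.com,DNS:ssl-test2.whiteboardcoder.com" \
      >/dev/null 2>&1
}

# Stand-alone usage: RUN_EXAMPLE=1 sh thisfile.sh
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    d=$(mktemp -d)
    make_stand_in "$d"
    cert_matches_key "$d/stand-in.crt" "$d/stand-in.key" && echo "certificate matches key"
    cert_covers "$d/stand-in.crt" ssl-test.whiteboardcoder.com ssl-test2.whiteboardcoder.com \
      && echo "both hostnames present"
    chain_ok "$d/stand-in.crt" "$d/stand-in.crt" && echo "chain verifies"
fi
```

A modulus mismatch means the wrong key is being paired with the certificate (easy to do when a key was regenerated between the CSR and the download); a missing SAN means the alternate-name step did not take; a failed chain check means the ELB would be handed a certificate without the intermediates clients need to build trust.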