Re: Wildcard SSL and Wildcard hostnames

Reinis Rozitis
May 11, 2015 10:58AM
> http://example.co - works fine and as expected.
> http://blah.example.co - returns curl: (60) SSL certificate problem:
> Invalid certificate chain

> This is actually picking up the SSL cert for the default site on the
> server.
> So the server_name is picking up example.co but *.example.co seems to be
> ignored.

So are there 2 certificates?
If so you need a different server block for each - one for the exact domain
and one for the wildcard (or use the wildcard for both).

Besides server_name .example.co and server_name example.co, *.example.co are
generally the same (the latter actually being recommended
http://nginx.org/en/docs/http/server_names.html#optimization )

The only difference would be if you have multiple server {} definitions
(with same domains) because nginx has an order of precedence in which it
decides which virtual server will be chosen (regular expressions (which is
also .example.co) will be last).

In general you should check (for example with 'openssl x509 -in
/path/example.co.crt -noout -text | grep DNS') and see if your nginx
server{} block configuration actually matches the certificates (and keys)
you point to.

It makes it a bit hard to guess, not seeing the whole config.



One note when testing with curl - on older systems the root certificates are
not always updated and if the CA has _recently_ changed its intermediate
certificates (iirc for example GoDaddy) curl might report a problem.

Also be sure that the intermediate certificates are included in the
certificate itself (
http://nginx.org/en/docs/http/configuring_https_servers.html#chains )



> we also need *.staging.example.co to work for our staging environment too
> which might kill two birds with one stone.

Standard wildcard certificate *.example.co covers also this, you don't need
additional certificates.



p.s. A good/simple way imo (if the server has public access) to check for
all kinds of issues/ssl chains etc is to use
https://www.ssllabs.com/ssltest/ (check the "do not show" if you want hidden
results).

rr

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
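
As a follow-up to the `openssl x509 ... | grep DNS` check suggested in the reply, here is an added example (not part of the original post or of nginx) that tests whether the names in a certificate cover a given hostname. It applies the RFC 6125 rule that a wildcard stands for exactly one left-most label, so it also reports how deep a name each entry reaches. The SAN line is constructed sample data and the function names `name_matches` and `san_covers` are hypothetical.

```shell
#!/bin/sh
# Constructed sample: the "DNS:" line that
#   openssl x509 -in /path/example.co.crt -noout -text | grep DNS
# prints for a certificate holding the apex name and one wildcard.
SAMPLE_SANS='                DNS:example.co, DNS:*.example.co'

# name_matches PATTERN HOST -> exit 0 if the SAN entry covers the host.
# A wildcard is honoured only as the whole left-most label and stands for
# exactly one label (RFC 6125 section 6.4.3), so it never spans a dot.
name_matches() {
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pattern" in
        '*.'*)
            suffix=${pattern#'*'}          # e.g. ".example.co"
            case "$host" in
                *"$suffix") ;;             # host must end with the suffix
                *) return 1 ;;
            esac
            label=${host%"$suffix"}        # what the "*" has to stand for
            [ -n "$label" ] || return 1    # the apex itself is not covered
            case "$label" in
                *.*) return 1 ;;           # more than one label
            esac
            return 0 ;;
        *) [ "$pattern" = "$host" ] ;;     # plain entry: exact match only
    esac
}

# san_covers HOST SAN_LINE -> exit 0 if any DNS entry in the line covers HOST.
san_covers() {
    while IFS= read -r entry; do
        entry=$(printf '%s' "$entry" | tr -d ' \t')
        case "$entry" in
            DNS:*) name_matches "${entry#DNS:}" "$1" && return 0 ;;
        esac
    done <<EOF
$(printf '%s\n' "$2" | tr ',' '\n')
EOF
    return 1
}

# Report coverage for the hostnames discussed in the thread.
for h in example.co blah.example.co blah.staging.example.co; do
    if san_covers "$h" "$SAMPLE_SANS"; then echo "$h: covered"
    else echo "$h: NOT covered by this certificate"; fi
done
```

To run it against a real certificate, pass the output of the `openssl` command above as the second argument to `san_covers` instead of `SAMPLE_SANS`.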