
I have several related services on different first-level subdomains of one domain. The goal is to enable HTTPS on all of them.

So I've bought a wildcard SSL certificate from GoDaddy for my domain: *.domain.com.

Then I made a key as described here: http://blog.dynamic50.com/2011/02/15/ssl-on-wildcard-domains-on-heroku-using-godaddy/

Next I updated two of the services: one of them is a standalone Ruby app (goliath) hosted on Rackspace, and the second is hosted on Heroku. The standalone one is working OK (the certificate is valid, but Chrome says it cannot check whether it's revoked), but for the Heroku app the browser says "panic, certificate is revoked, go away". Both apps use the same crt and key files. Where could the problem be?

Here is the curl output for the two services (there is a difference in the last lines):

1. standalone

* SSLv3, TLS handshake, Client hello (1):
...
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES256-SHA
* Server certificate:
*    subject: O=*.mydomain.com; OU=Domain Control Validated; CN=*.mydomain.com
*    start date: 2012-05-17 12:37:43 GMT
*    expire date: 2012-08-02 12:34:51 GMT
*    subjectAltName: standaloneservice.mydomain.com matched
*    issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certificates.godaddy.com/repository; CN=Go Daddy Secure Certification Authority; serialNumber=07969287
*    SSL certificate verify ok.

2. heroku

* SSLv3, TLS handshake, Client hello (1):
...
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES256-SHA
* Server certificate:
*    subject: O=*.mydomain.com; OU=Domain Control Validated; CN=*.mydomain.com
*    start date: 2011-08-02 12:34:51 GMT
*    expire date: 2012-08-02 12:34:51 GMT
*    subjectAltName: herokuservice.mydomain.com matched
*    issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certificates.godaddy.com/repository; CN=Go Daddy Secure Certification Authority; serialNumber=07969287
*    SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.

Any advice and debugging tips are most welcome.

Thanks!

Alexander

1 Answer


There's a different start date for certificate validity between the two certificates, so you aren't using the same one for both.

I'm betting that you had GoDaddy re-issue the wildcard certificate today (which is the one installed in the standalone service - it has a partial year of validity instead of a full year) and the one on the Heroku service was revoked in the process.

Verify with openssl s_client -connect server:port -showcerts - the two certificates have the same serial number, but they'll have a different thumbprint. You'll need to make sure you get the new certificate into the location that Heroku wants it in, then restart the service so that it loads the new file.

Shane Madden
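The check the answer recommends (pull the certificate each server actually presents and compare serial, validity dates and fingerprint) can be scripted instead of eyeballing `openssl s_client -showcerts` output. The following is an added example written for this page, not code from the question, the answer, goliath or Heroku. It uses only Ruby's standard `openssl` library: `fetch_leaf` grabs the leaf certificate a TLS endpoint sends for a given SNI name, `cert_summary` extracts the distinguishing fields, and `cert_diff` lists which of them differ between two certificates. Because the real hosts are not reachable from here, `make_cert` builds self-signed stand-ins with the question's subject and validity dates (constructed, not real GoDaddy certificates) so the comparison can be run offline; the hostnames in the usage comment are placeholders.

```ruby
require 'openssl'
require 'socket'

# Fields that distinguish one issued certificate from another.
# Two files with the same subject can still be different certificates:
# a re-issue gets a new notBefore and, because the DER bytes change,
# a new fingerprint.
def cert_summary(cert)
  der = cert.to_der
  {
    subject:    cert.subject.to_s,
    issuer:     cert.issuer.to_s,
    serial:     cert.serial.to_s(16),
    not_before: cert.not_before,
    not_after:  cert.not_after,
    sha1:       fingerprint('SHA1', der),
    sha256:     fingerprint('SHA256', der),
  }
end

# Colon-separated uppercase hex, the same layout openssl x509 -fingerprint prints.
def fingerprint(algo, der)
  OpenSSL::Digest.new(algo).hexdigest(der).upcase.scan(/../).join(':')
end

# Names of the summary fields that differ between two certificates.
# An empty array means both servers really serve the same certificate.
def cert_diff(a, b)
  sa = cert_summary(a)
  sb = cert_summary(b)
  sa.keys.select { |k| sa[k] != sb[k] }
end

# Fetch the leaf certificate a TLS server presents for an SNI name.
# Verification is disabled on purpose: we want to inspect whatever the
# server sends, including a revoked or mis-deployed certificate.
def fetch_leaf(host, port = 443, sni = host)
  tcp = TCPSocket.new(host, port)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.hostname = sni
  ssl.connect
  ssl.peer_cert
ensure
  ssl&.close
  tcp&.close
end

# Offline stand-in: a self-signed certificate carrying the subject from the
# question. The key is freshly generated, so every call yields a distinct
# certificate even with identical dates and serial (an assumption for the
# demo, not a property of GoDaddy's re-issue process).
def make_cert(not_before, not_after, serial)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(
    '/O=*.mydomain.com/OU=Domain Control Validated/CN=*.mydomain.com'
  )
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after  = not_after
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Reproduce the situation in the question: same subject and expiry,
# different start date, i.e. a re-issued certificate on one host.
def question_scenario
  expires    = Time.utc(2012, 8, 2, 12, 34, 51)
  standalone = make_cert(Time.utc(2012, 5, 17, 12, 37, 43), expires, 0x1234)
  heroku     = make_cert(Time.utc(2011, 8, 2, 12, 34, 51), expires, 0x1234)
  cert_diff(standalone, heroku)
end

if $PROGRAM_NAME == __FILE__
  # Offline demo. Against the live hosts you would instead do, e.g.:
  #   cert_diff(fetch_leaf('standaloneservice.mydomain.com'),
  #             fetch_leaf('herokuservice.mydomain.com'))
  puts "fields that differ: #{question_scenario.inspect}"
end
```

Run it against the two hostnames and any non-empty result is proof the hosts are not serving the same file; `:not_before` alone already tells you one of them is the re-issue. Once the new certificate is uploaded to Heroku and the app restarted, the diff should come back empty.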