-2

I added the SSL certificate I just bought from Comodo using the command

cctrlapp xxxx/default addon.add ssl.host --cert certif.crt \
         --key certif-nopass.key --chain SecureServerCA-bundle.crt

I do not get any response to my command. After checking:

$ cctrlapp xxx/default addon ssl.host

Addon                    : ssl.host   
Settings

SSL_CERT_INCEPTS         : 2013-02-07 00:00:00

SSL_DNS_DOMAIN           : addonssl-depsmgr6bsx-1086693984.eu-west-1.elb.amazonaws.com
SSL_CERT_EXPIRES         : 2014-02-07 23:59:59

After accessing to the https
I have the error
The certificate is valid for the following domains :
  *.cloudcontrolled.com , cloudcontrolled.com  

(Error code : ssl_error_bad_cert_domain)

Why does SSL_DNS_DOMAIN indicate this subdomain name?

I just checked the certificate using the command

openssl x509 -in certif.crt -text -noout

and it's a valid 2048 RSA key.

Any ideas? Thanks

Gottlieb Notschnabel

1 Answer

2

I assume you use a custom alias. Then you don't have to change anything when the DNS is updated. You'll already have a CNAME on your subdomain to "whatever.cloudcontrolled.com". Just access your domain with HTTPS, then you'll get your certificate (instead of the *.cloudcontrolled.com one).

By saying "after accessing to the https", do you mean you tried to access your own domain with HTTPS?

After adding the addon you have to wait for two things:

  • Your personal loadbalancer to be finished booting (this is finished when SSL_DNS_DOMAIN contains a dns-name and not something like "pending").
  • Since the IPs for your domain will change, you have to wait until the DNS-TTL in this chain has passed. This is about 5 minutes on the cloudcontrol-domain and then depends on your own DNS-configuration for the domain.

I think perhaps you ran into a TTL-issue with your dns-provider or the cloudcontrol-TTL. Or possibly your local DNS-cache, Browser-DNS-cache, provider-DNS-cache, ...

A nice trick (which is currently working but doesn't have to work in the future):

Run a dig on your domain.

  • When you get one IP, SSL is finished and should run.
  • When you get more than one IP (now tested, 3) something is wrong with SSL.

You can also specify specific DNS-Servers for the dig-command to bypass the caches (the google-dns-servers are always quite up-to-date).

To your other question: SSL_DNS_DOMAIN only shows you the Amazon Elastic Loadbalancer that was started and will be managed for you. You don't need this name since when you query "whateverapp.cloudcontrolled.com" with SSL-Addon you get one of the ELB-IPs. So it's just for information and mostly not needed.

Hope this helps :)

Denis Cornehl
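The dig check from the answer above, scripted as an added example that is not part of the original answer or of cloudControl's tooling. The function names, the sample records and the verdict strings are hypothetical; the one-IP versus several-IPs rule is the answer's own heuristic, and 8.8.8.8 is Google Public DNS.

```shell
#!/bin/sh
# Added example: function names and sample data are constructed.

# Keep only the IPv4 lines of `dig +short` output, sorted and de-duplicated.
# CNAME targets (names ending in ".") are dropped.
a_records() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# Read `dig +short A <name>` output on stdin and apply the answer's rule:
# one IP = dedicated SSL load balancer, several = something is wrong.
classify_a_records() {
    count=$(a_records | wc -l | tr -d ' ')
    case "$count" in
        0) echo "no-answer" ;;
        1) echo "ssl-ready" ;;
        *) echo "multiple-ips:$count" ;;
    esac
}

# Compare the answers of two resolvers (passed as strings). Different
# address sets mean one side still serves cached records (TTL not passed).
cache_state() {
    cached=$(printf '%s\n' "$1" | a_records)
    fresh=$(printf '%s\n' "$2" | a_records)
    if [ "$cached" = "$fresh" ]; then echo "in-sync"; else echo "stale-cache"; fi
}

# Live check: ask the default resolver and a public one directly.
# Usage: check_domain www.example.com
check_domain() {
    local_out=$(dig +short A "$1")
    public_out=$(dig +short A "$1" @8.8.8.8)
    echo "public resolver: $(printf '%s\n' "$public_out" | classify_a_records)"
    echo "local vs public: $(cache_state "$local_out" "$public_out")"
}

# Constructed sample outputs (documentation address ranges).
SAMPLE_READY='whateverapp.cloudcontrolled.com.
192.0.2.10'
SAMPLE_SHARED='whateverapp.cloudcontrolled.com.
198.51.100.1
198.51.100.2
198.51.100.3'
```

A "stale-cache" result from `check_domain` points at the local or provider cache rather than at the SSL addon, which matches the TTL explanation in the answer.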