Apache "RSA server certificate CN does not match server name" error
Not sure if Apache can read SANs. This is still on their to-do list, I guess; that's why it's only a warning that may be safely ignored, and again I am not sure if it is fixable. It may depend on your distro. Some say that removing default_host fixes this issue, but then again that might be for those without SANs.
Colin
Updated on September 18, 2022

Comments
-
Colin over 1 year
I have an Apache installation with some name-based vhosts and an SSL certificate with CN=maindomain.com and DNS Alternative Names for all the vhosts' (sub)domains. However, this setup gives warnings in the logs in the form:

[Fri Jan 03 16:52:38 2014] [warn] RSA server certificate CommonName (CN) `maindomain.com' does NOT match server name!?
[Fri Jan 03 16:52:38 2014] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)

While it works, I should say that name-based SSL vhosts are irrelevant because the certificate is for all vhosts. Furthermore, I would say the CN matches the main ServerName. Is there any way to fix this and clear the logs?

Distilled configuration is as follows:

Servername maindomain.com

<VirtualHost *:80>
    ServerName www.maindomain.com
    DocumentRoot /var/www/www.maindomain.com/public_html/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.maindomain.com
    Include ssl.vhost.conf
    DocumentRoot /var/www/www.maindomain.com/public_html/
</VirtualHost>

<VirtualHost *:80>
    ServerName altdomain.com
    DocumentRoot /var/www/altdomain.com/public_html/
</VirtualHost>

<VirtualHost *:443>
    ServerName altdomain.com
    Include ssl.vhost.conf
    DocumentRoot /var/www/altdomain.com/public_html/
</VirtualHost>

# More vhosts in the same way, sometimes tld's sometimes subdomains

And ssl.vhost.conf as follows:

SSLEngine ON
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /etc/certificates/maindomain.com.crt
SSLCertificateKeyFile /etc/certificates/maindomain.com.key
SSLCertificateChainFile /etc/certificates/ca-intermediate.crt
SSLCACertificateFile /etc/certificates/ca.crt
-
Simon Gates over 10 years
Is your certificate a wildcard certificate, i.e. with a CN=*.maindomain.com in the subject? If not, it looks like it may be for the exact FQDN ‘maindomain.com’, and won't match ‘www.maindomain.com’. You can check the certificate subject with:

openssl x509 -text -in /path/to/maindomain.cert | grep Subject:
-
Colin over 10 years
It is a wildcard certificate, but its CN is maindomain.com (*.maindomain.com in the alternative names); the same errors are there when the CN=*.maindomain.com (because the ServerName is www.maindomain.com).
-
paperclip over 9 years
This has been my experience. We've safely ignored the warning messages. It seems Apache is trying to be helpful by alerting you to the fact that it detected the certificate's CommonName doesn't match the ServerName set in the VirtualHost block.
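As an added illustration (not code from the thread or from Apache), here is a small Python check that does what the two sides of this discussion do: it compares each vhost ServerName against the certificate's CN alone, which is the comparison behind the warning, and against the SAN list, which is what an SNI-capable client relies on. The certificate contents in CERT and the extra name www.altdomain.com are constructed assumptions mirroring the question, not the asker's real certificate.

```python
# Constructed certificate data mirroring the question (assumed, not the real cert):
# CN is the bare domain, SANs cover it, its subdomains, and the alt domain.
CERT = {
    "CN": "maindomain.com",
    "SAN": ["maindomain.com", "*.maindomain.com", "altdomain.com"],
}

# ServerName values from the question's vhosts, plus www.altdomain.com
# (constructed) to show a name the certificate does not cover at all.
SERVER_NAMES = ["www.maindomain.com", "maindomain.com",
                "altdomain.com", "www.altdomain.com"]


def name_matches(pattern, hostname):
    """RFC 6125-style DNS name match: case-insensitive; a wildcard is only
    honoured as the whole leftmost label and matches exactly one label, so
    *.maindomain.com covers www.maindomain.com but not maindomain.com itself
    and not a.b.maindomain.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".maindomain.com"
    if "*" in suffix:                         # reject patterns like *.*.example
        return False
    return (hostname.endswith(suffix)
            and hostname.count(".") == pattern.count(".")
            and hostname[:-len(suffix)] != "")


def cn_matches(cert, server_name):
    """What the warning in the question checks: the subject CN alone."""
    return name_matches(cert["CN"], server_name)


def san_matches(cert, server_name):
    """What an SNI-capable client checks: the dNSName SANs, falling back to
    the CN only when the certificate carries no dNSName SANs at all."""
    names = cert["SAN"] or [cert["CN"]]
    return any(name_matches(n, server_name) for n in names)


def audit(cert, server_names):
    """Map each ServerName to (cn_ok, san_ok): cn_ok False is the log warning,
    san_ok False is the case that actually breaks clients."""
    return {s: (cn_matches(cert, s), san_matches(cert, s)) for s in server_names}


if __name__ == "__main__":
    for name, (cn_ok, san_ok) in audit(CERT, SERVER_NAMES).items():
        verdict = "ok" if san_ok else "NOT COVERED"
        print(f"{name:20} CN match: {cn_ok!s:5} SAN match: {san_ok!s:5} -> {verdict}")
```

To audit a real certificate, fill CERT from the Subject and X509v3 Subject Alternative Name lines of the openssl x509 -text output.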