RapidSSL: domain name does not match the certificate common name or SAN

Solution 1

First: Please don't delete your localhost.crt. If you do, you won't be able to re-start your server and your web page will be offline. If by any chance you do, you have to re-generate a new localhost.crt file from your private key using the following command:

openssl req -new -x509 -nodes -sha1 -days 365 -key /etc/pki/tls/private/localhost.key > /etc/pki/tls/certs/localhost.crt

Second: If you completed the process of creating a certificate with your load balancers, you don't need to use AWS IAM or change your ssl.conf file. The step missing is to change your Domain Record Set. If your domain is hosted in AWS, go to Route 53 in the EC2 Management Console and create a record set. It must be a Type A record (not a CNAME), with an alias pointing to your Amazon Load Balancer (check your address in the tab DNS in the panel). The address should be something like:

9999999999.eu-west-1.elb.amazonaws.com 

Solution 2

The hostname used in the SubjectCN (optional, but common) and at least one entry in the SubjectAN (mandatory) needs to match the name by which you reference the VirtualHost (whether you gen the VirtualHost by Name (using SNI) or by IP). Additionally, you should have this hostname genned as either the main hostname or an alias in your /etc/hosts. Note, this needs to be the FQDN, as the match must be exact[1].

If the certificate is issued for "app.domain.com", you must have your application listening to and responding to requests for "app.domain.com". For testing purposes, you would benefit from changing the hostname as seen by the OS to "app.domain.com" (using the hostname command and setting the "HOSTNAME" param in the "/etc/hostname" file).


1: Note, most Certifying Authorities will not issue a certificate for an unqualified hostname, as they have no way to ensure that the hostname for which they are vouching and staking their relationship truly belongs to the person or organization requesting it without the domain component.
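The matching rule Solution 2 describes (a dNSName SAN entry, or failing that the CN, must equal the name the client asked for) is what the checker in the question applied when it reported the CN "ip-172-XX-XX-XXX" against "app.domain.com". The script below is an added example, not code from either answer or from RapidSSL: it takes a certificate in the dict shape that Python's stdlib `ssl.SSLSocket.getpeercert()` returns, extracts the names a browser would consider, and reports a mismatch or a self-signed issuer. The two sample certificates are constructed to mirror the question (the auto-generated localhost.crt with an empty SAN, and a properly issued certificate for app.domain.com); the function and variable names are my own.

```python
"""Check whether a certificate's CN/SAN names cover a requested hostname.

Certificates are given in the dict form returned by ssl.SSLSocket.getpeercert(),
so the same functions can be applied to a live connection.  Samples are constructed.
"""

# Constructed sample: the auto-generated, self-signed localhost.crt from the question.
# No subjectAltName at all, CN is the EC2 instance name, issuer == subject.
SELF_SIGNED = {
    "subject": ((("commonName", "ip-172-XX-XX-XXX"),),),
    "issuer": ((("commonName", "ip-172-XX-XX-XXX"),),),
}

# Constructed sample: what the purchased certificate for app.domain.com should look like.
ISSUED = {
    "subject": ((("commonName", "app.domain.com"),),),
    "issuer": ((("commonName", "Example CA (placeholder)"),),),
    "subjectAltName": (("DNS", "app.domain.com"), ("DNS", "www.app.domain.com")),
}


def dns_names(cert):
    """Return the names a client will match against, SAN first.

    If the certificate carries any dNSName SAN entries, modern clients use only
    those and ignore the CN; the CN is consulted solely as a fallback when the
    SAN extension is absent or has no DNS entries.
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for kind, value in rdn if kind == "commonName"]


def label_matches(pattern, hostname):
    """Case-insensitive exact match; '*' is honoured only as the whole left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    plabels, hlabels = pattern.split("."), hostname.split(".")
    # No partial-label wildcards (a*.x), no '*.com', and '*' never spans a dot.
    if plabels[0] != "*" or len(plabels) != len(hlabels) or len(plabels) < 3:
        return False
    return plabels[1:] == hlabels[1:]


def hostname_matches(cert, hostname):
    """True if any usable name in the certificate covers `hostname`."""
    return any(label_matches(name, hostname) for name in dns_names(cert))


def diagnose(cert, hostname):
    """Return a list of problems, in the spirit of the checker output in the question."""
    subject = dict(kv for rdn in cert.get("subject", ()) for kv in rdn)
    issuer = dict(kv for rdn in cert.get("issuer", ()) for kv in rdn)
    problems = []
    if subject and subject == issuer:
        problems.append("self-signed: issuer equals subject")
    if not hostname_matches(cert, hostname):
        problems.append("none of the names %r match %s" % (dns_names(cert), hostname))
    return problems


if __name__ == "__main__":
    for label, cert in (("localhost.crt", SELF_SIGNED), ("purchased", ISSUED)):
        print(label, "->", diagnose(cert, "app.domain.com") or ["OK"])
```

On a real connection, `ssl.create_default_context().wrap_socket(sock, server_hostname=host).getpeercert()` yields this dict only once verification has already succeeded; when the name does not match, the `ssl.SSLCertVerificationError` message itself names the offending CN or SAN, which is the quickest confirmation that the listener is still serving the auto-generated certificate rather than the purchased one.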


Updated on September 18, 2022

Comments

  • Diego Sarmiento
    Diego Sarmiento over 1 year

    I'm installing SSL certificate (RapidSSL) on Amazon AWS (Load balancer).

    Installation was already completed, but when I test it I get:

    Wrong certificate installed.
    The domain name does not match the certificate common name or SAN.
    
    Certificate information
    Common name: ip-172-XX-XX-XXX
    SAN:
    

    My SSL certificate is only for https://app.domain.com, so SSL certificate was made for app.domain.com


    Edit: After some test I get:

    The certificate is self-signed. Users will receive a warning when accessing
    this site unless the certificate is manually added as a trusted certificate to
    their web browser. You can fix this error by buying a trusted SSL certificate

    None of the common names in the certificate match the name that was entered
    (app.domain.com). You may receive an error when accessing this site in a web
    browser. Learn more about name mismatch errors.
    Common name: ip-172-XX-XX-XXX
    Organization: SomeOrganization
    Location: SomeCity, SomeState, --
    Valid from July 23, 2014 to July 23, 2015
    Serial Number: 218621 (0x5566)
    Signature Algorithm: sha256WithRSAEncrypt
    Issuer: ip-172-XX-XX-XXX
    

    Edit2: Checking the server I found:

    In folder /ssl/certs

    localhost.crt //this is the one giving me trouble
    ca-bundle.crt
    ca-bundle.trust.crt
    

    Should I delete localhost.crt?

    Thanks

    • Diego Sarmiento
      Diego Sarmiento over 9 years
      @HåkanLindqvist I checked it with different tools. The common message is "None of the common names in the certificate match the name that was entered (app.domain.com). You may receive an error when accessing this site in a web browser"
    • Håkan Lindqvist
      Håkan Lindqvist over 9 years
      I did not suggest checking with different tools but verifying that you are actually using the certificate you have purchased. You say that you have purchased a certificate for "app.domain.com" but also that the certificate you are using is for "ip-172-XX-XX-XXX"; that does not sound like it's the same certificate.
    • Andrew Domaszek
      Andrew Domaszek over 9 years
      Agree with @HåkanLindqvist, it sounds like you are still using an auto-generated, self-signed certificate. The CN value of your certificate should say "app.domain.com".
    • Diego Sarmiento
      Diego Sarmiento over 9 years
      @AndrewDomaszek if that's the case, what would you recommend to fix it?