RSA certificate configured for SERVER does NOT include an ID which matches the server name
Solution 1
openssl x509 -in server.crt -noout -subject
Should return the CN of the certificate. That's the name you have to use in the ServerName directive and to connect to.
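Added example, not part of the original answer: a POSIX shell sketch that tests whether a ServerName is covered by a certificate's subject CN or its Subject Alternative Name DNS entries (the names a comment further down this page points to), including single-label wildcard matching. The function names and the embedded certificate text are constructed for illustration; to check a real certificate, pipe the output of openssl x509 -in <your cert> -noout -text into servername_covered.

```shell
# Added example (not from the original page). Sample data below is constructed.
# Print the certificate's DNS identities, one per line: the subject CN, then
# each subjectAltName DNS entry. Reads `openssl x509 -noout -text` on stdin.
cert_names() {
    text=$(cat)
    printf '%s\n' "$text" | sed -n 's|^ *Subject:.*CN *= *\([^,/]*\).*|\1|p'
    printf '%s\n' "$text" | grep 'DNS:' | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeed if hostname $1 matches certificate name $2. A leading "*." stands
# for exactly one left-most label, so *.example.com does not cover example.com.
name_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $pat in
        '*.'*)
            suffix=${pat#\*}            # e.g. ".example.com"
            label=${host%"$suffix"}     # what the "*" would have to match
            [ "$label" != "$host" ] && [ -n "$label" ] || return 1
            case $label in *.*) return 1 ;; esac
            return 0 ;;
        *) [ "$host" = "$pat" ] ;;
    esac
}

# Succeed if ServerName $1 is covered by any name in the cert text on stdin.
servername_covered() {
    names=$(cert_names)
    while IFS= read -r n; do
        if name_matches "$1" "$n"; then return 0; fi
    done <<EOF
$names
EOF
    return 1
}

# Constructed sample in the layout `openssl x509 -noout -text` prints.
SAMPLE_CERT_TEXT='        Subject: C = US, O = Example, CN = example.com
        Subject Public Key Info:
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:*.example.com'

for s in example.com www.example.com a.b.example.com www2; do
    if printf '%s\n' "$SAMPLE_CERT_TEXT" | servername_covered "$s"; then
        echo "ServerName $s: covered by the certificate"
    else
        echo "ServerName $s: no match, expect AH01909"
    fi
done
```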
Solution 2
I had the same issue but it was because of another reason. I post it here for future googlers:
On my apache2 config file, instead of having <VirtualHost *:443>, I had <VirtualHost *:80>. As soon as I fixed that, the site was back up and running.
Solution 3
I triggered this issue through my /etc/hosts file.
I had a virtualhost, let's call it www.effinwhatever.com
The server's hostname was www2.
I added a line to my /etc/hosts so I could curl stuff against the virtual host:
192.168.1.200 www.effinwhatever.com
As soon as I removed that line from my /etc/hosts, my Apache server started serving up normally again (with a restart of the service). Weird.
It may also be relevant that my SSL cert is for a wildcard domain.
Solution 4
Alternatively, if, like me, you aren't even using ssl, you will still get this error message because using ssl is turned on by default. In that case, turn it off! Here's an excerpt from config.d/ssl.conf:
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
#SSLEngine on
SSLEngine off
eclipsis
Updated on September 18, 2022
Comments
-
eclipsis over 1 year
I recently started a LAMP server (all the latest versions) w/ WordPress on it, and I'm trying to install a SSL certificate that I recently purchased. When I restart apachectl, error_log gives me this:
[Tue Feb 25 01:07:14.744222 2014] [mpm_prefork:notice] [pid 1744] AH00169: caught SIGTERM, shutting down
[Tue Feb 25 01:07:17.135704 2014] [suexec:notice] [pid 1765] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Feb 25 01:07:17.217424 2014] [auth_digest:notice] [pid 1766] AH01757: generating secret for digest authentication ...
[Tue Feb 25 01:07:17.218686 2014] [lbmethod_heartbeat:notice] [pid 1766] AH02282: No slotmem from mod_heartmonitor
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib64/php/5.5/modules/mysql.so' - /usr/lib64/php/5.5/modules/mysql.so: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib64/php/5.5/modules/mysqli.so' - /usr/lib64/php/5.5/modules/mysqli.so: cannot open shared object file: No such file or directory in Unknown on line 0
[Tue Feb 25 01:07:17.305292 2014] [mpm_prefork:notice] [pid 1766] AH00163: Apache/2.4.6 (Amazon) OpenSSL/1.0.1e-fips PHP/5.5.7 configured -- resuming normal operations
[Tue Feb 25 01:07:17.305378 2014] [core:notice] [pid 1766] AH00094: Command line: '/usr/sbin/httpd'
While ssl_error_log gives me this:
[Tue Feb 25 00:57:15.802287 2014] [ssl:warn] [pid 1705] AH01909: RSA certificate configured for ec2-XX-XXX-XXX-XX.compute-1.amazonaws.com:443 does NOT include an ID which matches the server name
[Tue Feb 25 00:57:15.899327 2014] [ssl:warn] [pid 1706] AH01909: RSA certificate configured for ec2-XX-XXX-XXX-XX.compute-1.amazonaws.com:443 does NOT include an ID which matches the server name
I changed "ServerName" in ssl.conf to my server's name (dcturano.com) and restarted apachectl, yet this error occurs. Any ideas why? As an aside, I haven't set the CommonName of the server, could that be the issue?
-
jmituzas almost 10 years
# openssl x509 -in server.crt -noout -subject
Error opening Certificate server.crt
140451499632288:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('server.crt','r')
140451499632288:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate
-
avivmg about 9 years
@jmituzas, you should change server.crt in openssl x509 -in server.crt -noout -subject to your server.crt placement
-
dave_thompson_085 over 8 years
Practically all public CAs nowadays issue certs with the SubjectAlternativeName extension, and you can use any or all of the names in that extension (or any name matching a wildcard). OpenSSL doesn't display SAN in isolation, but you can do something like
openssl x509 -in cert -text | grep -A1 "Subject Alternative Name"
-
hugovdberg over 7 years
I rated your answer down because the question explicitly states he bought a certificate. I don't usually buy things I don't intend to use.
-
hugovdberg over 7 years
Also, make sure you add the ServerName directive and not just set the address of the virtual host (which turned out to be the problem in my case).
-
Damodar Bashyal over 5 years
That did the trick. Copied CN value localhost from output of sudo openssl x509 -in /etc/ssl/certs/server.crt -noout -subject as ServerName localhost in sudo nano /etc/httpd/conf.d/ssl.conf. I'm using centos 7 in vagrant.