RSA certificate configured for SERVER does NOT include an ID which matches the server name


Solution 1

openssl x509 -in server.crt -noout -subject

Should return the CN of the certificate. That's the name you have to use in the ServerName directive and to connect to.

Solution 2

I had the same issue but it was because of another reason. I post it here for future googlers:

In my apache2 config file, instead of having <VirtualHost *:443>, I had <VirtualHost *:80>. As soon as I fixed that, the site was back up and running.

Solution 3

I triggered this issue through my /etc/hosts file.

I had a virtualhost, let's call it www.effinwhatever.com

The server's hostname was www2.

I added a line to my /etc/hosts so I could curl stuff against the virtual host:

192.168.1.200         www.effinwhatever.com

As soon as I removed that line from my /etc/hosts, my Apache server started serving up normally again (with a restart of the service). Weird.

It may also be relevant that my SSL cert is for a wildcard domain.

Solution 4

Alternatively, if, like me, you aren't even using ssl, you will still get this error message because using ssl is turned on by default. In that case, turn it off! Here's an excerpt from config.d/ssl.conf:

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
#SSLEngine on
SSLEngine off
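An added check script (not code from any answer in this thread) that pulls the identities out of the text `openssl x509 -in server.crt -noout -subject -text` prints (a constructed sample in the OpenSSL 1.1.1+ layout is embedded) and tests an Apache ServerName against them with the usual hostname rules: DNS SubjectAlternativeName entries take precedence over the CN, and a wildcard covers exactly one label in the leftmost position, so the wildcard certificate from Solution 3 covers www.effinwhatever.com but not the bare domain, a deeper subdomain, or the host's own name www2. It approximates the comparison behind AH01909 rather than reproducing mod_ssl's code.

```python
import re

# Constructed sample of what `openssl x509 -noout -subject -text` prints
# (OpenSSL 1.1.1+ layout) for a wildcard certificate like the one in Solution 3.
SAMPLE_OPENSSL_OUTPUT = """\
subject=C = US, O = Example Inc, CN = *.effinwhatever.com
            X509v3 Subject Alternative Name:
                DNS:*.effinwhatever.com, DNS:effinwhatever.com
"""


def cert_identities(openssl_text):
    """Return the DNS identities the certificate is valid for, as a list.

    If any DNS SAN is present only the SANs count (clients ignore the CN
    then); otherwise fall back to the subject CN, as Solution 1 does.
    """
    sans = re.findall(r"DNS:([^,\s]+)", openssl_text)
    if sans:
        return sans
    cn = re.search(r"CN\s*=\s*([^,/\n]+)", openssl_text)
    return [cn.group(1).strip()] if cn else []


def name_matches(identity, server_name):
    """RFC 6125-style comparison: case-insensitive; a wildcard must be the
    whole leftmost label and stands for exactly one label."""
    identity = identity.lower().rstrip(".")
    server_name = server_name.lower().rstrip(".")
    if not identity.startswith("*."):
        return identity == server_name
    suffix = identity[1:]                       # ".example.com"
    if not server_name.endswith(suffix):
        return False
    head = server_name[: -len(suffix)]          # the part the '*' stands for
    return bool(head) and "." not in head


def apache_would_warn(server_name, openssl_text):
    """True when no certificate identity matches ServerName, i.e. when
    mod_ssl would log AH01909 for that virtual host (approximation)."""
    return not any(name_matches(i, server_name)
                   for i in cert_identities(openssl_text))


if __name__ == "__main__":
    for name in ("www.effinwhatever.com", "effinwhatever.com",
                 "www2", "a.b.effinwhatever.com"):
        print(name, "-> AH01909" if apache_would_warn(name, SAMPLE_OPENSSL_OUTPUT) else "-> OK")
```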

Author: eclipsis

Updated on September 18, 2022

Comments

  • eclipsis
    eclipsis over 1 year

    I recently started a LAMP server (all the latest versions) w/ WordPress on it, and I'm trying to install an SSL certificate that I recently purchased. When I restart apachectl, error_log gives me this:

    [Tue Feb 25 01:07:14.744222 2014] [mpm_prefork:notice] [pid 1744] AH00169: caught SIGTERM, shutting down
    [Tue Feb 25 01:07:17.135704 2014] [suexec:notice] [pid 1765] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
    [Tue Feb 25 01:07:17.217424 2014] [auth_digest:notice] [pid 1766] AH01757: generating secret for digest authentication ...
    [Tue Feb 25 01:07:17.218686 2014] [lbmethod_heartbeat:notice] [pid 1766] AH02282: No slotmem from mod_heartmonitor
    PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib64/php/5.5/modules/mysql.so' - /usr/lib64/php/5.5/modules/mysql.so: cannot open shared object file: No such file or directory in Unknown on line 0
    PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib64/php/5.5/modules/mysqli.so' - /usr/lib64/php/5.5/modules/mysqli.so: cannot open shared object file: No such file or directory in Unknown on line 0
    [Tue Feb 25 01:07:17.305292 2014] [mpm_prefork:notice] [pid 1766] AH00163: Apache/2.4.6 (Amazon) OpenSSL/1.0.1e-fips PHP/5.5.7 configured -- resuming normal operations
    [Tue Feb 25 01:07:17.305378 2014] [core:notice] [pid 1766] AH00094: Command line: '/usr/sbin/httpd'
    

    While ssl_error_log gives me this:

    [Tue Feb 25 00:57:15.802287 2014] [ssl:warn] [pid 1705] AH01909: RSA certificate configured for ec2-XX-XXX-XXX-XX.compute-1.amazonaws.com:443 does NOT include an ID which matches the server name
    [Tue Feb 25 00:57:15.899327 2014] [ssl:warn] [pid 1706] AH01909: RSA certificate configured for ec2-XX-XXX-XXX-XX.compute-1.amazonaws.com:443 does NOT include an ID which matches the server name
    

    I changed "ServerName" in ssl.conf to my server's name (dcturano.com) and restarted apachectl, yet this error occurs. Any ideas why?

    As an aside, I haven't set the CommonName of the server, could that be the issue?

  • jmituzas
    jmituzas almost 10 years
    # openssl x509 -in server.crt -noout -subject
    Error opening Certificate server.crt
    140451499632288:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('server.crt','r')
    140451499632288:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
    unable to load certificate
  • avivmg
    avivmg about 9 years
    @jmituzas, you should change server.crt in openssl x509 -in server.crt -noout -subject to your server.crt placement
  • dave_thompson_085
    dave_thompson_085 over 8 years
    Practically all public CAs nowadays issue certs with the SubjectAlternativeName extension, and you can use any or all of the names in that extension (or any name matching a wildcard). OpenSSL doesn't display SAN in isolation, but you can do something like openssl x509 -in cert -text | grep -A1 "Subject Alternative Name"
  • hugovdberg
    hugovdberg over 7 years
    I rated your answer down because the question explicitly states he bought a certificate. I don't usually buy things I don't intend to use.
  • hugovdberg
    hugovdberg over 7 years
    Also, make sure you add the ServerName directive and not just set the address of the virtual host (which turned out to be the problem in my case).
  • Damodar Bashyal
    Damodar Bashyal over 5 years
    That did the trick. Copied CN value localhost from output of sudo openssl x509 -in /etc/ssl/certs/server.crt -noout -subject as ServerName localhost in sudo nano /etc/httpd/conf.d/ssl.conf. I'm using centos 7 in vagrant.