Posted to users@httpd.apache.org by Joe Hansen <jo...@gmail.com> on 2011/06/06 19:19:34 UTC
[users@httpd] RSA server certificate CommonName (CN) 'localhost.localdomain' does NOT match server name!?
Hi there,
I see the following error messages in the ssl_error_log file when I
restart Apache:
RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?
RSA server certificate CommonName (CN) 'localhost.localdomain' does NOT match server name!?
I appreciate any pointers to solve this issue. Thank you!
Regards,
Shashi
More details:
Environment: Apache 2.2.3-45, Tomcat 6, CentOS 5.5 64-bit
/* httpd.conf */
Include conf/extra/httpd-vhosts.conf
Include conf/extra/httpd-default.conf
Include conf/extra/httpd-ssl.conf

/* httpd-vhosts.conf */
<VirtualHost *:80>
    ServerAdmin joe@xyz.com
    ServerName www.xyz.com
    ServerAlias xyz.com
    ErrorLog "logs/ajp.error.log"
    <Proxy *>
        AddDefaultCharset Off
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / ajp://localhost:8009/
    ProxyPassReverse / ajp://localhost:8009/
</VirtualHost>

/* httpd-ssl.conf */
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName www.xyz.com
    ServerAdmin joe@xyz.com
    ErrorLog "/etc/httpd/logs/error_log"
    TransferLog "/etc/httpd/logs/ssl_access_log"
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile "/usr/local/xyzssl/xyz.com.crt"
    SSLCertificateKeyFile "/usr/local/xyzssl/xyz.key"
    SSLCertificateChainFile "/usr/local/xyzssl/gd_bundle.crt"
    CustomLog "/etc/httpd/logs/ssl_request_log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    <Proxy *>
        AddDefaultCharset Off
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / ajp://localhost:8009/
    ProxyPassReverse / ajp://localhost:8009/
</VirtualHost>
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
To unsubscribe from the digest, e-mail: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] RSA server certificate CommonName (CN) 'localhost.localdomain' does NOT match server name!?
Posted by Mark Montague <ma...@catseye.org>.
On June 6, 2011 13:19, Joe Hansen <jo...@gmail.com> wrote:
> I see the following error messages in the ssl_error_log file when I
> restart Apache:
> RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?
This means that the certificate in the file specified by the
SSLCertificateFile directive (/usr/local/xyzssl/xyz.com.crt) is meant to
be used to sign other certificates, instead of being meant to be used
with a server. While it is possible to use such a certificate with a
server, it is a bad idea since if the certificate and private key are
stolen (for example, if your web server is attacked and compromised)
then the attacker will be able to use these to sign their own
certificates under your identity.
The problem may be that you just installed the wrong certificate by
mistake: the certificate for the Certification Authority, instead of
the certificate you generated for the server. In this case, simply
install the correct certificate.
The problem may be that you generated a certificate for the
Certification Authority, but did not generate one for the server. In
this case, move the CA certificate and CA private key to a secure
location that cannot be accessed by Apache (ideally, these would be on a
different machine than your web server). You will then need to generate
a private key and CSR for your web server (this should be done on your
web server machine), and then use the CA certificate and private key to
sign the web server CSR, generating a certificate for your web server.
Then install the certificate for your web server on your web server in
the correct location.
Or, the problem may be that you did not intend to have your own
Certification Authority and instead wanted to generate a self-signed
certificate for use with your web server. In this case, the problem is
that the self-signed certificate you generated has the CA flag set. The
solution is to create a new self-signed certificate but to ensure that
the CA flag is not set.
If you are unsure, then you probably do not want to have your own
Certification Authority. In this case, either use a commercial SSL
certificate or a self-signed SSL certificate.
> RSA server certificate CommonName (CN) 'localhost.localdomain' does
> NOT match server name!?
Every certificate has a name that describes what the certificate applies
to. Web browsers will check the name in the certificate against the
server name in the URL the user is accessing to see if they match; if
they do not match, the web browser will warn the user that they might be
visiting a fraudulent site. In this case, you generated a certificate
with a common name (CN) of localhost.localdomain, which would only be
correct if users accessed your site via the URL
https://localhost.localdomain/
The solution is to re-generate the certificate with a common name (CN)
that matches the name of the site. For example, if your web server
configuration contains the directive "ServerName www.example.com", then
you should generate a certificate with the CN www.example.com.
I hope this helps. If you have additional questions, or if the answers
above are not clear, please ask.
--
Mark Montague
mark@catseye.org
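The procedure Mark describes for the second scenario (keep the CA separate, generate a server key and CSR, sign it with the CA, and make the name match the vhost) and the two checks mod_ssl is performing at startup, written out as a shell script. This is an added example, not code from the thread or from the Apache project. It assumes the openssl command-line tool is installed; the host names www.xyz.com and xyz.com come from the posted config, while the file names, the 'Example Private CA' subject and the demo-pki directory are this example's own choices. In real use the CA key and certificate would stay on a separate machine and only server.csr would travel to it; the script keeps everything in one directory so it runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the thread): build a private CA, issue a server
# certificate whose name matches the vhost, and check the two properties
# mod_ssl complained about (CA flag, and name vs. ServerName).
set -eu

# Minimal OpenSSL config: one extension section for the CA certificate
# (CA:TRUE) and one for the server certificate (CA:FALSE plus SANs).
write_openssl_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = placeholder

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.xyz.com, DNS:xyz.com
EOF
}

# Create the CA key and self-signed CA cert, then the server key, CSR and a
# CA-signed server cert, all under directory $1 (one directory only so the
# demo is self-contained; the CA key belongs elsewhere in production).
build_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    write_openssl_cnf "$dir/openssl.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Example Private CA" \
        -config "$dir/openssl.cnf" -extensions v3_ca 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=www.xyz.com" -config "$dir/openssl.cnf" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions v3_server \
        -out "$dir/server.crt" 2>/dev/null
}

# Print "yes" if the certificate carries basicConstraints CA:TRUE, else "no".
cert_is_ca() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo yes
    else
        echo no
    fi
}

# Print the certificate's subject CN (RFC2253 form is stable across versions).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed only if $1 is a non-CA certificate whose CN or a DNS SAN equals $2
# (the dots in $2 act as regex wildcards here, which is fine for a demo).
check_server_cert() {
    cert=$1; name=$2
    [ "$(cert_is_ca "$cert")" = no ] || return 1
    if [ "$(cert_cn "$cert")" = "$name" ]; then
        return 0
    fi
    openssl x509 -in "$cert" -noout -text | grep -Eq "DNS:$name([, ]|$)"
}

pki=${PKI_DIR:-./demo-pki}
build_demo_pki "$pki"
for f in ca.crt server.crt; do
    printf '%s: CA=%s CN=%s\n' "$f" "$(cert_is_ca "$pki/$f")" "$(cert_cn "$pki/$f")"
done
```

Running it prints CA=yes for ca.crt and CA=no for server.crt, which is exactly the distinction behind the first warning; the poster's xyz.com.crt can be inspected the same way with `openssl x509 -in /usr/local/xyzssl/xyz.com.crt -noout -text`. Note that current browsers match the host name against subjectAltName entries and ignore the CN, so the server section sets both; mod_ssl's startup check is about the CN, which is why the thread talks about it.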