Apache SSL: server cert does not include ID which matches server name
Score: 13
I'm trying to set up SSL on my apache2 webserver, but it seems that it does not work at all.
I have followed a tutorial to create cert files with openssl and configured the /etc/apache2/sites-available/default-ssl.conf properly.
Every time I try to open my website with https, my browser refuses to connect due to security issues. It says that I haven't configured my website correctly.
In my /var/log/apache2/error.log I'm getting warnings, which say that my server certificate does not include an ID which matches the server name.
[Mon Apr 10 11:03:24.041813 2017] [mpm_prefork:notice] [pid 1222] AH00169: caught SIGTERM, shutting down
[Mon Apr 10 11:03:30.566578 2017] [ssl:warn] [pid 661] AH01909: 127.0.0.1:443:0 server certificate does NOT include an ID which matches the server name
[Mon Apr 10 11:03:31.579088 2017] [ssl:warn] [pid 1194] AH01909: 127.0.0.1:443:0 server certificate does NOT include an ID which matches the server name
[Mon Apr 10 11:03:31.592958 2017] [mpm_prefork:notice] [pid 1194] AH00163: Apache/2.4.25 (Raspbian) OpenSSL/1.0.2k configured -- resuming normal operations
[Mon Apr 10 11:03:31.593136 2017] [core:notice] [pid 1194] AH00094: Command line: '/usr/sbin/apache2'
Do you have any ideas on how to solve this? Thanks in advance!
apache-httpd openssl webserver ssl https
edited Apr 10 '17 at 13:03
asked Apr 10 '17 at 11:21
pixelmusic
Were you using Apache 2.2 or 2.4? I upgraded from 2.2 to 2.4 and am getting this error. In my case it's not a public server, it's an internal one, so I'm guessing a self-signed certificate will do.
– svhyd
Oct 26 '17 at 18:49
I was using Apache 2.2 on my public server (Debian 8) when I got this error. After switching to Let's Encrypt the error was gone, so I guess it was the self-signed certificate that caused the error.
– pixelmusic
Nov 1 '17 at 7:24
5 Answers
Score: 3 (accepted)
Okay, I noticed that this post is viewed quite often recently and so it seems that a lot of people are facing the same issue that I did. If so then this might help you.
I have followed a simple step-by-step tutorial to create an SSL certificate for my webserver. Like so many tutorials out there, the outcome of the tutorial I followed was a self-signed certificate using OpenSSL. Yep, self-signed, that was the problem. The browser could not trust the server due to its certificate, which is signed by itself. Well, I wouldn't do either...
A certificate has to be signed by an external trustworthy certificate authority (CA). So I stumbled upon Let's Encrypt which does all the work for you and is even easier to set up and the best is: it is absolutely free.
Installation
1) Delete your old ssl cert files which you have created by using OpenSSL
2) Open backports to get the certbot client on Debian. You should know that this will open a hole for unfinished software! Only install packages when you are aware of what you are doing.
echo 'deb http://ftp.debian.org/debian jessie-backports main' | sudo tee /etc/apt/sources.list.d/backports.list
3) Update your linux system
sudo apt-get update
4) Install certbot
sudo apt-get install python-certbot-apache -t jessie-backports
5) Set up apache ServerName and ServerAlias
sudo nano /etc/apache2/sites-available/000-default.conf
6) Edit apache config file
<VirtualHost *:80>
. . .
ServerName example.com
ServerAlias www.example.com
. . .
</VirtualHost>
7) Check for a correct syntax
sudo apache2ctl configtest
8) If the config file looks fine, restart apache server
sudo systemctl restart apache2
9) Set up a certificate using certbot and follow the instruction on screen.
sudo certbot --apache
Renewal
All certificates by Let's Encrypt are valid for 3 months. To renew them you can manually run
sudo certbot renew
Or automate this service as a cron job
sudo crontab -e
and enter the following row to invoke a renewal every Monday at 2:30 am.
. . .
30 2 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log
I hope this or one of the other great answers will help you out. As for me, this was the solution that worked. You can follow a more detailed tutorial here: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-8
edited Jul 27 '17 at 7:35
answered Jul 3 '17 at 8:40
pixelmusic
Score: 2
If you are seeing no other SSL errors,
and if you have tried setting 'LogLevel debug' in the httpd.conf file,
this error message can also suggest 'Listen 443' is missing from the httpd.conf file.
answered Oct 4 '17 at 19:57
BenjaminBrink
I totally forgot to make Apache listen to 443; it was only listening to 80. Thanks.
– Robert
Apr 2 at 21:21
Score: 0
Those are not errors - they are warnings. It is quite possible to run mod_ssl with a certificate which doesn't match the defined server names as long as you have a default ssl host defined and the common name on the certificate matches the host name used by clients to connect.
The latter does not appear to be true in your case. As Jacob says, you need to specify the correct host name as the common name (or an alias) when you create a CSR.
To see what name(s) are currently on the certificate:
openssl s_client -showcerts -connect ${HOSTNAME}:443
If there are multiple certificates installed on the machine and served on the same IP address, then:
openssl s_client -showcerts -connect ${HOSTIP}:443 -servername ${HOSTNAME}
(where the ${...} values are placeholders you should replace with the relevant values).
answered Apr 10 '17 at 12:20
symcbean
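The name comparison behind the AH01909 warning, as an added example that is not part of the original answers: it pulls the subject CN and the subjectAltName DNS entries out of `openssl x509 -noout -text` output and checks them against a vhost's ServerName, allowing a wildcard for one leftmost label. The function names, the sample certificate text and the wildcard rule are assumptions of this example, not mod_ssl's own code.

```sh
#!/bin/sh
# Added example (not from the page): does a vhost ServerName appear in a cert?
# Input is certificate text as printed by:
#   openssl x509 -in <certificate file> -noout -text

# Constructed sample, trimmed to the fields that matter here.
SAMPLE_CERT_TEXT='Certificate:
    Data:
        Issuer: CN = www.example.com
        Subject: C = DE, O = Example, CN = www.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:*.internal.example.com'

# Print every identity in the certificate text, one per line, lower-cased:
# the subject CN first, then each DNS entry of the subjectAltName extension.
cert_ids() {
    {
        # Handles both "CN=host" (OpenSSL 1.0.x) and "CN = host" (1.1 and later).
        printf '%s\n' "$1" |
            sed -n 's|^[[:space:]]*Subject:.*CN *= *\([^,/]*\).*|\1|p'
        # SAN entries are comma separated; put one per line, keep the DNS ones.
        printf '%s\n' "$1" | tr ',' '\n' |
            sed -n 's|^.*DNS:\([^[:space:]]*\).*$|\1|p'
    } | tr -d ' ' | tr '[:upper:]' '[:lower:]'
}

# Return 0 if NAME equals ID, or if ID is "*.domain" and NAME is exactly one
# label in front of that domain. Both arguments must already be lower case.
id_matches() {
    id=$1
    name=$2
    if [ "$id" = "$name" ]; then return 0; fi
    case $id in
        '*.'*)
            case $name in
                *.*) if [ ".${name#*.}" = "${id#?}" ]; then return 0; fi ;;
            esac ;;
    esac
    return 1
}

# check_servername CERT_TEXT SERVERNAME
# Returns 0 on a match and 1 on a mismatch (the situation AH01909 reports).
check_servername() {
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    ids=$(cert_ids "$1")
    # Read line by line so that "*" in a wildcard ID is never glob-expanded.
    while IFS= read -r cid; do
        if id_matches "$cid" "$want"; then
            echo "OK: '$2' matches certificate ID '$cid'"
            return 0
        fi
    done <<EOF
$ids
EOF
    echo "MISMATCH: '$2' is not among: $(printf '%s' "$ids" | tr '\n' ' ')"
    return 1
}

# Demo on the constructed sample. 127.0.0.1 is the server name Apache printed
# in the question's log; a certificate issued for a host name cannot match it.
check_servername "$SAMPLE_CERT_TEXT" "www.example.com"
check_servername "$SAMPLE_CERT_TEXT" "127.0.0.1" || true
```

To check a real file, pass `"$(openssl x509 -in <certificate file> -noout -text)"` as the first argument and the vhost's ServerName as the second.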
Score: 0
I ran into this problem recently, when my self-signed certificate expired. I googled and just copied the command for creating a new certificate from one web site.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/apache2/ssl/apache.crt
In my apache config file: /etc/apache2/sites-available/default-ssl.conf. The certificate file & key file refer to the following filename.
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
Hence, the error seen here in my case was an easier fix, just by providing the correct location of the certificate key file when creating the SSL certificate.
So, here is the command that I should have used & typed correctly.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
answered Dec 12 '17 at 10:14
Bhoom Suktitipat
up vote
0
down vote
In my case I resolved this by replacing, in my Apache SSL config file for each concerned domain:
ServerName mydomain.com
ServerAlias www.mydomain.com
by:
ServerName www.mydomain.com
ServerAlias mydomain.com
Because my certificate is for "www.mydomain.com" and not for "mydomain.com".
Complete Apache file:
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin noreply@mydomain.com
    # ServerName must be a name the certificate was issued for
    ServerName www.mydomain.com
    ServerAlias mydomain.com
    DocumentRoot /home/mydomain.com/public_html
    # Compress responses, except already-compressed file types
    SetOutputFilter DEFLATE
    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|ico|png)$ no-gzip dont-vary
    SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
    SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
    <Directory />
        Options +FollowSymLinks
        AllowOverride All
    </Directory>
    <Directory /home/mydomain.com/public_html>
        Options -Indexes +FollowSymLinks +MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride All
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
    # Certificate and key issued for www.mydomain.com
    SSLCertificateFile /etc/letsencrypt/live/www.mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.mydomain.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
answered Nov 30 at 20:12
user2267379
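Added example, not part of either answer above: the two answers come down to two checks, that the key file Apache loads belongs to the certificate, and that the certificate names the host given in ServerName (the condition the AH01909 warning reports). The script builds constructed test material in a temporary directory; the host name www.example.test, the file names and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example. Host names and file names below are constructed.

# Succeeds only if the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate ($1) is valid for host name ($2).
# The verdict is taken from the message openssl prints.
cert_covers_name() {
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q 'does match certificate'
}

# Create a self-signed certificate for www.example.test in directory $1,
# plus an unrelated key standing in for a key written to the wrong path.
make_demo() {
    cat > "$1/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = www.example.test
[ext]
subjectAltName = DNS:www.example.test
EOF
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -config "$1/san.cnf" \
        -keyout "$1/apache.key" -out "$1/apache.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

dir=$(mktemp -d) && make_demo "$dir" || exit 1
for key in apache.key other.key; do
    if key_matches_cert "$dir/apache.crt" "$dir/$key"; then
        echo "$key: belongs to apache.crt"
    else
        echo "$key: does NOT belong to apache.crt"
    fi
done
for name in www.example.test example.test; do
    if cert_covers_name "$dir/apache.crt" "$name"; then
        echo "$name: covered by certificate"
    else
        echo "$name: NOT covered by certificate"
    fi
done
```

Against a real server, pass the paths from SSLCertificateFile and SSLCertificateKeyFile and the value of ServerName to the two check functions.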
Were you using Apache 2.2 or 2.4? I upgraded from 2.2 to 2.4 and am getting this error. In my case it's not a public server, it's an internal one, so I'm guessing a self-signed certificate will do.
– svhyd
Oct 26 '17 at 18:49
I was using Apache 2.2 on my public server (Debian 8) when I got this error. After switching to Let's Encrypt the error was gone, so I guess it was the self-signed certificate that caused the error.
– pixelmusic
Nov 1 '17 at 7:24