05-24-2017, 10:24 AM   #1
NotionCommotion
Difference between RSA ID and server name


The following is a very fresh CentOS 7 Apache 2.4 install. Config files haven't been changed except for the last line of httpd.conf as shown. mod_ssl and openssl have been installed. Certificates came from sslforfree, and I have successfully used them at other sites so they are not the issue. http website works, but https times out. Firewall was disabled to make extra sure, and isn't the issue.

As seen, I am getting error [ssl:warn] [pid 2459] AH01909: RSA certificate configured for example.com:443 does NOT include an ID which matches the server name. But openssl shows it as being correct.

What is going wrong?

Thank you

Code:
[root@example ~]# tail -1 /etc/httpd/conf/httpd.conf
IncludeOptional sites-enabled/*.conf
[root@example ~]# cat /etc/httpd/sites-available/corperate.conf
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/corperate/html
    <Directory "/var/www/corperate/html">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
        RewriteEngine On
    </Directory>
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/corperate/html
    SSLEngine on
    SSLCertificateFile "/etc/pki/tls/certs/certificate.crt"
    SSLCertificateKeyFile "/etc/pki/tls/private/private.key"
    SSLCACertificateFile "/etc/pki/tls/certs/ca_bundle.crt"
    <Directory "/var/www/corperate/html">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
        RewriteEngine On
    </Directory>
</VirtualHost>
[root@example ~]# openssl x509 -in /etc/pki/tls/certs/certificate.crt -noout -subject
subject= /CN=example.com
[root@example ~]# tail -2 /var/log/httpd/ssl_error_log
[Wed May 24 14:34:18.641188 2017] [ssl:warn] [pid 2413] AH01909: RSA certificate configured for example.com:443 does NOT include an ID which matches the server name
[Wed May 24 14:34:18.675031 2017] [ssl:warn] [pid 2413] AH01909: RSA certificate configured for example.com:443 does NOT include an ID which matches the server name
[root@example ~]# systemctl restart httpd.service
[root@example ~]# tail -2 /var/log/httpd/ssl_error_log
[Wed May 24 14:36:41.201521 2017] [ssl:warn] [pid 2459] AH01909: RSA certificate configured for example.com:443 does NOT include an ID which matches the server name
[Wed May 24 14:36:41.226252 2017] [ssl:warn] [pid 2459] AH01909: RSA certificate configured for example.com:443 does NOT include an ID which matches the server name
[root@example ~]# hostnamectl status
   Static hostname: example.com
         Icon name: computer-vm
           Chassis: vm
        Machine ID: xxx
           Boot ID: xxx
    Virtualization: vmware
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-514.16.1.el7.x86_64
      Architecture: x86-64
[root@example ~]# httpd -S
VirtualHost configuration:
*:80                   example.com (/etc/httpd/sites-enabled/corperate.conf:1)
*:443                  is a NameVirtualHost
         default server example.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost example.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost example.com (/etc/httpd/sites-enabled/corperate.conf:12)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48
[root@example ~]# sed -n '56p' < /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>
[root@example ~]#
 
05-24-2017, 10:49 AM   #2
NotionCommotion
Original Poster
A clue!!!

/etc/httpd/conf.d/ssl.conf creates a default host <VirtualHost _default_:443>.

If I delete it, I don't get the error, but https still times out.

I think how I defined the virtual host must somehow be wrong. Doesn't make sense because the 80 vh is fine, just not the 443 vh.
 
05-25-2017, 07:36 PM   #3
AwesomeMachine
If httpd creates a virtual default 443 host, then maybe you are winding up with two of them.
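
Added example, not part of the thread: a small check for the situation shown in the `httpd -S` output above, where the same ServerName appears twice on port 443. Apache serves the first matching name-based vhost in configuration order, so the script reports which definition wins and which is shadowed. The function names are hypothetical and the sample input is constructed from the output posted in #1.

```shell
#!/bin/sh
# Constructed sample: the vhost part of the `httpd -S` output posted in #1.
sample_httpd_S() {
cat <<'EOF'
VirtualHost configuration:
*:80                   example.com (/etc/httpd/sites-enabled/corperate.conf:1)
*:443                  is a NameVirtualHost
         default server example.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost example.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost example.com (/etc/httpd/sites-enabled/corperate.conf:12)
ServerRoot: "/etc/httpd"
EOF
}

# find_shadowed_vhosts (hypothetical helper): reads `httpd -S` output on stdin.
# For each port/ServerName pair defined in more than one place it prints
#   <port> <name> <winning file:line> <shadowed file:line>
# The first "namevhost" line for a pair is the one Apache matches first.
find_shadowed_vhosts() {
    awk '
    $1 == "port" && $3 == "namevhost" {
        key = $2 " " $4              # port + server name
        loc = $5
        gsub(/[()]/, "", loc)        # strip the parentheses around file:line
        if (key in first) {
            if (loc != first[key]) {
                print key, first[key], loc
            }
        } else {
            first[key] = loc
        }
    }'
}

# Stand-alone run against the constructed sample.
# On a live host: httpd -S 2>&1 | find_shadowed_vhosts
sample_httpd_S | find_shadowed_vhosts
```

For the sample, the winning definition is `/etc/httpd/conf.d/ssl.conf:56`, so the certificate directives inside `corperate.conf:12` are not the ones being served for that name.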
 
  

