Old 02-12-2019, 07:00 AM   #1
R.N.RAM KANNAN
LQ Newbie
 
Registered: Oct 2009
Posts: 28

Rep: Reputation: 0
server certificate does NOT include an ID which matches the server name


Hi All,

I am able to open my application in http (80).

I am getting the below error and I am not able to access my application in https (SSL).

I have configured self signed certificate for this application.


[Mon Feb 11 16:31:13.123279 2019] [ssl:warn] [pid 3315] AH01906: remis:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Feb 11 16:31:13.123336 2019] [ssl:warn] [pid 3315] AH01909: remis:443:0 server certificate does NOT include an ID which matches the server name
[Mon Feb 11 16:31:13.867888 2019] [ssl:warn] [pid 3317] AH01906: remis:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Feb 11 16:31:13.867944 2019] [ssl:warn] [pid 3317] AH01909: remis:443:0 server certificate does NOT include an ID which matches the server name

****************

SslEngine is ON

SSL port 443 is listening

I have checked that all the virtual host configuration is correct and I have done all troubleshooting.

Virtual host config file:

<VirtualHost *:443>
DocumentRoot "/usr/local/namess/apache/htdocs"
ServerName remis:443
SSLCertificateFile /usr/local/namess/apache/conf/ssl.crt/server.key
SSLCertificateFile /usr/local/namess/apache/conf/ssl.crt/server.csr
SSLCertificateFile /usr/local/namess/apache/conf/ssl.crt/server.crt
</VirtualHost>


**********

[root@remis ~]# apachectl configtest
Syntax OK
[root@remis ~]#

**************

[root@remis ~]# openssl verify /root/ssltemp/server.crt
/root/ssltemp/server.crt: C = IN,Chennai, L = Chennai, O = remis company, CN = remis.company.com
error 18 at 0 depth lookup:self signed certificate
OK
[root@remis ~]#

*****************
[root@remis ~]# ls -l /usr/local/namess/apache/conf/ssl.key/server.key
-rw-r--r-- 1 namess namess 1679 Feb 11 16:24 /usr/local/namess/apache/conf/ssl.key/server.key

[root@remis ~]# ls -l /usr/local/namess/apache/conf/ssl.csr/server.csr
-rw------- 1 namess namess 1013 Feb 11 16:27 /usr/local/namess/apache/conf/ssl.csr/server.csr

[root@remis ~]# ls -l /usr/local/namess/apache/conf/ssl.crt/server.crt
-rw-r--r-- 1 namess namess 1334 Feb 11 16:28 /usr/local/namess/apache/conf/ssl.crt/server.crt
[root@remis ~]#

Can anyone help me to resolve this issue?

Thanks in advance
Ram

Last edited by R.N.RAM KANNAN; 02-12-2019 at 07:34 AM.
 
Old 02-12-2019, 09:36 AM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 21,043

Rep: Reputation: 5263
Quote:
Originally Posted by R.N.RAM KANNAN View Post
Hi All,
I am able to open my application in http (80). I am getting the below error and I am not able to access my application in https (SSL). I have configured self signed certificate for this application.
Code:
[Mon Feb 11 16:31:13.123279 2019] [ssl:warn] [pid 3315] AH01906: remis:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Feb 11 16:31:13.123336 2019] [ssl:warn] [pid 3315] AH01909: remis:443:0 server certificate does NOT include an ID which matches the server name
[Mon Feb 11 16:31:13.867888 2019] [ssl:warn] [pid 3317] AH01906: remis:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Feb 11 16:31:13.867944 2019] [ssl:warn] [pid 3317] AH01909: remis:443:0 server certificate does NOT include an ID which matches the server name
SslEngine is ON
SSL port 443 is listening

I have checked that all the virtual host configuration is correct and I have done all troubleshooting. Virtual host config file:
Code:
<VirtualHost *:443>
DocumentRoot "/usr/local/namess/apache/htdocs"
ServerName remis:443
SSLCertificateFile /usr/local/namess/apache/conf/ssl.crt/server.key
SSLCertificateFile /usr/local/namess/apache/conf/ssl.crt/server.csr
SSLCertificateFile /usr/local/namess/apache/conf/ssl.crt/server.crt
</VirtualHost>

**********

[root@remis ~]# apachectl configtest
Syntax OK
[root@remis ~]#

**************

[root@remis ~]# openssl verify /root/ssltemp/server.crt
/root/ssltemp/server.crt: C = IN,Chennai, L = Chennai, O = remis company, CN = remis.company.com
error 18 at 0 depth lookup:self signed certificate
OK

*****************
[root@remis ~]# ls -l /usr/local/namess/apache/conf/ssl.key/server.key
-rw-r--r-- 1 namess namess 1679 Feb 11 16:24 /usr/local/namess/apache/conf/ssl.key/server.key

[root@remis ~]# ls -l /usr/local/namess/apache/conf/ssl.csr/server.csr
-rw------- 1 namess namess 1013 Feb 11 16:27 /usr/local/namess/apache/conf/ssl.csr/server.csr

[root@remis ~]# ls -l /usr/local/namess/apache/conf/ssl.crt/server.crt
-rw-r--r-- 1 namess namess 1334 Feb 11 16:28 /usr/local/namess/apache/conf/ssl.crt/server.crt
Can anyone help me to resolve this issue?
Please wrap things in CODE tags to make them easier to read. And did you read what you posted? I bolded and underlined some things for emphasis above, and the errors are VERY clear. Your certificate wasn't generated/renewed correctly. And since you have 'done all troubleshooting.', did you look up those errors, or read the OpenSSL docs?
Quote:
Originally Posted by OpenSSL
Whatever method you use to generate the certificate and key files, the Common Name value used for the server and client certificates/keys must each differ from the Common Name value used for the CA certificate. Otherwise, the certificate and key files will not work for servers compiled using OpenSSL.
You are getting a *WARNING* of "server certificate does NOT include an ID which matches the server name" which is not an error. It indicates that you made a configuration error in that either the wrong TLS server certificate has been set, or that Apache can't match the ServerName to the common name or any of subjectAlternateName in the certificate.

Try switching the ServerName and ServerAlias directives, or generate your certificate correctly. And again, you've not provided ANY details (version/distro of Linux, version of Apache, and what your 'application' actually is) that would let anyone help you further.

Last edited by TB0ne; 02-12-2019 at 09:38 AM.
 
1 members found this post helpful.
Old 02-13-2019, 02:35 AM   #3
R.N.RAM KANNAN
LQ Newbie
 
Registered: Oct 2009
Posts: 28

Original Poster
Rep: Reputation: 0
Thanks TBOne.

Still I am getting the same error.



[root@remis ~]# openssl verify /root/ssltemp/server.crt
/root/ssltemp/server.crt: C = IN,Chennai, L = Chennai, O = remis company, CN = remis.company.com
error 18 at 0 depth lookup:self signed certificate
OK
[root@remis ~]#

My hostname and common name are the same but still I am facing the same issue.

ServerName remis:443 (Virtual host entry)

URL: https://remis/namess

Does anyone have any idea on this?

I followed the below steps to generate certificates.

openssl genrsa 2048 > server.key
openssl req -new -key server.key > server.csr
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt


Thanks
Ram Kannan.

Last edited by R.N.RAM KANNAN; 02-13-2019 at 02:40 AM.
 
Old 02-13-2019, 07:43 AM   #4
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 21,043

Rep: Reputation: 5263
Quote:
Originally Posted by R.N.RAM KANNAN View Post
Thanks TBOne.
Still I am getting the same error.
Code:
[root@remis ~]# openssl verify /root/ssltemp/server.crt
/root/ssltemp/server.crt: C = IN,Chennai, L = Chennai, O = remis company, CN = remis.company.com
error 18 at 0 depth lookup:self signed certificate
OK
[root@remis ~]#
My hostname and common name are the same but still I am facing the same issue.

ServerName remis:443 (Virtual host entry)
URL: https://remis/namess
Does anyone have any idea on this? I followed the below steps to generate certificates.

openssl genrsa 2048 > server.key
openssl req -new -key server.key > server.csr
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
As you were told before, put things in CODE tags so they're easier to read. And did you read all of what you were told??? You were given things to try in your Apache configuration, and the file you're running the check on is **NOT** the same as the one in the original error message. And again, did you read what you posted??

You're saying the hostname and common name are the same. Did you actually read the openssl documentation I posted??
 
Old 02-13-2019, 08:21 AM   #5
sevendogsbsd
Member
 
Registered: Sep 2017
Distribution: None, just FreeBSD
Posts: 597

Rep: Reputation: Disabled
OpenSSL is complaining because the certificate is self signed, which is a different error message than your first post. Self signed certificates are not "trustable" because they are not issued from a certificate authority or root (or they are a root themselves). By their nature, all root certs are self-signed, but I digress...

Read the documentation TBone provided first.

What is the purpose of this web server, internal use only or do you intend to expose it to the Internet and allow people to access it?

Last edited by sevendogsbsd; 02-13-2019 at 11:41 AM.
 
1 members found this post helpful.
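
Added example, not part of any post in this thread: a shell script that builds a constructed certificate showing the two conditions logged in post #1 (CA:TRUE, and a CN of remis.company.com checked against ServerName remis), then a leaf certificate whose subjectAltName covers the ServerName, and audits both. The function names make_cert and audit_cert, the temp directory and the extension sections are assumptions made for the example; it needs the openssl CLI.

```shell
#!/bin/sh
# Added example. The names remis and remis.company.com come from the thread;
# the certificates, config sections and temp paths are constructed for the demo.
set -eu
umask 077   # new private keys are created 0600 rather than world-readable

# make_cert OUT CN BASIC_CONSTRAINTS [SAN]: self-signed cert from an inline config
make_cert() {
    out=$1 cn=$2 bc=$3 san=${4:-}
    {
        printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\nprompt=no\n'
        printf '[dn]\nCN=%s\n[ext]\nbasicConstraints=%s\n' "$cn" "$bc"
        [ -z "$san" ] || printf 'subjectAltName=%s\n' "$san"
    } > "$out.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$out.cnf" \
        -keyout "$out.key" -out "$out.crt" 2>/dev/null
}

# audit_cert CRT SERVERNAME: prints findings, returns 0 only when there are none
audit_cert() {
    crt=$1 name=$2 rc=0
    # AH01906: the server certificate carries BasicConstraints CA:TRUE
    if openssl x509 -in "$crt" -noout -text | grep -q 'CA:TRUE'; then
        echo "$crt: BasicConstraints CA:TRUE (AH01906)"; rc=1
    fi
    # AH01909: neither a SAN DNS entry nor the CN matches the ServerName
    if ! openssl x509 -in "$crt" -noout -checkhost "$name" | grep -q 'does match'; then
        echo "$crt: no CN/SAN matches ServerName $name (AH01909)"; rc=1
    fi
    return $rc
}

demo() {
    d=$(mktemp -d)
    # Constructed "before": CN differs from the ServerName and CA is TRUE
    make_cert "$d/before" remis.company.com critical,CA:TRUE
    # "After": leaf certificate with both names listed in subjectAltName
    make_cert "$d/after" remis critical,CA:FALSE DNS:remis,DNS:remis.company.com
    audit_cert "$d/before.crt" remis || true
    audit_cert "$d/after.crt" remis && echo "$d/after.crt: OK for ServerName remis"
}

demo
```

Point audit_cert at the file named by SSLCertificateFile in the running configuration, not at a copy elsewhere, so the check covers the certificate Apache actually loads.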
  