Linux – Common Name does not match Server Name – SSL Certificate

apache-2.2debianlinuxsslssl-certificate

I recently purchased an SSL certificate.

I've got www.site.com.key, www.site.com.csr, intermedia.pem, www.site.com.crt all set up in my /etc/ssl/localcerts folder.

When I open my browser I get the following :

Connection information

The other problem I get is within /var/log/apache2/error.log :

[warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

[warn] RSA server certificate CommonName (CN) `site.com' does NOT match server name!?

I think the problem is that I've submitted the .csr file with the common name being site.com instead of www.site.com. Therefore the common name, not matching with my server name – www.site.com

Is there any way to get around this problem by manipulating the servername on the server? How can I do this? Or do I have to re-consider getting another SSL certificate with the right credentials?

Thanks in advance.

Best Answer

I would not change the server name, since that would mean that all your search engine results would need updating, and that will take time.

When purchasing server certificates, the standard way is to send the .csr with www. prefix. The certificate provider will then issue a certificate both with and without the prefix.

Related Solutions

Redhat – Apache Config: RSA server certificate CommonName (CN) … NOT match server name

You have two VirtualHosts's configured with different SSL certificates. In every VirtualHost you must define ServerName parameter, which match CN field from SSL certificate.

But CN - ServerName mismatch shouldn't cause apache to crash. Probably one module has memleak or memory corruption error. Do you have any non standard module loaded into apache? Please, execute httpd -M and provide output.

SSL Error – Unable to Read Server Certificate from File

Is it possible that the lines are ^M-terminated? This is a potential issue when moving files from Windows to UNIX systems. One easy way to check is to use vi in "show me the binary" mode, with vi -b /etc/apache2/domain.ssl/domain.ssl.crt/domain.com.crt.

If each line ends with a control-M, like this

you've got a file in Windows line-terminated format, and apache doesn't love those.

Your options include moving the file over again, taking more care; or using the dos2unix command to strip those out; you can also remove them inside vi, if you're careful.

Edit: thanks to @dave_thompson_085, who points out that this answer no longer applies in 2019. That is, Apache/OpenSSL are now tolerant of ^M-terminated lines, so they don't cause problems. That said, other formatting errors, several different examples of which appear in the comments, can still cause problems; check carefully for these if the certificate has been moved across systems.

Best Answer

Related Solutions

Redhat – Apache Config: RSA server certificate CommonName (CN) … NOT match server name

SSL Error – Unable to Read Server Certificate from File

Related Topic