Ubuntu – Server certificate does NOT include an ID which matches the server name


Our server was upgraded yesterday so it now has a more updated Ubuntu, Apache 2.4.10, PHP etc. After I put everything back, Apache started complaining about my configuration.

The server hosts a site which is using wildcards for dynamic content for different customers and contains 3 wildcard certificates for different services for these customers.

A part of the config with a wildcard looks like this:

<VirtualHost *:80>
    ServerName *.dashboard.example.com
    ServerAlias *.dashboard.example.com
    RewriteEngine On
    # Capture the customer label and redirect to the HTTPS vhost
    RewriteCond %{HTTP_HOST} ^(.+)\.dashboard\.example\.com$
    RewriteRule ^/(.*)$ https://%1.dashboard.example.com/$1 [R=302,L]
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@example.com
    ServerName *.dashboard.example.com
    ServerAlias *.dashboard.example.com
    DocumentRoot /var/www/dashboard.example.com/web

    <Directory />
        AllowOverride All
        Options -Indexes +MultiViews +FollowSymLinks
        Order Deny,Allow
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/dashboard.example.com-error.log
    CustomLog /var/log/apache2/dashboard.example.com-access.log combined

    SSLEngine on
    # Bundle: server certificate followed by the intermediate(s)
    SSLCertificateFile /etc/ssl/certs/bundle_wc_dashboard_example_com.crt
    SSLCertificateKeyFile /etc/ssl/certs/wildcard_dashboard_example_com.key
</VirtualHost>

Note that I'm using a bundle as the certificate file. Using separate files for the intermediate and root certificates gives an even worse result in SSL checks: the GeoTrust certificate is then not recognised. My SSL certificate supplier explained that as of Apache 2.4, the certificates should be bundled.

So this does not work for me:

SSLCertificateFile /etc/ssl/certs/wildcard_dashboard_example_com.crt
SSLCertificateKeyFile /etc/ssl/certs/wildcard_dashboard_example_com.key
SSLCertificateChainFile /etc/ssl/certs/GeoTrust_Global_CA.crt
SSLCertificateChainFile /etc/ssl/certs/RapidSSL_SHA256_CA_G3.crt

The above however, did work on Apache 2.2.

When I try to start apache it complains about the ServerName value:

[FAIL] Reloading web server: apache2 failed!
[warn] The apache2 configtest failed. Not doing anything. ... (warning).
Output of config test was:
AH00526: Syntax error on line 42 of /etc/apache2/sites-enabled/3-production.conf:
Invalid ServerName "*.dashboard.example.com" use ServerAlias to set multiple server names.
Action 'configtest' failed.
The Apache error log may have more information.

So it seems the asterisk is not allowed. If I remove the asterisk, apache starts, but an error appears in the domain's error log:

[Fri Mar 11 10:32:13.821304 2016] [ssl:warn] [pid 18019] AH01909: dashboard.example.com:443:0 server certificate does NOT include an ID which matches the server name

From other sources I found the following command, which should be used to determine the CommonName which should be used as ServerName:

openssl x509 -in wildcard_dashboard_example_com.crt -noout -subject

Which returns:

subject= /CN=*.dashboard.example.com

My browser does show a green lock, but SSL checks complain that I'm missing an intermediate/chain certificate file (see screenshot). The same problem occurs on the same server for 2 other wildcard domains and 1 normal subdomain which isn't a wildcard. Even there, Apache claims the server certificate does NOT include an ID which matches the server name.

Any idea on how I can fix this? Anything else I can do to check what's wrong?

[Screenshot: Failed SSL check]

Update May 18 2016

I fixed this at the start of April. It appeared that the company who provided the SSL certificates gave us an old root certificate. They mailed me a zip containing both a bundled certificate and separate certificate files. I tried installing these multiple times. Then I compared the contents of all the files manually with other sites that did work. I noticed a difference and re-downloaded the certificates manually from their site.

The GeoTrust certificate was different. After installing it everything worked like a charm. My boss told me he would contact them about this, but unfortunately this never happened. Happy it's working now anyway.

Best Answer

If the certificate is valid for specifically only *.dashboard.example.com, it's not valid for dashboard.example.com (the latter does not match the wildcard).

ServerName is used to specify the canonical name (one single name) for the site.
Additional names and wildcards only go into ServerAlias.

Setting eg ServerName foo.dashboard.example.com should work (in combination with the ServerAlias you have).

Regarding the mentioned issues with the certificate chain, these do not appear to be related to the actual question.
I would suggest ensuring that all required intermediate certificates are correctly bundled.

As you noted, SSLCertificateChainFile is obsolete; you do not need to use it, you can just put all the certificates in SSLCertificateFile.

The Qualys SSL Labs test can be used for seeing if any intermediate certs are missing or if there are other issues.