2

I have a static IP which gets routed requests through my firewall. This server has a wildcard SSL certificate that for some reason decided it no longer wants to work. In my httpd.conf I have the following configuration for the server:

ServerName 10.200.2.15  
NameVirtualHost 10.200.2.15:443  
Listen 10.200.2.15:443

I have mod_ssl enabled, etc. I then have a virtual host configured:

< VirtualHost 10.200.2.15:443 >  
ServerName v3.mysite.com  
ServerAdmin webmaster@example.com  
DocumentRoot "/Library/WebServer/Documents"  
DirectoryIndex index.html index.php login.jhtml  
ErrorLog "/private/var/log/httpd/error_log"  
< IfModule mod_ssl.c >  
SSLEngine On  
SSLLog "/private/var/log/httpd/ssl_engine_log"  
SSLCertificateFile "/etc/certificates/_.mysite.com.crt"  
SSLCertificateKeyFile "/etc/certificates/private.key"  
SSLCertificateChainFile "/etc/certificates/gd_bundle.crt"  
SSLCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:!SSLv2:+EXP:+eNULL"  
< /IfModule >  
< /VirtualHost >

When I restart apache my ssl engine log states:

[info] Init: Configuring server v3.mysite.com:443 for SSL protocol
[warn] Init: (v3.mysite.com:443) RSA server certificate CommonName (CN) `*.mysite.com' does NOT match server name!?

This configuration was working fine for months, and after a restart the server refuses to serve the site over HTTPS. It times out attempting to hit it in Firefox through both the static ip and the DNS outside of the VPN. Any thoughts?

serverAdmin123
  • 230
  • 3
  • 18
  • This warning is normal (and was already there before IMHO). But what happens exactly when you try to connect over https? Does it timeout? – Pascal Thivent Feb 22 '10 at 09:03
  • Yeah, I get a timeout and the following error shows up in the ssl engine log: [error] SSL handshake failed (server v3.mysite.com:443, client 10.200.2.193) (OpenSSL library error follows) [error] OpenSSL: error:14094415:lib(20):func(148):reason(1045) –  Feb 22 '10 at 09:06
  • This is running through the VPN on the local network in an attempt to connect directly to it. Outside of the VPN hitting the actual domain it times out as well. –  Feb 22 '10 at 09:07

2 Answers2

1

"RSA server certificate CommonName (CN) `*.mysite.com' does NOT match server name!? " is a normal warning when using wildcard certificates and it can safely be ignored. That isn't the reason why SSL isn't working. If you don't see any other errors in your logs, make sure that everything is forwarding port 443 properly.

Robert
  • 1,575
  • 7
  • 7
  • So after closer inspection, it seems like SSL has stopped forwarding requests to Tomcat. Still not sure whats going, but I can hit the site fine on its IP on 443 as long as I don't attempt to hit the index page. The following redirect is in the above VirtualHost config and worked fine previously: Redirect permanent /index.html https://v3.mysite.com/app/jsp/login.jsp Seems to hang when it attempts to redirect. Any reason mod_jk would stop working? I don't believe I've run any updates lately. –  Feb 22 '10 at 17:30
0

"RSA server certificate CommonName (CN) `*.mysite.com' does NOT match server name!? "

For "wildcard" certificates (i.e., "*.domain.com") , try changing your virtual host reference from

<VirtualHost (ip address of server):443>
ServerName mysite.com
<VirtualHost>

... to:

<VirtualHost (ip address of server):443>
ServerName *.mysite.com
<VirtualHost>

The point: If it;s a "wildcard" certificate, the virtual server has no 3rd Level Host Name (i.e., it's JUST the "domain.com"), then the domain needs to match the certificate "exactly" -- complete with asterisk (*.domain.com) and all! ;)

quicky
  • 1
  • 1