
I get an error when trying to set up a subdomain with SSL.

I think it's because the ServerName isn't typed correctly (with the 'ø') in the vhost?

I have just moved from a web hosting solution to a dedicated server. Before migrating to the new server, SSL worked on the subdomain, but I don't know how the vhost was set up on the web-hosted server! Probably not like this? (If the vhost even is the problem?)

Domain

secure.online-økonomi.dk

vhost

<VirtualHost _default_:443>
    ServerName secure.xn--online-konomi-hnb.dk
    DocumentRoot /var/www/online-okonomi.dk

    SSLEngine on
    SSLCertificateFile /var/ini/ssl/secure.xn--online-konomi-hnb.dk/public.crt
    SSLCertificateKeyFile /var/ini/ssl/secure.xn--online-konomi-hnb.dk/private.key
    SSLCACertificateFile /var/ini/ssl/secure.xn--online-konomi-hnb.dk/intermediate.crt
    SSLVerifyDepth 1
    SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
</VirtualHost>

Error

[Fri May 27 09:46:38 2011] [warn] RSA server certificate CommonName (CN) `secure.online-\xc3\xb8konomi.dk' does NOT match server name!?
[Fri May 27 09:46:38 2011] [error] Unable to configure RSA server private key
[Fri May 27 09:46:38 2011] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
clarkk
  • Looks like a difference in the Apache or SSL library software used on the webhosting service and on your dedicated server. Maybe the hosting service provided newer or patched Apache or openssl? – Jacek Konieczny May 27 '11 at 12:24
  • When you purchased the cert, did you give the CA the domain in puny code or did you actually use æøå in your request? – Frands Hansen May 28 '11 at 11:33
  • I gave them the "real" address with æøå... but it was working on the previous webhost server – clarkk May 28 '11 at 11:57

2 Answers

The warning about the host name mismatch is probably not the actual issue - Apache should warn about a mismatching name (which there definitely is, even without character set translation issues), but that should not cause a complete failure of starting the SSL vhost.

The error about the mismatching public/private certificates is the concern. Check the certificate files for validity, and make sure they match:

openssl x509 -noout -text -in /var/ini/ssl/secure.xn--online-konomi-hnb.dk/public.crt
openssl rsa -noout -text -in /var/ini/ssl/secure.xn--online-konomi-hnb.dk/private.key
Shane Madden
  • after running the syntax for each file, how can I then check if they match? – clarkk May 28 '11 at 12:02
  • Compare the "modulus" field of the output from the two commands, it should be identical. – Shane Madden May 28 '11 at 17:54
  • ok.. they don't match.. maybe the files are not saved correctly? I have received all three keys/certs as text in an email.. have copied the text into .txt files and then renamed the file extensions – clarkk May 28 '11 at 18:08
  • Maybe check if the intermediate cert and the server cert got mixed up by checking the modulus on that one? – Shane Madden May 28 '11 at 18:10
  • what does the syntax for that one look like? – clarkk May 28 '11 at 19:09
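The check the answer describes (compare the modulus of the key with the modulus of each certificate, and look at the CN so a server cert and intermediate that were pasted into the wrong files are easy to spot), written out as an added example that is not part of the original answer. It assumes the openssl command-line tool is on PATH and that the private key is an unencrypted RSA key. The two key/certificate pairs it works on are generated on the fly as constructed fixtures carrying the punycode host name from the vhost; on the real server you would point the functions at /var/ini/ssl/secure.xn--online-konomi-hnb.dk/private.key, public.crt and intermediate.crt instead.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a private key belongs
# to a certificate by comparing the RSA modulus, and print each cert's CN so a
# swapped server/intermediate file is obvious.
# Assumes the openssl CLI is on PATH and the key is an unencrypted RSA key
# (an encrypted key would prompt for a passphrase; an EC key has no modulus).
set -eu

# RSA modulus of a certificate, printed as "Modulus=<hex>".
cert_modulus() {
    openssl x509 -noout -modulus -in "$1"
}

# RSA modulus of a private key, same format, so the two strings compare directly.
key_modulus() {
    openssl rsa -noout -modulus -in "$1"
}

# Exit status 0 when key and cert carry the same modulus, 1 otherwise.
key_matches_cert() {
    [ "$(key_modulus "$1")" = "$(cert_modulus "$2")" ]
}

# Subject CN of a certificate; handles both "CN = x" and "/CN=x" subject layouts
# printed by different OpenSSL versions.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# One-line verdict for a key/cert pair.
check_pair() {
    if key_matches_cert "$1" "$2"; then
        echo "MATCH    key=$1 cert=$2 CN=$(cert_cn "$2")"
    else
        echo "MISMATCH key=$1 cert=$2 CN=$(cert_cn "$2")"
    fi
}

# Constructed fixtures: two fresh self-signed pairs with the punycode host name
# from the vhost, so a.key matches a.crt but not b.crt. The real files from the
# post live under /var/ini/ssl/secure.xn--online-konomi-hnb.dk/.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
for name in a b; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=secure.xn--online-konomi-hnb.dk" \
        -keyout "$DEMO_DIR/$name.key" -out "$DEMO_DIR/$name.crt" 2>/dev/null
done

check_pair "$DEMO_DIR/a.key" "$DEMO_DIR/a.crt"
check_pair "$DEMO_DIR/a.key" "$DEMO_DIR/b.crt"
```

Run it against the real files by calling check_pair with private.key and public.crt, then with private.key and intermediate.crt: if the key matches intermediate.crt rather than public.crt, the two certificates were swapped when they were copied out of the email, which is exactly the "key values mismatch" error in the log.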

It's a known problem in the world of DNS that resolving the Danish letters 'æ' 'ø' 'å' is highly problematic. To me it seems like it cannot resolve the CN containing the 'ø'. I suggest that you get a new domain, replacing the Danish letters with their English equivalents: 'ae' = æ, 'oe' = ø, 'aa' = å

Anything else will keep giving you lots of trouble over and over again.

However, I have one other suggestion, though I'm not sure how to do it. Try to see if you can change the record a bit: "[Fri May 27 09:46:38 2011] [warn] RSA server certificate CommonName (CN) `secure.online-\xc3\xb8konomi.dk'" to "[Fri May 27 09:46:38 2011] [warn] RSA server certificate CommonName (CN) `secure.online-\xc3\konomi.dk'" or "[Fri May 27 09:46:38 2011] [warn] RSA server certificate CommonName (CN) `secure.online-\xc3\okonomi.dk'"

deanihansen
  • It has worked.. I have just moved from webhosting to a dedicated server.. It worked before but I can't make it work now.. – clarkk May 27 '11 at 09:08
  • but I don't know how my provider had set up the vhost!? – clarkk May 27 '11 at 09:09
  • The problem is not about DNS or 'resolving' a name, but about using international domain names with SSL-protected Apache vhosts. Suggesting to stop using IDN doesn't seem like an answer to a question about specific IDN problem. -1 – Jacek Konieczny May 27 '11 at 12:22