33

I recently started a LAMP server (all the latest versions) w/ WordPress on it, and I'm trying to install an SSL certificate that I recently purchased. When I restart apachectl, error_log gives me this:

[Tue Feb 25 01:07:14.744222 2014] [mpm_prefork:notice] [pid 1744] AH00169: caught SIGTERM, shutting down
[Tue Feb 25 01:07:17.135704 2014] [suexec:notice] [pid 1765] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Feb 25 01:07:17.217424 2014] [auth_digest:notice] [pid 1766] AH01757: generating secret for digest authentication ...
[Tue Feb 25 01:07:17.218686 2014] [lbmethod_heartbeat:notice] [pid 1766] AH02282: No slotmem from mod_heartmonitor
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib64/php/5.5/modules/mysql.so' - /usr/lib64/php/5.5/modules/mysql.so: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib64/php/5.5/modules/mysqli.so' - /usr/lib64/php/5.5/modules/mysqli.so: cannot open shared object file: No such file or directory in Unknown on line 0
[Tue Feb 25 01:07:17.305292 2014] [mpm_prefork:notice] [pid 1766] AH00163: Apache/2.4.6 (Amazon) OpenSSL/1.0.1e-fips PHP/5.5.7 configured -- resuming normal operations
[Tue Feb 25 01:07:17.305378 2014] [core:notice] [pid 1766] AH00094: Command line: '/usr/sbin/httpd'

While ssl_error_log gives me this:

[Tue Feb 25 00:57:15.802287 2014] [ssl:warn] [pid 1705] AH01909: RSA certificate configured for ec2-XX-XXX-XXX-XX.compute-1.amazonaws.com:443 does NOT include an ID which matches the server name
[Tue Feb 25 00:57:15.899327 2014] [ssl:warn] [pid 1706] AH01909: RSA certificate configured for ec2-XX-XXX-XXX-XX.compute-1.amazonaws.com:443 does NOT include an ID which matches the server name

I changed "ServerName" in ssl.conf to my server's name (dcturano.com) and restarted apachectl, yet this error occurs. Any ideas why?

As an aside, I haven't set the CommonName of the server, could that be the issue?

eclipsis
  • 433
  • 1
  • 4
  • 9

6 Answers

50
openssl x509 -in server.crt -noout -subject

should return the CN of the certificate. That's the name you have to use in the ServerName directive and to connect to.

quadruplebucky
  • 5,139
  • 20
  • 23
  • # openssl x509 -in server.crt -noout -subject Error opening Certificate server.crt 140451499632288:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('server.crt','r') 140451499632288:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400: unable to load certificate – jmituzas Jun 08 '14 at 22:26
  • 1
    @jmituzas, you should change `server.crt` in `openssl x509 -in server.crt -noout -subject` to your server.crt placement – avivmg Mar 07 '15 at 15:29
  • 5
    Practically all public CAs nowadays issue certs with the **SubjectAlternativeName** extension, and you can use any or all of the names in that extension (or any name matching a wildcard). OpenSSL doesn't display SAN in isolation, but you can do something like `openssl x509 -in cert -text | grep -A1 "Subject Alternative Name"` – dave_thompson_085 Nov 13 '15 at 00:01
  • 1
    Also, make sure you add the ServerName directive and not just set the address of the virtual host (which turned out to be the problem in my case). – hugovdberg Oct 27 '16 at 16:29
  • That did the trick. Copied CN value `localhost` from output of `sudo openssl x509 -in /etc/ssl/certs/server.crt -noout -subject` as `ServerName localhost` in `sudo nano /etc/httpd/conf.d/ssl.conf`. I'm using centos 7 in vagrant. – Damodar Bashyal Sep 05 '18 at 01:45
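The check in the accepted answer, as an added example that is not part of the original answer or of Apache/OpenSSL: a small Python script that parses what `openssl x509 -in server.crt -noout -subject -ext subjectAltName` prints (the `-ext` option needs OpenSSL 1.1.1 or later; with the 1.0.1e in the asker's log, use `-text | grep -A1 "Subject Alternative Name"` as dave_thompson_085 suggests) and tests a candidate ServerName against the certificate's names the way a TLS client does (RFC 6125): DNS SANs take precedence over the CN when present, and a wildcard matches exactly one leftmost label. The certificate text, the hostnames and the function names are constructed for this example and are not from the page.

```python
import re

# Constructed sample of openssl's output for a hypothetical certificate
# (not the asker's real cert). Both the "subject=C = US, ..." form of
# OpenSSL 1.1+ and the older "subject= /C=US/CN=..." form are handled below.
SAMPLE_OPENSSL_OUTPUT = """\
subject=C = US, O = Example Hosting, CN = dcturano.com
X509v3 Subject Alternative Name:
    DNS:dcturano.com, DNS:www.dcturano.com, DNS:*.static.dcturano.com
"""


def parse_cert_names(text):
    """Extract the subject CN and the DNS SAN entries from openssl text output.

    Returns {"cn": str or None, "sans": [str, ...]}.
    """
    cn = None
    m = re.search(r"^subject=.*?\bCN\s*=\s*([^,/\n]+)", text, re.MULTILINE)
    if m:
        cn = m.group(1).strip()
    sans = re.findall(r"DNS:([^,\s]+)", text)
    return {"cn": cn, "sans": sans}


def _name_matches(pattern, hostname):
    """Case-insensitive match of one certificate name against a hostname.

    A wildcard is honoured only as the whole leftmost label ("*.example.com")
    and covers exactly one label: it matches "a.example.com" but neither
    "example.com" nor "a.b.example.com".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost and "*" not in leftmost


def cert_matches_servername(names, servername):
    """True when the ServerName is covered by the certificate.

    If the certificate carries DNS SANs, only those count; the CN is used
    only as a fallback for legacy certificates that have no SAN extension.
    """
    candidates = names["sans"] or ([names["cn"]] if names["cn"] else [])
    return any(_name_matches(c, servername) for c in candidates)


def check(text, servername):
    """Return (ok, list_of_names_in_cert) for a ServerName candidate."""
    names = parse_cert_names(text)
    covered = names["sans"] or ([names["cn"]] if names["cn"] else [])
    return cert_matches_servername(names, servername), covered


if __name__ == "__main__":
    # The asker's situation: the vhost still used the EC2 hostname while the
    # purchased certificate only names dcturano.com, hence AH01909.
    for candidate in ("ec2-XX-XXX-XXX-XX.compute-1.amazonaws.com",
                      "dcturano.com", "www.dcturano.com",
                      "img.static.dcturano.com", "static.dcturano.com"):
        ok, covered = check(SAMPLE_OPENSSL_OUTPUT, candidate)
        verdict = "OK" if ok else "does NOT match (expect AH01909)"
        print(f"ServerName {candidate}: {verdict}; cert names: {covered}")
```

Run it against your own certificate by piping the openssl output into `check()`; the candidate that prints OK is the value to put in `ServerName` (and, as hugovdberg notes, the directive itself must be present inside the `*:443` virtual host, not only the address). mod_ssl logs AH01909 but still starts, so the warning is easy to miss until a browser rejects the hostname.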
2

I had the same issue but it was because of another reason. I post it here for future googlers:

on my apache2 config file, instead of having <VirtualHost *:443>, I had <VirtualHost *:80>. As soon as I fixed that, the site was back up and running.

AliBZ
  • 253
  • 1
  • 2
  • 10
1

Alternatively, if, like me, you aren't even using ssl, you will still get this error message because using ssl is turned on by default. In that case, turn it off! Here's an excerpt from config.d/ssl.conf:

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
#SSLEngine on
SSLEngine off
Richard T
  • 1,206
  • 12
  • 29
  • 9
    I rated your answer down because the question explicitly states he bought a certificate. I don't usually buy things I don't intend to use. – hugovdberg Oct 27 '16 at 16:26
1

I triggered this issue through my /etc/hosts file.

I had a virtualhost, let's call it www.effinwhatever.com

The server's hostname was www2.

I added a line to my /etc/hosts so I could curl stuff against the virtual host:

192.168.1.200         www.effinwhatever.com

As soon as I removed that line from my /etc/hosts, my Apache server started serving up normally again (with a restart of the service). Weird.

It may also be relevant that my SSL cert is for a wildcard domain.

James T Snell
  • 463
  • 2
  • 11
0

I had the same AH01909: RSA certificate error. In my case, I had the correct ServerName value.

The cause of the error was an incorrect IP address in the <VirtualHost 10.11.12.13:443> definition for the secure site. I had mistyped it!

Drew
  • 109
  • 2
-1

Be sure your ServerName is exactly the same as the output of openssl x509 -in server.crt -noout -subject. If there is a www, ServerName also needs one. If not, ServerName must drop the www.

ekse
  • 1