Apache httpd conf file configuration mismatch

Question

I have been facing a weird problem since last 3 days; I have done what was all required for me to do before posting my question here.

My httpd.conf looks like below:

NameVirtualHost *:443
Listen *:443
<VirtualHost server1.example.com:443>
ServerName server1
#ServerName server1.example.com
SSSLEngine on
</VirtualHost>

SSL applied on server1.example.com, however after everything when we go to the website it only works on ServerName server1, not on ServerName server1.example.com. We dont have server1 in any of the configuration and network file.

So when we do this https://server1.example.com/xyz/ --- it works with ServerName server1 but does not work with ServerName server1.example.com.

Where is the problem here; I am not getting it. /etc/hosts, /etc/sysconfig/network, nowhere we have server1; even in the DNS too.

Please suggest.

This is what we get in Error Log:

[Thu Nov 24 11:40:14 2016] [warn] RSA server certificate CommonName (CN) `server1.example.com' does NOT match server name!?
[Thu Nov 24 11:40:14 2016] [notice] Digest: generating secret for digest authentication ...
[Thu Nov 24 11:40:14 2016] [notice] Digest: done
[Thu Nov 24 11:40:14 2016] [notice] SSL FIPS mode disabled
[Thu Nov 24 11:40:14 2016] [warn] RSA server certificate CommonName (CN) `server1.example.com' does NOT match server name!?
[Thu Nov 24 11:40:14 2016] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Thu Nov 24 11:49:47 2016] [notice] caught SIGTERM, shutting down
[Thu Nov 24 11:49:47 2016] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Nov 24 11:49:47 2016] [notice] SSL FIPS mode disabled
[Thu Nov 24 11:49:47 2016] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Nov 24 11:49:47 2016] [warn] RSA server certificate CommonName (CN) `server1' does NOT match server name!?
[Thu Nov 24 11:49:47 2016] [notice] Digest: generating secret for digest authentication ...
[Thu Nov 24 11:49:47 2016] [notice] Digest: done
[Thu Nov 24 11:49:47 2016] [notice] SSL FIPS mode disabled
[Thu Nov 24 11:49:47 2016] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Nov 24 11:49:47 2016] [warn] RSA server certificate CommonName (CN) `server1' does NOT match server name!?
[Thu Nov 24 11:49:47 2016] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Thu Nov 24 11:55:19 2016] [notice] caught SIGTERM, shutting down
[Thu Nov 24 11:55:20 2016] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Nov 24 11:55:20 2016] [notice] SSL FIPS mode disabled
[Thu Nov 24 11:55:20 2016] [warn] RSA server certificate CommonName (CN) `server1.example.com' does NOT match server name!?
[Thu Nov 24 11:55:20 2016] [notice] Digest: generating secret for digest authentication ...
[Thu Nov 24 11:55:20 2016] [notice] Digest: done
[Thu Nov 24 11:55:20 2016] [notice] SSL FIPS mode disabled
[Thu Nov 24 11:55:20 2016] [warn] RSA server certificate CommonName (CN) `server1.example.com' does NOT match server name!?
[Thu Nov 24 11:55:20 2016] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations

Sven · Answer 1 · 2016-11-22T19:04:40.423

5

Try

<VirtualHost *:443>
ServerName server1.example.com
ServerAlias server1
SSLEngine on
</VirtualHost>

You want the wildcard in the VirtualHost statement to turn off IP based vhost mapping. http://httpd.apache.org/docs/2.4/vhosts/name-based.html

Note the fixed line (SSLEngine instead of SSSLEngine).

edited Nov 22 '16 at 19:04

answered Nov 22 '16 at 13:20

Sven

98,649
14
180
226

1

Isn't it SSLEngine instead of SSSLEngine? – Yamakaja Nov 22 '16 at 16:07
Nice catch @Yamakaja. How come never got an error while starting httpd services? Or I might have made a mistake while putting a question here. – Gaurav Bhaskar Nov 22 '16 at 19:02
Not working as you mentioned. – Gaurav Bhaskar Nov 23 '16 at 07:55
@GunnyKC: Please add log file entries and other useful info to your question (with the edit button). – Sven Nov 23 '16 at 13:13
Done @Sven, added the error logs, its not working somehow. – Gaurav Bhaskar Nov 24 '16 at 09:12
The server name doesn't match any name defined in the certificate. You need a new cert that also includes `server1.example.com` – Sven Nov 24 '16 at 09:20
I really dont understand why this is happening...i checked this error before and double checked again for what value certificate was ordered and found it was for server1.example.com. – Gaurav Bhaskar Nov 24 '16 at 11:29

score 1 · Answer 2 · answered Nov 22 '16 at 13:19

1

ServerName server1.example.com
ServerAlias server1

answered Nov 22 '16 at 13:19

mzhaase

3,798
2
20
32

Does not work.. – Gaurav Bhaskar Nov 23 '16 at 07:59

parkamark · Answer 3 · 2016-11-22T15:46:19.400

1

Try changing your configuration to this:

NameVirtualHost *:443
Listen *:443
<VirtualHost *:443>
ServerName server1.example.com
ServerAlias server1
SSSLEngine on
</VirtualHost>

I tend to avoid using hostnames in the VirtualHost directive. If DNS or any aspect of the hostname lookup process breaks, either on your server, or on DNS servers your server is pointing to/using, and Apache is unable to determine what server1.example.com resolves to at initial start up, it will not load the virtual host configuration.

Secondly, ServerName is the string presented in error pages (404 not found, 500 internal error etc) and the "primary name" for your website, so I tend to use the fully qualified hostname for ServerName. If I then need the site to be accessed by further names, I add these (one or more) using the ServerAlias directive (you can either have multiple lines of ServerAlias or give more than one name per ServerAlias line).

But since this is SSL, I highly suspect you will find there is a certificate mismatch occurring when accessing via just server1, though this should still work if you ignore browser security warnings.

edited Nov 22 '16 at 15:46

answered Nov 22 '16 at 13:28

parkamark

1,128
7
11

Sure. Thanks. I will check it tomorrow and update you. – Gaurav Bhaskar Nov 22 '16 at 15:49
Its not working this way. – Gaurav Bhaskar Nov 23 '16 at 07:55
This one only works: Listen server1.example.com:443 ServerName server1 SSLEngine on – Gaurav Bhaskar Nov 23 '16 at 07:57
If you replace server1.example.com with the IP address instead, it should still work, both on the Listen directive and the VirtualHost one. Then try using ServerName as server1.example.com – parkamark Nov 23 '16 at 10:08
it works but page does not look good, and bar does not become green @parkamark. – Gaurav Bhaskar Nov 24 '16 at 09:13

Apache httpd conf file configuration mismatch

3 Answers3