I've purchased a TLS certificate from godaddy for a domain (say somebeta.com - actual is different). The DNS points to an AWS EC2 Linux server which I operate. The httpd web server on this EC2 serves the REST API requests.

I've installed the certificate on the AWS EC2 server which points to beta.com, and at no place in httpd.conf or ssl.conf have I specified the ServerName directive. Everything works nicely, https://somebeta.com works, the green colour appears, all is good.

Now I create a new subdomain routing on godaddy DNS, by pointing alpha.something.beta to another EC2 instance. When I install this certificate on the other EC2 server, I get the following in ssl_error_logs:

ip-<Some IP>.ap-south-1.compute.internal:443:0 server certificate does NOT include an ID which matches the server name

I looked on SO, and found that the hostname of the machine should match the CN in the certificate. If it does not, then SSL/TLS would fail (I believe mod_ssl checks and fails this).

My question is, I've not set the hostname of the actual somebeta.com EC2 server, but still the SSL/TLS works great. How is it happening? Does mod_ssl do some intelligence to figure that the localhost is actually pointing to somebeta.com (by doing DNS/etc) and that's why it works?

Please don't close the question too early, I understand the working of SSL/TLS in its entirety, I just need to know how the thing is being validated by mod_ssl in httpd. Does the absence or presence of ServerName directive matter always, or only sometimes?

Ouroboros
  • Not specifying the `ServerName` directive means that your server is going to serve up its default configuration (and the default TLS content/cert you've configured) for every request. Not really a problem unless you actually want to serve multiple domains from the same server. The client that connects to your server does hostname verification (that your site's cert matches the domain it connected to). There's no magic that `mod_ssl` is doing here. – wkl Sep 07 '17 at 07:25
  • Client does the hostname verification - does it rely on DNS mapping to do that? Also, I've read that multiple servers could use internally (after a reverse proxy) the same certificate. For that to work, each of the servers has to have the same hostname. Shouldn't the proxy (which acts as a kind of client) in such a case report the same error? Does it work there because we have set the ServerName directive? – Ouroboros Sep 07 '17 at 07:45
  • Could it be that the certificate CN (as described in the use case in the previous comment) is a wildcard *.somename.com, and that each internal server could have a hostname like one.somename.com, two.somename.com, etc.? Is it possible to have the same hostname on multiple servers? How is this generally handled at big organisations? – Ouroboros Sep 07 '17 at 07:49
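The check the comments describe is the client comparing the hostname it connected to against the identities in the certificate; the same comparison is what produces the "does NOT include an ID which matches the server name" line when the certificate is installed on a host whose name it does not cover. The added example below is not from the question or from httpd: it implements that matching rule on a constructed certificate dict in the shape `ssl.SSLSocket.getpeercert()` returns (dNSName SANs take precedence over the CN, a wildcard is honoured only as the whole leftmost label and matches exactly one label, comparison is case-insensitive), and exercises the somebeta.com and wildcard cases from the thread.

```python
"""Client-side hostname verification against a certificate (added example, constructed data)."""


def _match_dns(pattern: str, hostname: str) -> bool:
    """Match one dNSName identity (possibly a wildcard) against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # A wildcard is only accepted as the entire leftmost label and must leave
    # at least two more labels (so "*.com" is not a valid identity).
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # One wildcard covers exactly one label: "*.somename.com" matches
    # one.somename.com but neither somename.com nor a.b.somename.com.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def names_in_cert(cert: dict) -> list:
    """Identities a client considers: SAN dNSNames if present, else the CN only."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans  # when a SAN extension exists the CN is ignored entirely
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the certificate covers the name the client connected to."""
    return any(_match_dns(name, hostname) for name in names_in_cert(cert))


# Constructed certificates (not real ones), in getpeercert() layout.
SOMEBETA_CERT = {
    "subject": ((("commonName", "somebeta.com"),),),
    "subjectAltName": (("DNS", "somebeta.com"), ("DNS", "www.somebeta.com")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.somename.com"),),),
    "subjectAltName": (("DNS", "*.somename.com"),),
}
CN_ONLY_CERT = {"subject": ((("commonName", "somebeta.com"),),)}

if __name__ == "__main__":
    # The certificate from the question is fine on somebeta.com but does not
    # cover a second host answering as alpha.somebeta.com.
    print(hostname_matches(SOMEBETA_CERT, "somebeta.com"))        # True
    print(hostname_matches(SOMEBETA_CERT, "alpha.somebeta.com"))  # False
    print(hostname_matches(WILDCARD_CERT, "one.somename.com"))    # True
```

Modern browsers require the SAN extension and no longer fall back to the CN, so the CN-only branch here is the legacy behaviour; the ServerName directive plays no part in what the client checks.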

0 Answers