All fine but Apache error log: certificate does not include an ID which matches server name


#1

Hello!
I have successfully installed a letsencrypt certificate for my Apache webserver on Debian: it was super easy and works great!
The only problem is that I get a warning message in the error.log:

www.mattia.xxx:443:0 server certificate does NOT include an ID which matches the server name

I have tried

$ sudo openssl x509 -in /etc/letsencrypt/live/www.mattia.xxx/cert.pem -noout -subject

and it gives me:

subject= /CN=www.mattia.xxx

My /etc/apache2/apache2.conf at line 2 has:

ServerName www.mattia.xxx

My sites-enabled/default-ssl.conf has (among other things):

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.mattia.xxx
    SSLCertificateFile    /etc/letsencrypt/live/www.mattia.xxx/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.mattia.xxx/privkey.pem
    SSLCertificateChainFile    /etc/letsencrypt/live/www.mattia.xxx/fullchain.pem
    ServerAlias www.mattia.xxx
    ServerAlias mattia.xxx
</VirtualHost>
</IfModule>

I have noticed that the server name in the error log is taken from /etc/apache2/apache2.conf (I have tried changing www.mattia.xxx to mattia.xxx in there and the error log changed accordingly, while changing the ServerName variable in default-ssl.conf had no effect there).

I cannot understand what the problem is. Any help would be appreciated.

Thanks!


#2

Could you perhaps have multiple SSLCertificateFile directives somewhere in your configurations? Check for example with:

grep -Ri SSLCertificateFile /etc/apache2/*


#3

Thank you for the reply. I would say no: all other certificate files are either commented out or only in sites-available (but not enabled):

/etc/apache2/sites-available/default-ssl.conf.dpkg-new:        #   SSLCertificateFile directive is needed.
/etc/apache2/sites-available/default-ssl.conf.dpkg-new:        SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/apache2/sites-available/default-ssl.conf.dpkg-new:        #   the referenced file can be the same as SSLCertificateFile
/etc/apache2/sites-available/default-ssl.conf:    #   SSLCertificateFile directive is needed.
/etc/apache2/sites-available/default-ssl.conf:    SSLCertificateFile    /etc/letsencrypt/live/www.mattia.xxx/cert.pem
/etc/apache2/sites-available/default-ssl.conf:#    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/apache2/sites-available/default-ssl.conf:    #   the referenced file can be the same as SSLCertificateFile
/etc/apache2/sites-available/owncloud:    #   SSLCertificateFile directive is needed.
/etc/apache2/sites-available/owncloud:    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/apache2/sites-available/owncloud:    #   the referenced file can be the same as SSLCertificateFile
/etc/apache2/sites-enabled/default-ssl.conf:    #   SSLCertificateFile directive is needed.
/etc/apache2/sites-enabled/default-ssl.conf:    SSLCertificateFile    /etc/letsencrypt/live/www.mattia.xxx/cert.pem
/etc/apache2/sites-enabled/default-ssl.conf:#    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/apache2/sites-enabled/default-ssl.conf:    #   the referenced file can be the same as SSLCertificateFile

#4

Perhaps some lone ServerName somewhere?


#5

Same thing:

/etc/apache2/apache2.conf:ServerName www.mattia.xxx
/etc/apache2/mods-available/status.conf:    # with the URL of http://servername/server-status
/etc/apache2/mods-available/info.conf:    #  http://servername/server-info (requires that mod_info.c be loaded).
/etc/apache2/mods-enabled/status.conf:    # with the URL of http://servername/server-status
/etc/apache2/sites-available/default-ssl.conf:    ServerName www.mattia.xxx
/etc/apache2/sites-available/000-default.conf.dpkg-new:    # The ServerName directive sets the request scheme, hostname and port that
/etc/apache2/sites-available/000-default.conf.dpkg-new:    # redirection URLs. In the context of virtual hosts, the ServerName
/etc/apache2/sites-available/000-default.conf.dpkg-new:    #ServerName www.example.com
/etc/apache2/sites-enabled/default-ssl.conf:    ServerName www.mattia.xxx

Could it have to do with /etc/hosts:

127.0.0.1    localhost
127.0.1.1    okovita mattia.xxx
# The following lines are desirable for IPv6 capable hosts
[...]

or /etc/hostname:

okovita
mattia.xxx

I don’t think so but…
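
A way to check every name a vhost claims against the IDs in its certificate, including subjectAltName entries, which the `-subject` output earlier in the thread does not show. This is an added example, not part of the original posts: the function names, the `example.test` names and the sample files are constructed for illustration, and `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: compare the names a vhost claims with the IDs in its certificate.

# Names from ServerName/ServerAlias lines (comments skipped, scheme and port stripped).
vhost_names() {
    awk 'tolower($1) ~ /^server(name|alias)$/ { for (i = 2; i <= NF; i++) print $i }' "$1" |
        sed -e 's#^[A-Za-z]*://##' -e 's#:[0-9]*$##' | sort -u
}

# True if the certificate has an ID (subjectAltName dNSName, else subject CN)
# matching the host. -checkhost reports its verdict in the output text,
# so the text is what gets tested here.
cert_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# Print each vhost name the certificate does not cover (no output = all covered).
# Usage: uncovered_names CERT.pem VHOST.conf
uncovered_names() {
    vhost_names "$2" | while read -r name; do
        cert_matches "$1" "$name" || printf '%s\n' "$name"
    done
}

# Constructed sample: a throwaway self-signed certificate valid only for
# www.example.test, and a vhost that also claims the bare domain.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=www.example.test' \
        -addext 'subjectAltName=DNS:www.example.test' \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null || return 1
    cat > "$1/vhost.conf" <<'EOF'
<VirtualHost *:443>
    ServerName www.example.test
    #ServerName commented.example.test
    ServerAlias example.test
</VirtualHost>
EOF
}

tmp=$(mktemp -d) && make_sample "$tmp" &&
    uncovered_names "$tmp/cert.pem" "$tmp/vhost.conf"   # prints: example.test
```

On a real server the two arguments would be the file named by SSLCertificateFile and the enabled vhost file; any name printed is one a client would get a hostname mismatch for.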

