RSA server certificate CommonName (CN) `example.com' does NOT match server name!?


#1

dear,

I generated my certs (certonly) on an SNI server, manually created the virtualhost and activated it, but on Apache reload I got the following warning:

RSA server certificate CommonName (CN) `example.com’ does NOT match server name!?

After checking, I noticed the ServerName defined in the virtualhost was: www.example.com.

<Virtualhost xx.xx.xx.xx::80>
	[…]
	ServerName www.example.com

This configuration has been copied from Virtualhost xx.xx.xx.xx:80

Can I / should I ignore it?
Should I change my ServerName or change my certs?

Information

  • Apache 2.2
  • Multidomain
  • 1 ip
  • 1 webroot
  • SNI

Previous posts
https://community.letsencrypt.org/t/installation-on-compiled-apache-version/?source_topic_id=27597
https://community.letsencrypt.org/t/multiple-domain-1-ip-1-webroot/?source_topic_id=27597
https://community.letsencrypt.org/t/renew-certificat/?source_topic_id=27597
https://community.letsencrypt.org/t/configuration-apache-server-sni/?source_topic_id=27597


CN doesn't match to serverName
#2

Just change ServerName to the domain name specified in your certificate and restart Apache.


#3

Do you mean change ServerName to

<Virtualhost xx.xx.xx.xx::80>
	[…]
	ServerName example.com

instead of

[…] ServerName www.example.com

?


#4

No, your Vhost is configured as follows … where 1.2.3.4 is your IP address … where “yourdomainname.com” is the domain name and subdomains you requested on your certificate.

<Virtualhost 1.2.3.4:433>
	[…]
	ServerName yourdomainname.com
        ServerAlias www.yourdomainname.com

Otherwise, to listen on all IPs

<Virtualhost *:443>
	[…]
	ServerName yourdomainname.com
        ServerAlias www.yourdomainname.com

Also note you are editing the Port 80 configuration … you need to make a Vhost using *:443
See below for a sample configuration of an SSL host on Apache:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    DocumentRoot /var/www/mysite/
    ServerName mysite.com
    ServerAlias www.mysite.com
    ErrorLog ${APACHE_LOG_DIR}/mysite-error.log
    # CustomLog needs a log format (or nickname) after the file name
    CustomLog ${APACHE_LOG_DIR}/mysite-access.log combined
    <Directory "/var/www/mysite/">
        Options +Includes
        Options +FollowSymLinks -Indexes
        # ....... OTHER STUFF HERE
    </Directory>
    SSLCertificateFile /etc/letsencrypt/live/mysite.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mysite.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/mysite.com/chain.pem
</VirtualHost>
</IfModule>
# Port 80 vhost: redirects all plain-HTTP traffic to HTTPS
<VirtualHost *:80>
    ServerName mysite.com
    ServerAlias www.mysite.com
    ErrorLog ${APACHE_LOG_DIR}/mysite-error.log
    CustomLog ${APACHE_LOG_DIR}/mysite-access.log combined
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteCond %{HTTP_HOST} ^(?:www\.)?(.*)$ [NC]
    RewriteRule (.*) https://mysite.com%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

#5

No, in fact my vhosts are configured as follows

<Virtualhost 1.2.3.4:80>
	[…]
	ServerName www.yourdomainname.com
	ServerAlias *.yourdomainname.com yourdomainname.com
</VirtualHost>
<Virtualhost 1.2.3.4:80>
	[…]
	ServerName www.yourdomainname.com
	ServerAlias *.yourdomainname.com yourdomainname.com
</VirtualHost>

and

<Virtualhost 1.2.3.4:433>
	[…]
	ServerName www.yourdomainname.com
	ServerAlias *.yourdomainname.com yourdomainname.com
</VirtualHost>
<Virtualhost 1.2.3.4:433>
	[…]
	ServerName www.yourdomainname2.com
	ServerAlias *.yourdomainname2.com yourdomainname2.com
</VirtualHost>

And when I check the Apache doc it seems to be
https://httpd.apache.org/docs/2.2/fr/vhosts/name-based.html

ServerName www.domain.tld
ServerAlias domain.tld *.domain.tld

https://httpd.apache.org/docs/2.2/fr/mod/core.html#servername


#6

You need to follow my example, your port 443 host config comes first, then your port 80 config which simply does a redirect of all port 80 traffic to port 443.

As for ServerName

If you want to go to your site without www then

ServerName yourdomain.com
ServerAlias www.yourdomain.com somethingelse.yourdomain.com domain2.com domain3.com

If you want people to go to your site using www then

ServerName www.yourdomain.com
ServerAlias yourdomain.com somethingelse.yourdomain.com domain2.com domain3.com

You can have as many aliases as you like, but only one ServerName.


#7

OK, but that’s my problem and my question.
If I define
ServerName www.yourdomain.com

I get my warning
RSA server certificate CommonName (CN) `yourdomain.com' does NOT match server name!?

and I'm not even sure the problem doesn't come from the SNI configuration


#8

It would be easier to work with your real domain name, so we can check and see exactly what is going on.

Is the certificate you are seeing related to a different domain on your server? Or just missing the www, so it matches your domain without the www?


#9

When I check the certificate with the
"Calomel SSL Validation" extension
or the
"ssleuth" extension,
both of them tell me my certificates are correct.

The warning only comes in Apache’s error_log

yourdomain1_error_log
RSA server certificate CommonName (CN) `yourdomain1.com' does NOT match server name!?

yourdomain2_error_log
RSA server certificate CommonName (CN) `yourdomain2.com' does NOT match server name!?

yourdomain3_error_log
RSA server certificate CommonName (CN) `yourdomain3.com' does NOT match server name!?

So it seems the correct certificates are served,
but it doesn’t match due to the missing “www” defined in ServerName
OR
Apache doesn’t check CommonName against the ServerName defined by the vhost, but the one defined for the server (/etc/host/ or

But if I do a test on yourdomain1.com/debug.php
<?php print($_SERVER['SERVER_NAME']);
I get -> www.yourdomain1.com


#10

As above, without your real names I find it very difficult to understand and determine the issues. The domain name is public information anyway :wink: If you want to PM the config file then you can though.


#11

About the real domain name, the thing is that I only test during the night until everything is OK.

So now the server isn't even listening on 443, so you couldn’t check anything.


#12

I could check what’s actually written in the files :slight_smile:


#13

Thanks, I just sent it by PM


#14

This is the correct reason looking at the files.

You have a certificate with CN=yourdomain1.com and SANs of www.yourdomain1.com but your ServerName=www.yourdomain1.com

Remove the www from ServerName and it should resolve your issue.
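
An added example, not part of the original thread and not code from Apache or Certbot: it reproduces the comparison post #14 describes, flagging a vhost whose ServerName differs from the certificate's CN, and separately lists configured names the SAN list does not cover (those are the ones a client would reject). The function names, the simplified wildcard matching and the certificate names are assumptions constructed to mirror posts #14 and #16.

```python
import re
from fnmatch import fnmatchcase

def parse_vhosts(conf):
    """Return (address, ServerName, [ServerAlias names]) per <VirtualHost> block."""
    blocks = re.findall(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf, re.I | re.S)
    vhosts = []
    for addr, body in blocks:
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.I | re.M)
        alias_lines = re.findall(r"^\s*ServerAlias\s+(.+)$", body, re.I | re.M)
        aliases = [a for line in alias_lines for a in line.split()]
        vhosts.append((addr.strip(), name.group(1) if name else None, aliases))
    return vhosts

def matches(cert_name, host):
    """Case-insensitive compare; a '*' in the certificate name covers one label.
    Simplified wildcard handling (an assumption), enough for this audit."""
    p, h = cert_name.lower(), host.lower()
    if "*" not in p:
        return p == h
    return p.count(".") == h.count(".") and fnmatchcase(h, p)

def audit(conf, cn, sans):
    """Per vhost: would a CN-vs-ServerName check warn, and which configured
    names are absent from the certificate's SAN list?"""
    report = []
    for addr, server_name, aliases in parse_vhosts(conf):
        cn_ok = server_name is not None and matches(cn, server_name)
        names = [n for n in [server_name] + aliases if n]
        missing = [n for n in names if not any(matches(s, n) for s in sans)]
        report.append({"vhost": addr, "server_name": server_name,
                       "log_warning": not cn_ok, "names_not_in_san": missing})
    return report

# Constructed inputs: the two vhost variants from post #16, and certificate
# names shaped like the ones post #14 reports (CN without www, SAN with www).
CN = "yourdomainname2.com"
SANS = ["yourdomainname2.com", "www.yourdomainname2.com"]
BEFORE = """<VirtualHost 1.2.3.4:443>
    ServerName www.yourdomainname2.com
    ServerAlias *.yourdomainname2.com yourdomainname2.com
</VirtualHost>"""
AFTER = """<VirtualHost 1.2.3.4:443>
    ServerName yourdomainname2.com
    ServerAlias www.yourdomainname2.com
</VirtualHost>"""

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(conf, CN, SANS))
```

The "before" vhost triggers the log warning even though every non-wildcard name is in the SAN list, which is why the browser extensions in post #9 reported the certificate as correct.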


#15

thanks @serverco :slight_smile:
So I change

by

and same on :80

Do you think it could have any impact on SEO?


#16

It will have no effect on SEO, no.

As for the changes, not quite - no

change

<Virtualhost 1.2.3.4:443>
[…]
ServerName www.yourdomainname2.com
ServerAlias *.yourdomainname2.com yourdomainname2.com
</VirtualHost>

to

<Virtualhost 1.2.3.4:443>
[…]
ServerName yourdomainname2.com
ServerAlias www.yourdomainname2.com
</VirtualHost>

I’m assuming since the certificate is only valid for the domain and www.domain then there are no “wildcard” subdomains.


#17

Is the HTTPS virtual host using port 443 (HTTPS) or port 433 (registered for a different protocol)?


#18

It’s actually 443 - the 433 is a typo (another good reason why I asked, and resolved the issue using the real files :wink: )

