Server certificate does NOT include an ID which matches the server name

Whenever I do a graceful restart, an ssl:warn message gets put in my error log that reads:
server certificate does NOT include an ID which matches the server name

I checked /etc/apache2/sites-available/000-default-le-ssl.conf and in the VirtualHost part, it has:

ServerName videochums.com
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias www.videochums.com
SSLCertificateFile /etc/letsencrypt/live/videochums.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/videochums.com/privkey.pem

And when I examine my certificate in Firefox, it says:

Subject Name

Common Name videochums.com

Subject Alt Names

DNS Name videochums.com
DNS Name www.videochums.com

I don't understand why that warning comes up - it all seems to line up to me. Am I missing something? How can I resolve this warning? :thinking:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: videochums.com

I ran this command: N/A

It produced this output: N/A

My web server is (include version): Apache/2.4.53

The operating system my web server runs on is (include version): Debian 11.3

My hosting provider, if applicable, is: Google Cloud

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.26.0

Could you please post the entire line of the log file with that message? As far as I know, it should also point to a more specific entry, like an Apache configuration file or something like that.


Go for broke and show the output of:
apachectl -t -D DUMP_VHOSTS

[I'm pretty sure the problem isn't where you are looking]


[Mon Apr 25 18:19:24.751239 2022] [ssl:warn] [pid 547:tid 140576758992192] AH01909: video-chums.us-central1-a.c.video-chums.internal:443:0 server certificate does NOT include an ID which matches the server name
That's the whole line ^

Looks like Apache pulls in the actual hostname of the server in one of the configuration files, probably default-ssl.conf or something similar, which is probably configured with some fake snakeoil certificate. Please show the output of the command suggested by Rudy :slight_smile:

VirtualHost configuration:
*:80                   video-chums.us-central1-a.c.video-chums.internal (/etc/apache2/sites-enabled/000-default.conf:1)
*:443                  is a NameVirtualHost
         default server videochums.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost videochums.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
                 alias www.videochums.com
         port 443 namevhost video-chums.us-central1-a.c.video-chums.internal (/etc/apache2/sites-enabled/default-ssl.conf:2)

Do you really have a cert for that FQDN?


It's always cool to be right :sunglasses:

Anyway, that virtualhost is configured with an expired GoDaddy SSL certificate for "videochums.com" and "www.videochums.com", which is different than the hostname itself.

No, otherwise Apache wouldn't complain :wink:


So we've figured it out! Your default-ssl.conf is configured for an ancient, expired GoDaddy certificate and doesn't contain the same ServerName (probably NO ServerName) as the contents of the certificate. Which generates this error. Now you know what to do :slight_smile:


I see. What can I do to fix this? Also, how come that expired GoDaddy certificate doesn't seem to be used on the live site? This is all quite confusing to me.

Depends, what is your goal? Get rid of the warning? Or is your goal having a functional website?

Because you have two virtualhosts configured and the GoDaddy cert isn't used for your live site, but the Let's Encrypt certificate is.


Oh, ok. The website is functional so I guess my goal is to get rid of that warning.

Do you need default-ssl.conf to begin with?


Probably not? :thinking:

Show the file.


Is it secure to paste the files here? Both files have a lot of the same lines in them.

Here are the differences:

default-ssl.conf

<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile /path
SSLCertificateKeyFile /path
SSLCertificateChainFile /path
Protocols h2 http/1.1
[SSLOptions settings for FilesMatch and Directory elements]

000-default-le-ssl.conf

<VirtualHost *:443>
ServerName videochums.com
Include /letsencrypt-config-path
ServerAlias www.videochums.com
SSLCertificateFile /path
SSLCertificateKeyFile /path

Edit: I'm thinking I should just comment out the SSLCertificate lines in default-ssl.conf but I'm not 100% sure. :woozy_face:

The "default-ssl.conf" file doesn't seem to do anything.
There isn't even a document root.
I would just delete it and be done with this.
[well... if you are the paranoid type, disable it or rename it or move it]


Careful, if deleting the default-ssl.conf, make sure that SSLEngine on appears somewhere else in the HTTPS configuration (I think it does in something auto-added by Certbot, but I'm not positive).

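A check for the two things this thread turns on (a vhost with no ServerName falling back to the machine's FQDN, which the certificate cannot match, and the "SSLEngine on" caveat in the last reply), written here as an added example that nobody in the thread posted. The vhost text, the hostname and the SAN list are constructed from the values shown above (the `/path` placeholders are the thread's own); the SAN matching is a simplified approximation of what mod_ssl does, not Apache's code.

```python
# Constructed sample vhosts, modelled on the two snippets posted in the thread.
DEFAULT_SSL_CONF = """<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /path
    SSLCertificateKeyFile /path
</VirtualHost>"""
LE_SSL_CONF = """<VirtualHost *:443>
    ServerName videochums.com
    ServerAlias www.videochums.com
    SSLEngine on
    SSLCertificateFile /path
    SSLCertificateKeyFile /path
</VirtualHost>"""
MACHINE_HOSTNAME = "video-chums.us-central1-a.c.video-chums.internal"  # from the AH01909 log line
CERT_SANS = ["videochums.com", "www.videochums.com"]                   # from the Firefox cert view

def parse_vhost(conf):
    """Return (server_name, aliases, ssl_engine_on) for one <VirtualHost> block."""
    server_name, aliases, ssl_on = None, [], False
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "servername" and len(parts) > 1:
            server_name = parts[1].lower()
        elif key == "serveralias":
            aliases += [a.lower() for a in parts[1:]]
        elif key == "sslengine" and len(parts) > 1:
            ssl_on = parts[1].lower() == "on"
    return server_name, aliases, ssl_on

def san_matches(name, san):
    """Exact match, or a single-label wildcard in the leftmost label of the SAN."""
    san = san.lower()
    if san.startswith("*."):
        return name.count(".") == san.count(".") and name.endswith(san[1:])
    return name == san

def check_vhost(conf, cert_sans, machine_hostname):
    """Approximate the AH01909 test: with no ServerName, Apache names the vhost after the host's FQDN."""
    server_name, aliases, ssl_on = parse_vhost(conf)
    effective = server_name or machine_hostname.lower()
    matched = any(san_matches(n, s) for n in [effective] + aliases for s in cert_sans)
    return {"server_name": effective, "cert_matches": matched, "ssl_engine_on": ssl_on}
```

Running `check_vhost` on the default-ssl snippet reports the `.internal` FQDN with no matching SAN, which is exactly the vhost the warning names; the Let's Encrypt vhost matches and already carries its own `SSLEngine on`.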