Apache SSL: Server Cert Does Not Include ID Which Matches Server Name


Answer:

Okay, I noticed that this post has been viewed quite often recently, so it seems that a lot of people are facing the same issue that I did. If so, this might help you.

I followed a simple step-by-step tutorial to create an SSL certificate for my web server. Like so many tutorials out there, the outcome of the one I followed was a self-signed certificate created with OpenSSL. Yep, self-signed, that was the problem. The browser could not trust the server because its certificate was signed by the server itself. Well, I wouldn't either...

A certificate has to be signed by an external, trustworthy certificate authority (CA). So I stumbled upon Let's Encrypt, which does all the work for you, is even easier to set up, and best of all: it is absolutely free.

Installation

1) Delete your old ssl cert files which you have created by using OpenSSL

2) Open backports to get the certbot client on Debian. You should know that this will open a hole for unfinished software! Install packages from it only when you are aware of what you are doing.

echo 'deb http://ftp.debian.org/debian jessie-backports main' | sudo tee /etc/apt/sources.list.d/backports.list 

3) Update your linux system

sudo apt-get update 

4) Install certbot

sudo apt-get install python-certbot-apache -t jessie-backports 

5) Set up apache ServerName and ServerAlias

sudo nano /etc/apache2/sites-available/000-default.conf 

6) Edit apache config file

<VirtualHost *:80>
    . . .
    ServerName example.com
    ServerAlias www.example.com
    . . .
</VirtualHost>

7) Check for a correct syntax

sudo apache2ctl configtest 

8) If the config file looks fine, restart apache server

sudo systemctl restart apache2 

9) Set up a certificate using certbot and follow the instruction on screen.

sudo certbot --apache 

Renewal

All certificates from Let's Encrypt are valid for 3 months. To renew them you can manually run

sudo certbot renew 

Or automate this service as a cron job

sudo crontab -e 

and enter the following line to invoke a renewal every Monday at 2:30 am.

. . .
30 2 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log

You can follow a more detailed tutorial here: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-8


In my case I resolved this by replacing, in my Apache SSL config file for each affected domain:

ServerName mydomain.com
ServerAlias www.mydomain.com

with:

ServerName www.mydomain.com
ServerAlias mydomain.com

because my certificate is for "www.mydomain.com" and not for "mydomain.com".

Complete Apache file:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin noreply@mydomain.com
    ServerName www.mydomain.com
    ServerAlias mydomain.com
    DocumentRoot /home/mydomain.com/public_html

    # Compression, with the usual exceptions for already-compressed content
    SetOutputFilter DEFLATE
    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|ico|png)$ no-gzip dont-vary
    SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
    SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

    <Directory />
        Options +FollowSymLinks
        AllowOverride All
    </Directory>
    <Directory /home/mydomain.com/public_html>
        Options -Indexes +FollowSymLinks +MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride All
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn

    # Certificate paths as written by certbot; options-ssl-apache.conf is
    # certbot's shipped TLS settings file (it turns SSLEngine on)
    SSLCertificateFile /etc/letsencrypt/live/www.mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.mydomain.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
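Both answers above come down to the same check: every hostname a vhost serves (its ServerName, which is what Apache compares against the certificate when it logs the warning in the title, and then each ServerAlias, which browsers will compare) must match one of the identities in the certificate, i.e. the subjectAltName dNSNames, or the CN on older certificates. The script below is an added example and is not code from either answer. It parses ServerName and ServerAlias out of a constructed VirtualHost snippet, takes a constructed list of certificate identities instead of reading a real certificate (in practice you would get that list from `openssl x509 -in fullchain.pem -noout -ext subjectAltName`), and applies the one-label wildcard rule from RFC 6125 so that `*.example.com` covers `www.example.com` but neither `example.com` nor `a.b.example.com`. The sample mirrors the second answer: a certificate issued only for www.mydomain.com, so the ServerName is covered but the ServerAlias mydomain.com is not.

```python
# Added example: check Apache vhost names against certificate identities.
# Not code from the answers above. The VirtualHost snippet and the identity
# lists are constructed for illustration; a real run would take the SAN
# dNSNames from the certificate on disk.
import re

VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)


def _clean(name):
    """Normalise a ServerName/ServerAlias token: drop scheme and port, lower-case."""
    name = name.strip().lower()
    name = re.sub(r"^[a-z]+://", "", name)      # ServerName https://example.com:443
    return name.split(":", 1)[0].rstrip(".")


def parse_vhost_names(config_text):
    """Return [(server_name, [aliases]), ...] for every <VirtualHost> block."""
    hosts = []
    for body in VHOST_RE.findall(config_text):
        server_name, aliases = None, []
        for line in body.splitlines():
            line = line.strip()
            m = re.match(r"servername\s+(\S+)", line, re.I)
            if m:
                server_name = _clean(m.group(1))
                continue
            m = re.match(r"serveralias\s+(.+)", line, re.I)
            if m:
                aliases.extend(_clean(a) for a in m.group(1).split())
        hosts.append((server_name, aliases))
    return hosts


def identity_matches(hostname, identity):
    """RFC 6125 style match: exact, or a leading '*.' covering exactly one label."""
    hostname, identity = hostname.lower().rstrip("."), identity.lower().rstrip(".")
    if identity.startswith("*."):
        suffix = identity[1:]                    # ".example.com"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]
        return leftmost != "" and "." not in leftmost
    return hostname == identity


def uncovered_names(config_text, cert_identities):
    """Map each vhost's ServerName to the names (ServerName first, then aliases)
    that no certificate identity covers. An empty list means the vhost is fine;
    the ServerName itself appearing in the list is the case Apache warns about."""
    report = {}
    for server_name, aliases in parse_vhost_names(config_text):
        names = [n for n in [server_name, *aliases] if n]
        report[server_name] = [
            n for n in names
            if not any(identity_matches(n, ident) for ident in cert_identities)
        ]
    return report


# Constructed snippet mirroring the second answer's swap: the certificate was
# issued for www.mydomain.com only, so the alias is left uncovered.
SAMPLE_VHOST = """
<VirtualHost *:443>
    ServerName www.mydomain.com
    ServerAlias mydomain.com
</VirtualHost>
"""
SAMPLE_IDENTITIES = ["www.mydomain.com"]          # constructed SAN list

if __name__ == "__main__":
    for vhost, missing in uncovered_names(SAMPLE_VHOST, SAMPLE_IDENTITIES).items():
        status = "OK" if not missing else "NOT covered: " + ", ".join(missing)
        print(f"{vhost}: {status}")
```

Swapping ServerName and ServerAlias, as the second answer does, silences Apache's warning because the ServerName now matches, but the report still lists mydomain.com as uncovered; a browser visiting that bare name will reject the certificate until it is reissued for both names (certbot accepts several `-d` flags for exactly that).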

If you are seeing no other SSL errors, and if you have tried setting 'LogLevel debug' in the httpd.conf file, this error message can also suggest 'Listen 443' is missing from the httpd.conf file.

