Apache SSL: Server Cert Does Not Include ID Which Matches Server Name


Answer :

Okay, I noticed that this post is viewed quite often recently and so it seems that a lot of people are facing the same issue that I did. If so then this might help you.

I have followed a simple step-by-step tutorial to create a SSL-certification for my webserver. Like so many tutorials out there the outcome of the tutorial I followed was a self-signed certificate using OpenSSL. Yep self-signed, that was the problem. The browser could not trust the server due to it's certificate which is signed by itself. Well I wouldn't do either...

A certificate has to be signed by an external trustworthy certificate authority (CA). So I stumbled upon Let's Encrypt which does all the work for you and is even easier to set up and the best is: it is absolutely free.

Installation

1) Delete your old ssl cert files which you have created by using OpenSSL

2) Open backports to get certbot client on Debian. You should know that this will open a hole for unfinished software! Install only the packages when you are aware about what you are doing.

echo 'deb http://ftp.debian.org/debian jessie-backports main' | sudo tee /etc/apt/sources.list.d/backports.list

3) Update your linux system

sudo apt-get update

4) Install certbot

sudo apt-get install python-certbot-apache -t jessie-backports

5) Set up apache ServerName and ServerAlias

sudo nano /etc/apache2/sites-available/000-default.conf

6) Edit apache config file

<VirtualHost *:80>     . . .     ServerName example.com     ServerAlias www.example.com     . . . </VirtualHost>

7) Check for a correct syntax

sudo apache2ctl configtest

8) If the config file looks fine, restart apache server

sudo systemctl restart apache2

9) Set up a certificate using certbot and follow the instruction on screen.

sudo certbot --apache

Renewal

All certificates by Let's Encrypt are valid through 3 months. To renew the you can manually run

sudo certbot renew

Or automate this service as a cron job

sudo crontab -e

and enter the following row to invoke a renewal every Monday at 2:30 am.

. . . 30 2 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log

You can follow a more detailled tutorial here: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-8


In my case I have resolved this by replaced in my apache ssl config file for each concerned domain :

ServerName mydomain.com ServerAlias www.mydomain.com

by :

ServerName www.mydomain.com ServerAlias mydomain.com

Because my certificate is for "www.mydomain.com" and not for "mydomain.com"

complete apache file :

<IfModule mod_ssl.c> <VirtualHost *:443>     ServerAdmin noreply@mydomain.com         ServerName www.mydomain.com         ServerAlias mydomain.com     DocumentRoot /home/mydomain.com/public_html SetOutputFilter DEFLATE SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|ico|png)$ \ no-gzip dont-vary SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ \no-gzip dont-vary SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary BrowserMatch ^Mozilla/4 gzip-only-text/html BrowserMatch ^Mozilla/4\.0[678] no-gzip BrowserMatch \bMSIE !no-gzip !gzip-only-text/html      <Directory />         Options +FollowSymLinks         AllowOverride All     </Directory>     <Directory /home/mydomain.com/public_html>         Options -Indexes +FollowSymLinks +MultiViews         AllowOverride All         Order allow,deny         allow from all     </Directory>      ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/     <Directory "/usr/lib/cgi-bin">         AllowOverride All         Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch         Order allow,deny         Allow from all     </Directory>   ErrorLog ${APACHE_LOG_DIR}/error.log  LogLevel warn SSLCertificateFile /etc/letsencrypt/live/www.mydomain.com/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/www.mydomain.com/privkey.pem Include /etc/letsencrypt/options-ssl-apache.conf </VirtualHost> </IfModule>

If you are seeing no other SSL errors, and if you have tried setting 'LogLevel debug' in the httpd.conf file, this error message can also suggest 'Listen 443' is missing from the httpd.conf file.


Comments

Post a Comment

Popular posts from this blog

Chemistry - Bond Angles In NH3 And NCl3

Answer : Solution 1: As Tan Yong Boon stated, it is Bent’s Rule with which we can explain the lower bond angle of \ce N F 3 \ce{NF3} \ce NF 3 when compared to \ce N H 3 \ce{NH3} \ce N H 3 . The rule as stated by Henry Bent: Atomic s character concentrates in orbitals directed towards electropositive substituents. Fluorine is more electronegative that hydrogen, and the \ce N − F \ce{N−F} \ce N − F bond would have greater p character than the \ce N − H \ce{N−H} \ce N − H bond. And more s character leads to large bond angles. Thus, the bond angle is greater in \ce N H 3 \ce{NH3} \ce N H 3 than in \ce N F 3 \ce{NF3} \ce NF 3 . Now, consider \ce N C l 3 \ce{NCl3} \ce NCl 3 . Clearly, \ce C l \ce{Cl} \ce Cl atom islarger in size than the central atom, nitrogen. Hence the higher bond angle here is due to the steric crowding caused by \ce C l \ce{Cl} \ce Cl atoms.(More pronounced than the electrongativity of \ce C l \ce{Cl} \ce Cl atom). They repel eachother and hence b...
Read more

Are Regular VACUUM ANALYZE Still Recommended Under 9.1?

Answer : VACUUM is only needed on updated or deleted rows in non-temporary tables. Obviously you're doing lots of INSERTs but it's not obvious from the description that you're also doing lots of UPDATEs or DELETEs. These operations can be tracked with the pg_stat_all_tables view, specifically the n_tup_upd and n_tup_del columns. Also, even more to the point, there is a n_dead_tup column that tells, per table, how much rows need to be vacuumed. (see Monitoring statistics in the doc for functions and views related to statistics gathering). A possible strategy in your case would be to suppress the scheduled VACUUM, keeping an eye on this view and checking on which tables the n_dead_tup is going up significantly. Then apply the aggressive VACUUM to these tables only. This will be a win if there are large tables whose rows never get deleted nor updated and the aggressive VACUUM is really necessary only on smaller tables. But keep running the ANALYZE for the optimiz...
Read more

Change The Font Size Of Visual Studio Solution Explorer

Answer : Go to Tools->Options->Environment->Fonts and Colors In "Show Settings for" chose "Environment Font" In "Font" replace Automatic to for example, Arial and change size. Change the font size of that setting, all Font size in the Explorers (Solution Explorer, Server Explorer and Toolbox) and menus will change. You can set that in Tools, Options.
Read more