3

I have an apache installation with some name-based vhosts and a SSL certficate with CN=maindomain.com and DNS Alternative Names for the all the vhosts (sub)domains.

However, this setup gives warnings in the logs in the form:

[Fri Jan 03 16:52:38 2014] [warn] RSA server certificate CommonName (CN) `maindomain.com' does NOT match server name!?
[Fri Jan 03 16:52:38 2014] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)

While working, I should say that Name-based SSL vhosts are irrelevant because the certificate is for all vhosts. Furthermore I would say the CN matches the main ServerName. Is there any way to fix this and clear the logs?

Distilled configuration is as follows:

Servername maindomain.com

<VirtualHost *:80>
    ServerName www.maindomain.com
    DocumentRoot /var/www/www.maindomain.com/public_html/
</VirtualHost>
<VirtualHost *:443>
    ServerName www.maindomain.com
    Include ssl.vhost.conf
    DocumentRoot /var/www/www.maindomain.com/public_html/
</VirtualHost>

<VirtualHost *:80>
    ServerName altdomain.com
    DocumentRoot /var/www/altdomain.com/public_html/
</VirtualHost>
<VirtualHost *:443>
    ServerName altdomain.com
    Include ssl.vhost.conf
    DocumentRoot /var/www/altdomain.com/public_html/
</VirtualHost>
# More vhosts in the same way, sometimes tld's sometimes subdomains

And ssl.vhost.conf as follows:

SSLEngine ON
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

SSLCertificateFile      /etc/certificates/maindomain.com.crt
SSLCertificateKeyFile   /etc/certificates/maindomain.com.key
SSLCertificateChainFile /etc/certificates/ca-intermediate.crt
SSLCACertificateFile    /etc/certificates/ca.crt
Jeff Schaller
  • 66,199
  • 35
  • 114
  • 250
dtech
  • 987
  • 2
  • 9
  • 14
  • Is your certificate a wildcard certificate, i.e. with a `CN=*.maindomain.com` in the subject? If not, it looks like it may be for the **exact** FQDN ‘maindomain.com’, and won't match ‘www.maindomain.com’. You can check the certificate subject with `openssl x509 -text -in /path/to/maindomain.cert | grep Subject:` – Alexios Jan 05 '14 at 12:45
  • It is a wildcard certificate but its CN is maindomain.com (*.maindomain.com in the alternative names), but the same errors are there when the CN=*.maindomain.com (because the servername is www.maindomain.com) – dtech Jan 05 '14 at 15:17

1 Answers1

2

Not sure if apache can read SANs.. This is still on their to do list I guess, that's why it's only a warning that may be safely ignored and I am not sure again if it is fixable. It may depend on your distro. Some say that removing default_host fixes this issue but then again that might be for those without SANs.

Mister
  • 21
  • 2
  • This has been my experience. We've safely ignored the warning messages. It seems Apache is trying to be helpful by alerting you to the fact that it detected the certificates CommonName doesn't match the ServerName set in the VirtualHost block. – paperclip Jan 08 '15 at 08:59