Our server was upgraded yesterday so it now has a more updated Ubuntu, Apache 2.4.10, PHP etc. After I put everything back, Apache started complaining about my configuration.
The server hosts a site which is using wildcards for dynamic content for different customers and contains 3 wildcard certificates for different services for these customers.
A part of the config with a wildcard looks like this:
<VirtualHost *:80>
    ServerName *.dashboard.example.com
    ServerAlias *.dashboard.example.com
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^(.+)\.dashboard.example\.com$
    RewriteRule ^/(.*)$ //%1.dashboard.example.com/$1 [R=302,L]
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin
    ServerName *.dashboard.example.com
    ServerAlias *.dashboard.example.com
    DocumentRoot /var/www/dashboard.example.com/web
    <Directory />
        AllowOverride All
        Options -Indexes +MultiViews +FollowSymLinks
        Order Deny,Allow
        Allow from all
    </Directory>
    ErrorLog /var/log/apache2/dashboard.example.com-error.log
    CustomLog /var/log/apache2/dashboard.example.com-access.log combined
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/bundle_wc_dashboard_example_com.crt
    SSLCertificateKeyFile /etc/ssl/certs/wildcard_dashboard_example_com.key
</VirtualHost>

Note that I'm using a bundle as the certificate file. Using separate files for the intermediate and root certificates gives an even worse result in SSL checks: the GeoTrust certificate is then not recognised. My SSL certificate supplier explained that as of Apache 2.4, the certificates should be bundled.
So this does not work for me:
SSLCertificateFile /etc/ssl/certs/wildcard_dashboard_example_com.crt
SSLCertificateKeyFile /etc/ssl/certs/wildcard_dashboard_example_com.key
SSLCertificateChainFile /etc/ssl/certs/GeoTrust_Global_CA.crt
SSLCertificateChainFile /etc/ssl/certs/RapidSSL_SHA256_CA_G3.crt

The above, however, did work on Apache 2.2.
When I try to start Apache it complains about the ServerName value:
[FAIL] Reloading web server: apache2 failed!
[warn] The apache2 configtest failed. Not doing anything. ... (warning).
Output of config test was:
AH00526: Syntax error on line 42 of /etc/apache2/sites-enabled/3-production.conf:
Invalid ServerName "*.dashboard.example.com" use ServerAlias to set multiple server names.
Action 'configtest' failed.
The Apache error log may have more information.

So it seems the asterisk is not allowed. If I remove the asterisk, Apache starts, but an error appears in the domain's error log:

[Fri Mar 11 10:32:13.821304 2016] [ssl:warn] [pid 18019] AH01909: dashboard.example.com:443:0 server certificate does NOT include an ID which matches the server name
From other sources I found the following command, which should be used to determine the CommonName that should be used as the ServerName:
openssl x509 -in wildcard_dashboard_example_com.crt -noout -subject
Which returns:
subject= /CN=*.dashboard.example.com
My browser does show a green lock, but SSL checks complain that I'm missing an intermediate/chain certificate file (see screenshot). The same problem occurs on the same server for 2 other wildcard domains and 1 normal subdomain which isn't a wildcard. Even there, Apache claims that the server certificate does NOT include an ID which matches the server name.
Any idea on how I can fix this? Anything else I can do to check what's wrong?
Update May 18 2016
I fixed this at the start of April. It appeared that the company who provided the SSL certificates gave us an old root certificate. They mailed me a zip containing both a bundled certificate and separate certificate files. I tried installing these multiple times. Then I compared the contents of all the files manually with other sites that did work. I noticed a difference and re-downloaded the certificates manually from their site.
The GeoTrust certificate was different. After installing it everything worked like a charm. My boss told me he would contact them about this, but unfortunately this never happened. Happy it's working now anyway.
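As an added example (not part of the question above or the author's setup), the following Python reproduces the identity check behind AH01909: it takes the CN from the `openssl x509 -noout -subject` output shown above, optionally a constructed list of Subject Alternative Names, and applies the one-label wildcard rule that RFC 6125 and Apache's check use, so a ServerName of `dashboard.example.com` is not covered by a `*.dashboard.example.com` certificate while `acme.dashboard.example.com` is.

```python
import re

# CN= values from `openssl x509 -noout -subject`, in the legacy form shown on
# this page ("subject= /CN=...") and the newer "subject=CN = ..." form.
CN_RE = re.compile(r"CN\s*=\s*([^/,]+)")


def cert_identities(openssl_subject, sans=()):
    """Lower-cased DNS identities a certificate presents (CN plus any SANs).

    `sans` is an optional list of Subject Alternative Names; the values used
    in the example are constructed, not read from a real certificate.
    """
    ids = [m.group(1) for m in CN_RE.finditer(openssl_subject)]
    ids.extend(sans)
    return [i.strip().lower().rstrip(".") for i in ids]


def identity_matches(identity, server_name):
    """True if `identity` covers `server_name` under the one-label wildcard rule.

    A leading "*." stands for exactly one DNS label (RFC 6125; Apache's check
    behaves the same): "*.dashboard.example.com" covers
    "acme.dashboard.example.com" but neither the bare "dashboard.example.com"
    nor "a.b.dashboard.example.com".
    """
    identity = identity.lower().rstrip(".")
    server_name = server_name.lower().rstrip(".")
    if "*" not in identity:
        return identity == server_name
    if not identity.startswith("*.") or "*" in identity[2:]:
        return False  # a wildcard is only honoured as the whole left-most label
    labels = server_name.split(".")
    return bool(labels[0]) and "*" not in labels[0] and ".".join(labels[1:]) == identity[2:]


def check_vhost(server_name, openssl_subject, sans=()):
    """Classify a ServerName the way Apache's configtest and AH01909 would.

    "AH00526": ServerName contains "*" and is rejected at config test;
    "match": some certificate identity covers it; "AH01909": none does.
    """
    if "*" in server_name:
        return "AH00526"
    ids = cert_identities(openssl_subject, sans)
    return "match" if any(identity_matches(i, server_name) for i in ids) else "AH01909"
```

Run `check_vhost("dashboard.example.com", "subject= /CN=*.dashboard.example.com")` to see the warning case from the question reproduced; adding `sans=["dashboard.example.com"]` shows what a certificate that also names the bare domain would need to carry.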
If the error below appears when the web server is restarted after an SSL certificate has been configured in Apache, the most common cause is that the SSL configuration points a directive at a file of the wrong type, i.e. the private key and server certificate files are not assigned to the directives that expect them.
RSA certificate configured for xxxx.com:443 does NOT include an ID which matches the server name
Example of the cause)

SSLCertificateKeyFile /path-to-certificate-files/private-key ex. domain_xxxxx.key.pem
SSLCertificateFile /path-to-certificate-files/server-certificate ex. domain_xxxxx.crt.pem
SSLCertificateChainFile /path-to-certificate-files/chain-certificate ex. chain-bundle.pem
SSLCACertificateFile /path-to-certificate-files/root-certificate ex. AAACertificateServicesRoot.crt.pem
Starting from the correct configuration above, the error occurs when, for example, SSLCertificateKeyFile is pointed at the server certificate, or SSLCertificateFile is pointed at the root or chain certificate. Each file must be assigned precisely to the matching Apache directive. (This is the most common cause of the error message.)

If you leave the configuration values above untouched but completely delete the server certificate file from its actual path, and the same error message still appears, then this configuration is not the one the server is actually using (a configuration in another location is in effect).

There is no dedicated way to find out which configuration is actually in effect. You have to go through every place where an SSL certificate is configured, change the values one at a time, and compare the differences to track it down.

The file name for each directive is described in the 'issuance statement PDF' included in the zip file delivered when the certificate is issued, which explains the file type of each attached file, so be sure to check the PDF before starting the configuration.
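As an added check (example code, not the vendor's guide or Apache's own tooling), the following Python reads the four mod_ssl directives from a vhost configuration and flags the two mistakes described above: a directive pointed at a file whose PEM block type does not suit it (a certificate given as the key, or a key given as the certificate), and SSLCertificateFile pointed at the same file as the chain or CA directive, which is what pointing it at the root certificate usually looks like. The file contents and configuration lines are constructed in-memory samples; the `read_file` callback is an assumption of this example so it runs without touching the filesystem.

```python
import re

# PEM block labels each mod_ssl directive should point at. SSLCertificateFile
# may hold the leaf followed by the intermediates (the bundle form), so any
# number of CERTIFICATE blocks is accepted there.
EXPECTED_LABELS = {
    "SSLCertificateKeyFile": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
    "SSLCertificateFile": {"CERTIFICATE"},
    "SSLCertificateChainFile": {"CERTIFICATE"},
    "SSLCACertificateFile": {"CERTIFICATE"},
}
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z ]+)-----$", re.MULTILINE)


def check_ssl_directives(vhost_config, read_file):
    """Report mod_ssl directives whose file is of the wrong kind.

    `read_file(path)` returns a file's text (assumed helper; the sample below
    reads from a dict). Returns a list of (directive, path, problem) tuples;
    an empty list means nothing suspicious was found.
    """
    assigned, problems = {}, []
    for line in vhost_config.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] not in EXPECTED_LABELS:
            continue
        directive, path = parts
        text = read_file(path)
        assigned[directive] = (path, text)
        labels = set(PEM_BEGIN.findall(text))
        if not labels:
            problems.append((directive, path, "no PEM block found"))
        elif not labels <= EXPECTED_LABELS[directive]:
            bad = ", ".join(sorted(labels - EXPECTED_LABELS[directive]))
            problems.append((directive, path, f"wrong block type: {bad}"))
    # The leaf certificate must not be the very same file as the chain or root.
    leaf = assigned.get("SSLCertificateFile")
    for other in ("SSLCertificateChainFile", "SSLCACertificateFile"):
        if leaf and other in assigned and assigned[other][1] == leaf[1]:
            problems.append(("SSLCertificateFile", leaf[0], f"same contents as {other}"))
    return problems


# Constructed sample files (bodies abbreviated; not real key material).
SAMPLE_FILES = {
    "/certs/domain.key.pem": "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n",
    "/certs/domain.crt.pem": "-----BEGIN CERTIFICATE-----\nMIIF...\n-----END CERTIFICATE-----\n",
    "/certs/root.crt.pem": "-----BEGIN CERTIFICATE-----\nMIID...\n-----END CERTIFICATE-----\n",
}
# Constructed misconfiguration: key directive given the certificate, and the
# certificate directive given the root CA file.
WRONG_CONFIG = """SSLCertificateKeyFile /certs/domain.crt.pem
SSLCertificateFile /certs/root.crt.pem
SSLCACertificateFile /certs/root.crt.pem"""
```

Call `check_ssl_directives(WRONG_CONFIG, SAMPLE_FILES.__getitem__)` to see both findings; on a real host pass `open(path).read` as `read_file`, and `apache2ctl -S` prints every loaded VirtualHost with the file and line it came from, which narrows down which configuration is actually in effect.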
Reference) Apache SSL certificate installation/configuration guide: //www.sslcert.co.kr/guides/Apache-SSL-Certificate-Install