Apache httpd conf file configuration mismatch
I have been facing a weird problem for the last 3 days; I have done everything that was required of me before posting my question here.
My httpd.conf looks like below:
NameVirtualHost *:443
Listen *:443
<VirtualHost server1.example.com:443>
ServerName server1
#ServerName server1.example.com
SSSLEngine on
</VirtualHost>
SSL is applied on server1.example.com; however, after everything, when we go to the website it only works with ServerName server1, not with ServerName server1.example.com. We don't have server1 in any of the configuration or network files.
So when we do this https://server1.example.com/xyz/ --- it works with ServerName server1 but does not work with ServerName server1.example.com.
Where is the problem here? I am not getting it. We have server1 nowhere in /etc/hosts or /etc/sysconfig/network, not even in the DNS.
Please suggest.
This is what we get in Error Log:
[Thu Nov 24 11:40:14 2016] [warn] RSA server certificate CommonName (CN) `server1.example.com' does NOT match server name!?
[Thu Nov 24 11:40:14 2016] [notice] Digest: generating secret for digest authentication ...
[Thu Nov 24 11:40:14 2016] [notice] Digest: done
[Thu Nov 24 11:40:14 2016] [notice] SSL FIPS mode disabled
[Thu Nov 24 11:40:14 2016] [warn] RSA server certificate CommonName (CN) `server1.example.com' does NOT match server name!?
[Thu Nov 24 11:40:14 2016] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Thu Nov 24 11:49:47 2016] [notice] caught SIGTERM, shutting down
[Thu Nov 24 11:49:47 2016] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Nov 24 11:49:47 2016] [notice] SSL FIPS mode disabled
[Thu Nov 24 11:49:47 2016] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Nov 24 11:49:47 2016] [warn] RSA server certificate CommonName (CN) `server1' does NOT match server name!?
[Thu Nov 24 11:49:47 2016] [notice] Digest: generating secret for digest authentication ...
[Thu Nov 24 11:49:47 2016] [notice] Digest: done
[Thu Nov 24 11:49:47 2016] [notice] SSL FIPS mode disabled
[Thu Nov 24 11:49:47 2016] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Nov 24 11:49:47 2016] [warn] RSA server certificate CommonName (CN) `server1' does NOT match server name!?
[Thu Nov 24 11:49:47 2016] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Thu Nov 24 11:55:19 2016] [notice] caught SIGTERM, shutting down
[Thu Nov 24 11:55:20 2016] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Nov 24 11:55:20 2016] [notice] SSL FIPS mode disabled
[Thu Nov 24 11:55:20 2016] [warn] RSA server certificate CommonName (CN) `server1.example.com' does NOT match server name!?
[Thu Nov 24 11:55:20 2016] [notice] Digest: generating secret for digest authentication ...
[Thu Nov 24 11:55:20 2016] [notice] Digest: done
[Thu Nov 24 11:55:20 2016] [notice] SSL FIPS mode disabled
[Thu Nov 24 11:55:20 2016] [warn] RSA server certificate CommonName (CN) `server1.example.com' does NOT match server name!?
[Thu Nov 24 11:55:20 2016] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
Solution 1:
Try
<VirtualHost *:443>
ServerName server1.example.com
ServerAlias server1
SSLEngine on
</VirtualHost>
You want the wildcard in the VirtualHost statement to turn off IP based vhost mapping. http://httpd.apache.org/docs/2.4/vhosts/name-based.html
Note the fixed line (SSLEngine instead of SSSLEngine).
Solution 2:
ServerName server1.example.com
ServerAlias server1
Solution 3:
Try changing your configuration to this:
NameVirtualHost *:443
Listen *:443
<VirtualHost *:443>
ServerName server1.example.com
ServerAlias server1
SSLEngine on
</VirtualHost>
I tend to avoid using hostnames in the VirtualHost directive. If DNS or any aspect of the hostname lookup process breaks, either on your server, or on DNS servers your server is pointing to/using, and Apache is unable to determine what server1.example.com resolves to at initial start up, it will not load the virtual host configuration.
Secondly, ServerName is the string presented in error pages (404 not found, 500 internal error etc) and the "primary name" for your website, so I tend to use the fully qualified hostname for ServerName. If I then need the site to be accessed by further names, I add these (one or more) using the ServerAlias directive (you can either have multiple lines of ServerAlias or give more than one name per ServerAlias line).
But since this is SSL, I highly suspect you will find there is a certificate mismatch occurring when accessing via just server1, though this should still work if you ignore browser security warnings.
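The points raised in the answers above can be checked mechanically. The following is an added example, not part of any answer on this page: it lints a vhost block for a hostname in the VirtualHost address, a ServerName that differs from the certificate CN quoted in the error log, aliases the certificate does not cover, and a missing SSLEngine on. The function name and finding codes are hypothetical, the CN is passed in rather than read from the certificate, and only exact CN matches are considered.

```python
import re

# Constructed inputs: the question's vhost block (typo kept) and the form the
# answers suggest. CERT_CN is the CN quoted in the error log on this page.
QUESTION_CONF = """\
<VirtualHost server1.example.com:443>
ServerName server1
#ServerName server1.example.com
SSSLEngine on
</VirtualHost>
"""
FIXED_CONF = """\
<VirtualHost *:443>
ServerName server1.example.com
ServerAlias server1
SSLEngine on
</VirtualHost>
"""
CERT_CN = "server1.example.com"

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
LITERAL_ADDR = re.compile(r"\*|_default_|[\d.]+|\[[0-9a-fA-F:.]+\]")

def lint_vhosts(conf, cert_cn):
    """Return (code, detail) findings for every <VirtualHost> block in conf."""
    findings = []
    for addr, body in VHOST_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                name, *rest = line.split(None, 1)
                directives.setdefault(name.lower(), []).extend(" ".join(rest).split())
        # A hostname here must resolve when httpd starts; '*' or an IP need not.
        host = re.sub(r":(\d+|\*)$", "", addr.split()[0])
        if not LITERAL_ADDR.fullmatch(host):
            findings.append(("vhost-hostname", host))
        # Exact, case-insensitive CN comparison only (no wildcard or SAN logic).
        names = directives.get("servername") or [""]
        if names[0].lower() != cert_cn.lower():
            findings.append(("servername-cn-mismatch", names[0]))
        for alias in directives.get("serveralias", []):
            if alias.lower() != cert_cn.lower():
                findings.append(("alias-not-in-cert", alias))
        if "on" not in (v.lower() for v in directives.get("sslengine", [])):
            findings.append(("sslengine-missing", ", ".join(sorted(directives))))
    return findings

if __name__ == "__main__":
    for label, conf in (("question", QUESTION_CONF), ("fixed", FIXED_CONF)):
        print(label, lint_vhosts(conf, CERT_CN))
```

The one finding left on the corrected block is the server1 alias, which the certificate named in the log does not cover.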