SSL Self signed certificate CommonName error

Hi,

Maybe someone can help me to figure out what's wrong with my configuration.

I'm trying to configure an https domain with a Self-Signed Certificate. After many different configs I still receive this error:

RSA server certificate CommonName (CN) `localhost' does NOT match server name!?

Strange, I suppressed `localhost' everywhere!

My common name matches my website address. I did a check with openssl x509 -subject -in /etc/ssl/certs/server.crt

To install and generate the certificate I did:

```
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
sudo cp server.crt /etc/ssl/certs
```

(FYI: here the prompt says "cp: `server.crt' and `/etc/ssl/certs/server.crt' are the same file". I'm not sure what that means?)

```
sudo cp server.key /etc/ssl/private
```

What I have at this stage as configuration is:

I'm on Ubuntu 9.10 with Apache 2.

My hosts file is:

```
127.0.0.1 myHostName localhost
myLinodeIp myHostName.MyWebSIte.com myHostName

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
```

I have as a hostname: myHostName

My ports.conf is:

```
NameVirtualHost myIpAddress:80
Listen 80

# SSL name based virtual hosts are not yet supported, therefore no
# NameVirtualHost statement here
Listen myPort
```

My ssl Virtual hosts

```
NameVirtualHost myIp:myPort

ServerName https://myDomain.com:myPort
DocumentRoot /srv/www/myDomain.com/public_html

Options FollowSymLinks
AllowOverride None

LogLevel warn
CustomLog /var/log/apache2/ssl_access.log combined

SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLCertificateChainFile /etc/ssl/certs/server.crt
SSLCACertificateFile /etc/ssl/certs/server.crt

SSLOptions +StdEnvVars
SSLOptions +StdEnvVars

BrowserMatch ".MSIE." \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
```

Any thoughts?

Thanks a lot.

Jean

2 Replies

When generating your CSR, you must properly give your FQDN (e.g. www.example.com)

```
$ openssl req -new -key /tmp/test.key -out /tmp/test.csr
Enter pass phrase for /tmp/test.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: www.example.com
```

Hi Alucard. Thanks for your feedback. Yes, you're correct: FQDN = Common Name, which is my case.

The problem seems a bit odd. When I generated a new certificate, I was copying it to the same directory as the old one, which I had already removed.

By some quirk of the system, it appears something stayed in the computer memory, throwing the message "cp: `server.crt' and `/etc/ssl/certs/server.crt' are the same file" and not allowing the new file to be saved. In order to avoid this behavior I just had to generate the certificate with another name.

I also rearranged my virtualhost config a little.

```
NameVirtualHost xxx.xx.xxx.xx:port

ServerName my.domaine.com:port
DocumentRoot /srv/www/my.domaine.com/public_html
RedirectPermanent / https://my.domaine.com

Options FollowSymLinks
AllowOverride None
SSLRequireSSL
SSLOptions +StrictRequire

Options -Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all

LogLevel warn
CustomLog /var/log/apache2/ssl_access.log combined

SSLEngine on
SSLCertificateFile /etc/ssl/certs/my.domain.com.pem
SSLCertificateKeyFile /etc/ssl/private/my.domain.com.key

SSLOptions +StdEnvVars
SSLOptions +StdEnvVars

BrowserMatch ".MSIE." \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
```

Many thanks,

Jean
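A check for the warning this thread is about, as an added example that is not part of either post: mod_ssl serves the certificate named by `SSLCertificateFile`, so the script compares that file's subject CN with the vhost's `ServerName`. The function names, `www.example.com` and the generated files are constructed for illustration; it assumes `openssl` is on the PATH and compares the CN only, not subjectAltName entries or wildcards.

```bash
# Added example (not from the thread). Sample names and files are constructed.
# First value of an Apache directive in a config file (names are case-insensitive).
vhost_directive() {   # usage: vhost_directive <Directive> <conf-file>
    awk -v d="$1" 'tolower($1) == tolower(d) { print $2; exit }' "$2"
}

# Reduce a ServerName value ([scheme://]host[:port]) to the bare host name.
servername_host() {
    printf '%s\n' "$1" | sed -E 's#^[A-Za-z]+://##; s#:[^:]*$##'
}

# Subject CN of a PEM certificate; empty output if the file cannot be parsed.
cert_cn() {
    openssl x509 -noout -subject -nameopt multiline -in "$1" 2>/dev/null |
        sed -n 's/^ *commonName *= *//p'
}

# Return 0 on match, 1 on mismatch, 2 if no CN could be read from the file.
check_vhost_cert() {   # usage: check_vhost_cert <conf-file>
    local host cert cn
    host=$(servername_host "$(vhost_directive ServerName "$1")")
    cert=$(vhost_directive SSLCertificateFile "$1")
    cn=$(cert_cn "$cert")
    [ -n "$cn" ] || { echo "ERROR: no CN readable from '$cert'"; return 2; }
    if [ "$(echo "$cn" | tr 'A-Z' 'a-z')" = "$(echo "$host" | tr 'A-Z' 'a-z')" ]; then
        echo "OK: $cert has CN '$cn'"
    else
        echo "MISMATCH: ServerName '$host', but $cert has CN '$cn'"; return 1
    fi
}

# Constructed sample data: a stand-in default cert (CN=localhost), a site cert,
# and two vhost fragments that differ in which file SSLCertificateFile names.
make_demo() {   # usage: make_demo <dir>
    local d=$1 cn
    for cn in localhost www.example.com; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
            -keyout "$d/$cn.key" -out "$d/$cn.pem" 2>/dev/null
    done
    printf 'ServerName https://www.example.com:443\nSSLCertificateFile %s\n' "$d/localhost.pem" > "$d/before.conf"
    printf 'ServerName www.example.com:443\nSSLCertificateFile %s\n' "$d/www.example.com.pem" > "$d/after.conf"
}

demo_dir=$(mktemp -d)
make_demo "$demo_dir"
check_vhost_cert "$demo_dir/before.conf" || true   # reports the mismatch
check_vhost_cert "$demo_dir/after.conf"
rm -rf "$demo_dir"
```

On a real server, point `check_vhost_cert` at the vhost file for the site; a config with several vhosts needs one run per vhost section, since the parser reads only the first occurrence of each directive.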
