All,
We're in the process of spinning off our support department from one
domain to another. This seemed simple enough, but the SSL is challenging.
I'd like to ask about a weird certificate bug that I've encountered. The
issue is pretty basic -- I have an SSL cert with support.newdomain.com
configured, and support.originaldomain.com configured as the
CertificateAltName.
In httpd.conf I have:
ServerName support.originaldomain.com
ServerAlias support.newdomain.com
The cert was bought from Comodo today. Everything works as is, but for
various reasons we'd like the *new* name to be the ServerName.
When I reverse those two lines, to be:
ServerName support.newdomain.com
ServerAlias support.originaldomain.com
Apache refuses to start, with this error:
[Wed Dec 18 06:58:28 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Dec 18 06:58:28 2013] [warn] RSA server certificate CommonName (CN) `COMODO SSL CA' does NOT match server name!?
[Wed Dec 18 06:58:28 2013] [error] Unable to configure RSA server private key
[Wed Dec 18 06:58:28 2013] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Note that I *thought* this was because I was using a unified cert/key/CA
file -- but even when I broke things out into separate
SSLCertificateKeyFile/SSLCertificateChainFile/SSLCertificateFile lines, I get
this error.
The only thing I can assume is still being done here is that the RDNS of
the configured IP points at the (and there are two, IPv4 and IPv6, so I'm
not sure how this determination works). I'm also not sure why DNS is
relied on when I'm explicitly specifying the ServerName in httpd.conf.
Adding NameVirtualHost blocks for the ip:port pairs in question didn't
help, for what it's worth.
Also, I don't think this is about SNI -- there's only ONE certificate that
should be served for any connection to a given ip/port pair, and SNI is
about using multiple certs.
Finally, I've searched for this a lot, and it leads to a lot of people
suggesting that the person asking is using the wrong type of cert (I'm
not; if I were, I wouldn't be able to trigger this by reversing
ServerName/ServerAlias).
http://www.question-defense.com/2008/10/26/rsa-server-certificate-is-a-ca-certificate-basicconstraints-ca-true
http://serverfault.com/questions/472390/cant-make-httpd-use-correct-ssl
also seems to be along the right lines, but I've been doing this for a
long time and I'm sure all is right. Remember, things *break* when I set
ServerName to the CommonName of the cert.
Unfortunately, reproducing this issue requires buying a $150 cert, and I
can't upload my certs to a bug tracker, but I'd be happy to try anything
anyone suggests.
-Dan
--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
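A check a practitioner would run on the files before restarting httpd, as an added example that is not part of the original post or of mod_ssl: it reproduces, with the openssl command-line tool, the three conditions behind the three log messages quoted above (the first certificate in the file has BasicConstraints CA:TRUE, its name does not cover the ServerName, the private key does not belong to it) against a throwaway CA and leaf certificate that the script builds inline. The two host names are taken from the post; the CA name, file names, key size and validity period are assumptions constructed for the demo. The second audit run shows that a bundle with the CA certificate on top produces all three messages at once, which is the pattern to rule out on the real files; it does not claim that this is what happened in the reported configuration.

```shell
#!/bin/sh
# Added example, not from the original post or from mod_ssl: run the three
# checks mod_ssl performs at start-up (is the server cert a CA cert? does its
# name cover the ServerName? does the private key belong to it?) with the
# openssl CLI, so each log message can be traced to a file before restarting.
# Assumptions: the openssl CLI is on PATH; the CA name, file names and key
# size below are constructed for this demo, not the poster's real material.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- constructed test material (throwaway CA + leaf with the post's two names)
cat >"$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:support.newdomain.com,DNS:support.originaldomain.com
EOF

openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 \
    -config "$WORK/ext.cnf" -extensions v3_ca -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ext.cnf" \
    -subj "/CN=support.newdomain.com" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/ext.cnf" -extensions v3_leaf \
    -out "$WORK/leaf.crt" 2>/dev/null
# Two "unified" bundles: leaf first (correct) and CA first (the layout that
# makes mod_ssl read the CA certificate as the server certificate).
cat "$WORK/leaf.crt" "$WORK/ca.crt" >"$WORK/leaf-first.pem"
cat "$WORK/ca.crt" "$WORK/leaf.crt" >"$WORK/ca-first.pem"

# --- checks -----------------------------------------------------------------

# First certificate in a PEM file; that is the one mod_ssl uses as server cert.
first_cert() { awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$1"; }

# 0 if the first certificate carries BasicConstraints CA:TRUE.
is_ca_cert() { first_cert "$1" | openssl x509 -noout -text | grep -q 'CA:TRUE'; }

# Subject CN plus every DNS SAN of the first certificate, one per line.
cert_names() {
    first_cert "$1" | openssl x509 -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
    first_cert "$1" | openssl x509 -noout -text \
        | awk '/X509v3 Subject Alternative Name/{getline; print}' \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# 0 if NAME appears as CN or DNS SAN (the mod_ssl warning looks at the CN
# only; clients match the SANs, so both are checked here).
cert_covers_name() { cert_names "$1" | grep -qxF "$2"; }

# 0 if the key's public half equals the certificate's. The classic
# "-modulus" comparison is the RSA-only form of the same test.
cert_matches_key() {
    c=$(first_cert "$1" | openssl x509 -noout -pubkey)
    k=$(openssl pkey -in "$2" -pubout)
    [ "$c" = "$k" ]
}

# One line per check for a cert file, a key file and a ServerName.
audit() {
    cert=$1; key=$2; name=$3
    if is_ca_cert "$cert"; then echo "CA flag  - first cert in $cert is a CA certificate"
    else echo "CA flag  - ok"; fi
    if cert_covers_name "$cert" "$name"; then echo "name     - $name covered"
    else echo "name     - $name NOT covered (names: $(cert_names "$cert" | tr '\n' ' '))"; fi
    if cert_matches_key "$cert" "$key"; then echo "key      - matches"
    else echo "key      - MISMATCH"; fi
}

echo "== leaf first, leaf key, ServerName support.newdomain.com"
audit "$WORK/leaf-first.pem" "$WORK/leaf.key" support.newdomain.com
echo "== same key and ServerName, but the CA certificate is on top of the bundle"
audit "$WORK/ca-first.pem" "$WORK/leaf.key" support.newdomain.com
```

Run it against the real files by calling `audit /path/to/SSLCertificateFile /path/to/SSLCertificateKeyFile support.newdomain.com` for each `<VirtualHost>` on the ip:port pair in question; a CA-flag hit, a name miss and a key mismatch appearing together point at the file whose first certificate is not the leaf.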