Aaron Anderson asked:
Apache hostname resets every reboot
I already studied EE Question 15037340 and confirmed my server is listed as <MyServer>
I already knew what it documented about /etc/hosts, but my problem is
every time I reboot the server my hostname <MyServer> (which matches my SSL cert and works great) changes back to <MyTestServer>, and now there's an internal name conflict (eek)
...
My cert is a fully trusted CA from Verisign listed as <MyServer> name.
As it worked before I just rebooted...
I can't find where in the world the original server name is still set as <MyTestServer> ...
I am getting this error: (featured in this post's code snippet)
[Mon Mar 28 15:06:15 2011] [warn] RSA server certificate CommonName (CN) `mytestserver.mydomain.tld' does NOT match server name!?
error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
What operating system do you use? If Linux, which distribution?
Is ServerName defined in your SSL/vhost configuration and matching the CommonName in your server certificate?
I think Jelcin's question is poking in the right direction. This sounds like more of a system config issue than an Apache config issue.
If you have a RedHat or CentOS linux system, for instance, then you should check /etc/sysconfig/network for a line like:
HOSTNAME=<MyTestServer>
which you can change to <MyServer>.
If some other OS, please let us know.
ASKER
cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.3 (Tikanga)
ASKER
I CLI vi into /etc/sysconfig/network
and its HOSTNAME setting is right ... // that doesn't seem to change, seems static
the CLI command I've been performing every time the system reboots is:
hostname mycorrectservername
OK, here's another approach.
What do you get as output from:
sysctl kernel.hostname
If you get MyTestServer, reset the value with:
sysctl kernel.hostname=MyServer
ASKER
I CLI
sysctl kernel.hostname
and it reports fine listed properly matching my cert info...
kernel.hostname = myServer.myDomain.tld
... could it be an external firewall/DNS rediscover/rewrite or anything wild like that ?
... even in BIOS somewhere ?
An SSL certificate for Apache is going to rely on the ServerName directive in the httpd.conf matching the CommonName of the certificate and key. The hostname of the underlying operating system has nothing to do with the https transaction.
Verify the CommonName of the certificate:
openssl x509 -in server.crt -noout -subject
Ensure that your ServerName is set in both httpd-ssl.conf and httpd-vhosts.conf and matches the CommonName.
Maybe your Apache configuration omits the ServerName directive, and that's why it's falling back to the local hostname?
If that's the case, then -- as bjbeck suggests --adding the ServerName, and making sure it matches the CommonName of your cert, will help Apache to be happy after reboots.
That still sidesteps the issue that your hostname change isn't remaining permanent.
But if Apache is happy, maybe you're no longer concerned about the machine's hostname?
ASKER
assuming httpd-ssl.conf is the equivalent to /etc/httpd/conf.d/ssl.conf file
Can't seem to run 'openssl x509 -in server.crt -noout -subject'
against SSLCertificateKeyFile /etc/pki/tls/private/localhost.crt which is listed in ssl.conf
&
as for matching the CommonName in cert located at path listed in httpd.conf file
CLI [root@myRIGHTname conf]# openssl x509 -in server.crt -noout -subject
returns hostname correctly...
hmmmmmm
Sorry, my fault. For the key file run:
openssl x509 -in server.crt -noout -subject
When you say it returns the hostname correctly for the certificate, are you talking about the ServerName defined in your httpd.conf or the hostname for your linux system?
The CommonName for both the certificate and key should match your ServerName in the apache configuration.
Ugh, typo again. For the key file:
openssl rsa -in server.crt -noout -subject
Sorry about that.
ASKER
>>returns the hostname correctly for the certificate
I am referring to the ServerName, which is correctly defined in my httpd.conf
thx
:)
also
CLI openssl rsa -in my.crt -noout -subject
returns ::.
unknown option -subject
Again, my bad. A key will not have a subject.
This may be an invalid key/cert pair...try creating a self-signed certificate and putting that in place for testing purposes. http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#selfcert
If that works then we know if we need to focus on your Verisign cert or something else.
Good luck!
ASKER
ok so I created a 1024 bit self-signed crt & key
I rebooted the service and tailed out ssl_error_log
I got this error:
[warn] RSA server certificate CommonName (CN) `MyServerTEST.widener.edu' does NOT match server name!?
... the WRONG HOSTNAME ... :(
... so I restored the orig verisign cert and recycled httpd service
now I'm back to :
SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
hmmmmmmmm
ASKER
>>If that works then we know if we need to focus on your Verisign cert or something else.
it didn't work, it's something else ...
SSL problems can often be very difficult to track down.
In regards to the first error:
[warn] RSA server certificate CommonName (CN) `MyServerTEST.widener.edu' does NOT match server name
Did you modify your ServerName directive(s) in the httpd.conf to "MyServerTEST.widener.edu" ?
As for the second and original error, try these commands:
for the certificate:
openssl x509 -noout -text -in <your certificate file> -modulus
for the key:
openssl rsa -noout -text -in <your key file> -modulus
The modulus value returned should match for both.
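The checks the answers suggest (read the CN out of the certificate, compare the RSA modulus of certificate and key, and compare the CN against the ServerName Apache would use) can be scripted so the two mod_ssl failures seen in this thread are told apart. The script below is an added example written for this thread, not code from the thread or from the Apache project; it builds its own throwaway self-signed pairs in a temp directory (the names myserver.mydomain.tld and mytestserver.mydomain.tld, and the function names, are constructed), so it runs on any machine with the openssl command:

```shell
#!/bin/sh
# Added example: reproduce the cert/key and CN checks against a throwaway
# self-signed pair. All file names and host names below are constructed.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_selfsigned <cn> <basename>: throwaway self-signed cert + key under $WORK
# (the same kind of test certificate the Apache SSL FAQ link above describes)
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.crt" >/dev/null 2>&1
}

# cert_cn <certfile>: print the CommonName from the certificate subject,
# tolerating both "subject= /CN=x" (openssl 1.0) and "subject=CN = x" (1.1+)
cert_cn() {
    openssl x509 -in "$1" -noout -subject \
        | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' | sed 's/[[:space:]]*$//'
}

# cert_key_match <certfile> <keyfile>: succeed only if both carry the same RSA
# modulus; a differing modulus is what "key values mismatch" reports
cert_key_match() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus)
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# servername_matches_cn <certfile> <servername>: the comparison behind the
# "CommonName (CN) ... does NOT match server name" warning; host names are
# case-insensitive, so both sides are lowercased first
servername_matches_cn() {
    cn=$(cert_cn "$1" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$cn" ] && [ "$cn" = "$want" ]
}

# Constructed scenario: the pair that should be live, plus a stale test-box
# pair that was never removed.
make_selfsigned myserver.mydomain.tld good
make_selfsigned mytestserver.mydomain.tld stale

echo "CN in good.crt: $(cert_cn "$WORK/good.crt")"

if cert_key_match "$WORK/good.crt" "$WORK/good.key"; then
    echo "good.crt / good.key: modulus matches"
fi
if ! cert_key_match "$WORK/good.crt" "$WORK/stale.key"; then
    echo "good.crt / stale.key: modulus differs (the X509_check_private_key error)"
fi
if ! servername_matches_cn "$WORK/good.crt" mytestserver.mydomain.tld; then
    echo "ServerName mytestserver.mydomain.tld would trigger the CN mismatch warning"
fi
```

Point cert_key_match at the SSLCertificateFile and SSLCertificateKeyFile paths from ssl.conf to reproduce the asker's second error, and servername_matches_cn at the certificate plus the ServerName from the vhost to reproduce the first; a mismatch in the second check while the first passes means the wrong key is on disk, not the wrong host name.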
ASKER
the modulus matches in both...
and I verified the CN in the crt on the subject line and VirtualHost name in httpd.conf both reflect the CORRECT setting ... MyServerName.MyDomain.tld (no TEST in the name)
I did check a lot of this but it's good to go through all the more blatant items just to count them out...
what's next to check?
ASKER
it is explicitly correct.
moved over another clone instance into EMC raid and on bootup it worked fine there...
so turned on network access to it and am running that system instance instead.
but man this was a great walk thru we compiled thanks for the exercise.
ASKER
great hands on I appreciate the collaboration
ASKER
as far as Verisign goes, I use keytool with the attached infographic approach
http://i147.photobucket.com/albums/r305/jeremyandersondotcom/2010/portfolio/sslcert_infographic.jpg
best,
Aaron
Great, glad you got it worked out! I can't really see anything that you did wrong, and I really can't explain why running from a clone filesystem would make it work...but hey, if it works!