JAaron Anderson (United States of America) asked:
Apache hostname resets every reboot

I already studied EE Question 15037340 and confirmed my server is listed as <MyServer>.
I already knew that much; it documented /etc/hosts, but my problem is
every time I reboot the server my hostname <MyServer> (which matches my SSL cert and works great) changes back to the <MyTestServer> name and now there's an internal name conflict (eek)
...
My cert is a fully trusted CA cert from Verisign listed under the <MyServer> name.
It worked before I rebooted...
I can't find where in the world the original server name is still set as <MyTestServer> ...
I am getting this error (featured in this post's code snippet):

[Mon Mar 28 15:06:15 2011] [warn] RSA server certificate CommonName (CN) `mytestserver.mydomain.tld' does NOT match server name!?

error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch


Josef Pospisil (Germany):

what operating system do you use? If Linux which distribution?
Is ServerName defined in your SSL/vhost configuration and matching the CommonName in your server certificate?
I think Jelcin's question is poking in the right direction. This sounds like more of a system config issue than an Apache config issue.

If you have a RedHat or CentOS linux system, for instance, then you should check /etc/sysconfig/network for a line like:
 HOSTNAME=<MyTestServer>
which you can change to <MyServer>.
If some other OS, please let us know.
JAaron Anderson (asker):

cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.3 (Tikanga)

From the CLI I vi into /etc/sysconfig/network
and its HOSTNAME setting is right ... // that doesn't seem to change, seems static

the CLI command I've been performing every time the system reboots is:

hostname mycorrectservername



OK, here's another approach.
What do you get as output from:
 sysctl kernel.hostname

If you get MyTestServer, reset the value with:
 sysctl kernel.hostname=MyServer
From the CLI I ran
sysctl kernel.hostname
and it reports fine, listed properly, matching my cert info...

kernel.hostname = myServer.myDomain.tld

... could it be an external firewall/DNS rediscover/rewrite or anything wild like that?
... even in the BIOS somewhere?



An SSL certificate for Apache is going to rely on the ServerName directive in the httpd.conf matching the CommonName of the certificate and key.  The hostname of the underlying operating system has nothing to do with the https transaction.

Verify the CommonName of the certificate:

openssl x509 -in server.crt -noout -subject



Ensure that your ServerName is set in both httpd-ssl.conf and httpd-vhosts.conf and matches the CommonName.
Maybe your Apache configuration omits the ServerName directive, and that's why it's falling back to the local hostname?
If that's the case, then, as bjbeck suggests, adding the ServerName, and making sure it matches the CommonName of your cert, will help Apache to be happy after reboots.

That still sidesteps the issue that your hostname change isn't remaining permanent.
But if Apache is happy, maybe you're no longer concerned about the machine's hostname?
assuming httpd-ssl.conf is the equivalent of the /etc/httpd/conf.d/ssl.conf file

Can't seem to run 'openssl x509 -in server.crt -noout -subject'
against SSLCertificateKeyFile /etc/pki/tls/private/localhost.crt, which is listed in ssl.conf


&

as for matching the CommonName in the cert located at the path listed in the httpd.conf file
CLI [root@myRIGHTname conf]# openssl x509 -in server.crt -noout -subject
returns the hostname correctly...

hmmmmmm
Sorry, my fault.  For the key file run:

openssl x509 -in server.crt -noout -subject



When you say it returns the hostname correctly for the certificate, are you talking about the ServerName defined in your httpd.conf or the hostname for your linux system?

The CommonName for both the certificate and key should match your ServerName in the apache configuration.  
Ugh, typo again.  For the key file:

openssl rsa -in server.crt -noout -subject



Sorry about that.
>>returns the hostname correctly for the certificate
I am referring to the ServerName that is correctly defined in my httpd.conf

thx
:)


also

CLI openssl rsa -in my.crt -noout -subject
returns:
unknown option -subject
Again, my bad.  A key will not have a subject.

This may be an invalid key/cert pair...try creating a self-signed certificate and putting that in place for testing purposes.  http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#selfcert

If that works then we know if we need to focus on your Verisign cert or something else.

Good luck!
ok so I created a 1024-bit self-signed crt & key

I restarted the service and tailed ssl_error_log

I got this error:
[warn] RSA server certificate CommonName (CN) `MyServerTEST.widener.edu' does NOT match server name!?

... the WRONG HOSTNAME ... :(

... so I restored the original Verisign cert and recycled the httpd service

now I'm back to:
SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

hmmmmmmmm
>>If that works then we know if we need to focus on your Verisign cert or something else.

it didn't work, it's something else ...
SSL problems can often be very difficult to track down.

In regards to the first error:
[warn] RSA server certificate CommonName (CN) `MyServerTEST.widener.edu' does NOT match server name
Did you modify your ServerName directive(s) in the httpd.conf to "MyServerTEST.widener.edu"?  

As for the second and original error, try these commands:

for the certificate:
openssl x509 -noout -text -in <your certificate file> -modulus



for the key:
openssl rsa -noout -text -in <your key file> -modulus



The modulus value returned should match for both.
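The two checks this thread keeps circling back to are (1) whether the certificate and key belong together, which is what the modulus comparison above and the `X509_check_private_key:key values mismatch` error are about, and (2) whether the certificate CN equals the ServerName Apache will use, which is what the `CommonName (CN) ... does NOT match server name` warning is about. The script below is an added example (not from this thread or from any of its participants) that wraps both checks in shell functions and builds a constructed cert/key pair plus a minimal ssl.conf fragment so it can be run offline; the hostnames `myserver.example.test` and `mytestserver.example.test`, the `test.key` and the config fragment are all made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks (1) that an Apache SSL
# certificate and private key share one RSA modulus and (2) that the
# certificate CommonName equals a ServerName in the httpd config.
# Needs only openssl, awk, sed and grep.

# cert_key_match CERT KEY: 0 if both share the same modulus, 1 if they do
# not, 2 if either file cannot be parsed (wrong format or wrong file).
cert_key_match() {
    cm=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 2
    km=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ "$cm" = "$km" ]
}

# cert_cn CERT: prints the CommonName from the certificate subject.
# RFC2253 formatting gives "CN=host,..." on both old and new openssl.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# apache_servernames CONF: prints every ServerName value without its :port.
# httpd directive names are case-insensitive; commented lines are skipped
# because "#ServerName" never equals "servername".
apache_servernames() {
    awk 'tolower($1) == "servername" { sub(/:.*/, "", $2); print $2 }' "$1"
}

# servername_matches_cn CONF CERT: 0 if some ServerName equals the cert CN.
servername_matches_cn() {
    cn=$(cert_cn "$2")
    apache_servernames "$1" | grep -qx -- "$cn"
}

# make_fixture DIR: constructed test data, nothing here is a real host.
# server.crt/server.key carry the "right" CN, test.crt/test.key the "test"
# CN from the thread's scenario.
make_fixture() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=myserver.example.test" \
        -keyout "$1/server.key" -out "$1/server.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=mytestserver.example.test" \
        -keyout "$1/test.key" -out "$1/test.crt" >/dev/null 2>&1
    cat > "$1/ssl.conf" <<'EOF'
# constructed fragment in the style of /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>
    ServerName myserver.example.test:443
    SSLCertificateFile    /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/private/server.key
</VirtualHost>
EOF
}

# Stand-alone run: report each check against the fixture.
demo() {
    d=${TMPDIR:-/tmp}/sslcheck.$$
    make_fixture "$d"
    if cert_key_match "$d/server.crt" "$d/server.key"; then
        echo "server.crt / server.key: modulus matches"
    fi
    if ! cert_key_match "$d/server.crt" "$d/test.key"; then
        echo "server.crt / test.key: key values mismatch (wrong key for this cert)"
    fi
    if servername_matches_cn "$d/ssl.conf" "$d/server.crt"; then
        echo "ServerName matches CN $(cert_cn "$d/server.crt")"
    fi
    if ! servername_matches_cn "$d/ssl.conf" "$d/test.crt"; then
        echo "CN $(cert_cn "$d/test.crt") does NOT match any ServerName"
    fi
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh sslcheck.sh demo`; on a real system point `cert_key_match` at the `SSLCertificateFile` and `SSLCertificateKeyFile` paths from ssl.conf and `servername_matches_cn` at the config file itself. If `apache_servernames` prints nothing, no ServerName is set and mod_ssl will compare the CN against the machine's own hostname, which is the fallback the earlier replies describe.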

the modulus matches in both...

and I verified the CN in the crt on the subject line and the VirtualHost name in httpd.conf both reflect the CORRECT setting ... MyServerName.MyDomain.tld (no TEST in the name)

I did check a lot of this, but it's good to go through all the more blatant items just to count them out...

what's next to check?
ASKER CERTIFIED SOLUTION by bjbeck (Germany)

it is explicitly correct.
I moved another clone instance over into the EMC RAID and on boot-up it worked fine there...
so I turned on network access to it and am running that system instance instead.

but man, this was a great walk-through we compiled; thanks for the exercise.
great hands-on, I appreciate the collaboration


as far as Verisign goes, I use keytool with the attached infographic approach
http://i147.photobucket.com/albums/r305/jeremyandersondotcom/2010/portfolio/sslcert_infographic.jpg

best,
Aaron
Great, glad you got it worked out!  I can't really see anything that you did wrong, and I really can't explain why running from a clone filesystem would make it work...but hey, if it works!