
SSL on Apache help.

Hi,

Newbie with SSL certs here..

My setup is: Ubuntu Lucid Lynx and Apache 2.

I have bought an SSL cert from RapidSSL and followed these instructions: https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=so13985

I already had a forum, and I just want to configure it with SSL.

In etc/apache2/sites-available I got:

site-one (I enable it by using a2ensite site-one)

I have copied site-one to site-one-ssl and changed the following in the file:

NameVirtualHost *:443
<VirtualHost *:443>

 SSLEngine On
 SSLCertificateFile /etc/apache2/ssl.key/key.crt
 SSLCertificateKeyFile /etc/apache2/ssl.key/key.key
 SSLCACertificateFile /etc/apache2/ssl.key/RapidSSL_CA_bundle.crt


Now when I run a2ensite site-one-ssl I have no error, but when trying to connect to it I have a certificate page error, and this appears in the log files:
osqa.error.log.1:[Fri Dec 02 14:21:22 2011] [warn] RSA server certificate CommonName (CN) `RapidSSL CA' does NOT match server name!?

I don't know where this RapidSSLCA thing came from.


Anyone have an idea what this means? Seems like my server name was not correctly entered somewhere??




Also, how can I test the SSL version of my site without taking the prod site down?

Commented:
Hi, there could be several reasons why this error is given.

I would start by checking the key and crt using openssl  (openssl rsa -in privateKey.key -check). See what the common name is in these files. There could be a typo.

Second would be to verify if the common name (as stated in the key) is resolvable. So it should be in the hosts file of your server or in your dns.

Seeing the error I suspect the common name in the key contains 'RapidSSL CA' instead of your domain name or fully qualified server name.

Thanks,

but this command returns an encrypted text:
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY----
...
...
..
....


-----END RSA PRIVATE KEY-----
Commented:
You're right. Try openssl x509 -in certificate.crt -text -noout. Likewise you can add the certificate to a browser. When using view certificate it gives you the info.

Author

Commented:
I have noticed the CN was different.. in the certificate it says hub.company.com and my hostname was hub.


Maybe it's related?
I get this error: Unable to configure RSA server private key
Commented:
If the CN differs from what is in your hosts file or dns then it fails. Add hub.company.hub to your hosts file (and/or dns).

The error message unable to configure.. is just the first line of the complete message. This error should be followed by some openssl error message. It could be a 'key values mismatch'. That would imply the certificate and the key don't match.

Author

Commented:
I have fixed my problem. Turns out it was my error. I did not use an "intermediate" crt file.

Author

Commented:
thanks
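
The checks suggested in the replies above, gathered into one script as an added example (not part of the original thread): it reads the CN from the certificate file, compares the certificate and RSA key moduli, and verifies the certificate against the CA bundle. The function names and the throwaway test CA are assumptions made for the demonstration, and only the subject CN is compared, as in the Apache warning from the log.

```sh
#!/bin/sh
# Added example: pre-flight checks for the files an Apache SSL vhost points at.

# Subject CN of the first certificate in a PEM file.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# True when certificate $1 and RSA private key $2 share the same modulus.
pair_matches() {
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Args: SSLCertificateFile, SSLCertificateKeyFile, CA bundle, expected name.
# Prints one verdict: wrong-cert, key-mismatch, chain-fail or ok.
check_vhost_files() {
    cn=$(cert_cn "$1")
    if [ "$cn" != "$4" ]; then
        echo "wrong-cert: CN '$cn' is not '$4'"
    elif ! pair_matches "$1" "$2"; then
        echo "key-mismatch"
    elif ! openssl verify -CAfile "$3" "$1" >/dev/null 2>&1; then
        echo "chain-fail"
    else
        echo "ok"
    fi
}

# Constructed sample material: a throwaway CA and a certificate it signs
# for hub.company.com, written to directory $1.
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=hub.company.com" \
        -keyout "$1/hub.key" -out "$1/hub.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/hub.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/hub.crt" 2>/dev/null
}

# Demo on the constructed files: a correct set, then the CA certificate
# placed where the server certificate belongs.
d=$(mktemp -d) && make_samples "$d" &&
check_vhost_files "$d/hub.crt" "$d/hub.key" "$d/ca.crt" hub.company.com
check_vhost_files "$d/ca.crt" "$d/hub.key" "$d/ca.crt" hub.company.com
```

Against a real vhost, pass the three paths from the SSLCertificateFile, SSLCertificateKeyFile and CA bundle directives plus the name clients connect to.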