httpd-users mailing list archives

From "Dan Mahoney, System Admin" <d...@prime.gushi.org>
Subject [users@httpd] Certificate Bug
Date Wed, 18 Dec 2013 08:09:46 GMT
All,

We're in the process of spinning off our support department from one 
domain to another.  This seemed simple enough, but the SSL is challenging.

I'd like to ask about a weird certificate bug that I've encountered.  The 
issue is pretty basic -- I have an SSL cert with support.newdomain.com 
configured, and support.originaldomain.com configured as the 
CertificateAltName.

In httpd.conf I have:

ServerName support.originaldomain.com
ServerAlias support.newdomain.com

The cert was bought from Comodo today.  Everything works as is, but for 
various reasons we'd like the *new* name to be the ServerName.

When I reverse those two lines, to be:

ServerName support.newdomain.com
ServerAlias support.originaldomain.com

Apache refuses to start, with this error:

[Wed Dec 18 06:58:28 2013] [warn] RSA server certificate is a CA 
certificate (BasicConstraints: CA == TRUE !?)
[Wed Dec 18 06:58:28 2013] [warn] RSA server certificate CommonName (CN) 
`COMODO SSL CA' does NOT match server name!?
[Wed Dec 18 06:58:28 2013] [error] Unable to configure RSA server private 
key
[Wed Dec 18 06:58:28 2013] [error] SSL Library Error: 185073780 
error:0B080074:x509 certificate routines:X509_check_private_key:key values 
mismatch

Note that I *thought* this was because I was using a unified cert/key/CA 
file -- but even when I broke things out to separate 
CertificateKeyFile/CertificateChainFile/SSLCertificateFile lines, I get 
this error.

The only thing I can assume is still being done here is that the RDNS of 
the configured IP points at the (and there are two, ipv4 and ipv6, so I'm 
not sure how this determination works).  I'm also not sure why DNS is 
relied on when I'm explicitly specifying the ServerName in httpd.conf.

Adding NameVirtualHost blocks for the ip:port pairs in question didn't 
help, for what it's worth.

Also, I don't think this is about SNI -- there's only ONE certificate that 
should be served for any connection to a given ip/port pair, and SNI is 
about using multiple certs.

Finally, I've searched for this a lot, and it leads to a lot of people 
trying to suggest people are using the wrong type of cert (I'm not.  If I 
were, I wouldn't be able to trigger this by reversing 
servername/serveralias).

http://www.question-defense.com/2008/10/26/rsa-server-certificate-is-a-ca-certificate-basicconstraints-ca-true

http://serverfault.com/questions/472390/cant-make-httpd-use-correct-ssl 
also seems to be along the right lines, but I've been doing this for a 
long time and I'm sure all is right.  Remember, things *break* when I set 
ServerName to the CommonName of the cert.

Unfortunately, reproducing this issue requires buying a $150 cert, and I 
can't upload my certs to a bug tracker, but I'd be happy to try anything 
anyone suggests.

-Dan

-- 

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
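An added check script, not from this thread or from the Apache project: mod_ssl treats the first certificate it finds in SSLCertificateFile as the server certificate, and the three warnings quoted above (BasicConstraints CA == TRUE, a CN of `COMODO SSL CA', and the X509_check_private_key mismatch) are exactly what that produces when the first certificate in the file is the CA rather than the leaf. The script assumes a POSIX shell and the openssl command line, and reports those three conditions for a bundle, a private key and the intended ServerName.

```shell
#!/bin/sh
# check_bundle.sh (constructed example, not from the thread): look at a PEM
# bundle the way mod_ssl does. mod_ssl takes the FIRST certificate found in
# SSLCertificateFile as the server certificate, so a CA-first ordering gives
# exactly BasicConstraints CA == TRUE, the CA's CN, and a key mismatch.

# Print the first PEM certificate in a file (private-key blocks are skipped).
first_cert() {
  openssl x509 -in "$1" 2>/dev/null
}

# Succeeds if the first certificate carries BasicConstraints CA:TRUE.
first_cert_is_ca() {
  first_cert "$1" | openssl x509 -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Succeeds if the private key in $2 belongs to the first certificate in $1
# (what X509_check_private_key tests), by comparing the public keys.
key_matches_first_cert() {
  cert_pub=$(first_cert "$1" | openssl x509 -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the first certificate names $2 as a DNS SAN or as the Subject
# CN (the CN is what the "does NOT match server name" warning compares).
first_cert_covers_name() {
  txt=$(first_cert "$1" | openssl x509 -noout -text 2>/dev/null)
  printf '%s\n' "$txt" | grep -Eq "DNS:$2(,|\$)" && return 0
  printf '%s\n' "$txt" | grep -E '^ *Subject:' | grep -Eq "CN ?= ?$2(,|/|\$)"
}

# Report for a bundle, its private key and the intended ServerName.
check_bundle() {
  first_cert_is_ca "$1" && echo "FAIL: first cert in $1 is a CA cert; put the server cert first" \
    || echo "ok:   first cert in $1 is an end-entity cert"
  key_matches_first_cert "$1" "$2" && echo "ok:   $2 matches the first cert" \
    || echo "FAIL: $2 does not match the first cert (key values mismatch)"
  first_cert_covers_name "$1" "$3" && echo "ok:   first cert covers $3" \
    || echo "FAIL: neither Subject CN nor SAN of the first cert names $3"
}

# Usage: sh check_bundle.sh bundle.pem server.key support.newdomain.com
if [ $# -eq 3 ]; then
  check_bundle "$1" "$2" "$3"
fi
```

Running it against the unified file and against the split-out files with the same key shows whether the leaf or the CA is sitting first in each.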