httpd-users mailing list archives
From "Dan Mahoney, System Admin" <>
Subject [users@httpd] Certificate Bug
Date Wed, 18 Dec 2013 08:09:46 GMT

We're in the process of spinning off our support department from one 
domain to another.  This seemed simple enough, but the SSL is challenging.

I'd like to ask about a weird certificate bug that I've encountered.  The 
issue is pretty basic -- I have an SSL cert with 
configured, and configured as the 

In httpd.conf I have:


The cert was bought from Comodo today.  Everything works as is, but for 
various reasons we'd like the *new* name to be the ServerName.

When I reverse those two lines, to be:


Apache refuses to start, with this error:

[Wed Dec 18 06:58:28 2013] [warn] RSA server certificate is a CA 
certificate (BasicConstraints: CA == TRUE !?)
[Wed Dec 18 06:58:28 2013] [warn] RSA server certificate CommonName (CN) 
`COMODO SSL CA' does NOT match server name!?
[Wed Dec 18 06:58:28 2013] [error] Unable to configure RSA server private 
[Wed Dec 18 06:58:28 2013] [error] SSL Library Error: 185073780 
error:0B080074:x509 certificate routines:X509_check_private_key:key values 

Note that I *thought* this was because I was using a unified cert/key/CA 
file -- but even when I broke things out to separate 
CertificateKeyFile/CertificateChainFile/SSLCertificateFile lines, I get 
this error.

The only thing I can assume is still being done here is that the RDNS of 
the configured IP points at the (and there are two, ipv4 and ipv6, so I'm 
not sure how this determination works).  I'm also not sure why DNS is 
relied on when I'm explicitly specifying the ServerName in httpd.conf.

Adding NameVirtualHost blocks for the ip:port pairs in question didn't 
help, for what it's worth.

Also, I don't think this is about SNI -- there's only ONE certificate that 
should be served for any connection to a given ip/port pair, and SNI is 
about using multiple certs.

Finally, I've searched for this a lot, and it leads to a lot of people 
trying to suggest people are using the wrong type of cert (I'm not.  If I 
were, I wouldn't be able to trigger this by reversing 
also seems to be along the right lines, but I've been doing this for a 
long time and I'm sure all is right.  Remember, things *break* when I set 
ServerName to the CommonName of the cert.

Unfortunately, reproducing this issue requires buying a $150 cert, and I 
can't upload my certs to a bug tracker, but I'd be happy to try anything 
anyone suggests.



--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
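One way to reproduce mod_ssl's two complaints locally, as an added example that is not code from the original post: it inspects only the first PEM certificate in a file (the one SSLCertificateFile hands to the server) for the CA:TRUE BasicConstraints, checks that the private key belongs to that certificate (what X509_check_private_key does), and optionally checks whether the certificate covers the ServerName. It assumes the openssl CLI (1.1.1 or later) and builds constructed throw-away self-signed certificates for the demonstration; www.example.test and "Test CA" are placeholders, not the poster's Comodo certificate.

```shell
# Added diagnostic (not from the original post): the checks behind the two
# mod_ssl warnings, run on the FIRST certificate in the file. openssl >= 1.1.1.
# check_server_cert CERT KEY [SERVERNAME]  -> 0 if all checks pass, else 1
check_server_cert() {
    cert=$1 key=$2 name=$3 rc=0
    # Isolate the first certificate so a bundled chain cannot mask it.
    first=$(awk '/BEGIN CERTIFICATE/{p=1} p{print} /END CERTIFICATE/{exit}' "$cert")
    # 1. "RSA server certificate is a CA certificate": BasicConstraints CA:TRUE
    if printf '%s\n' "$first" | openssl x509 -noout -text | grep -q 'CA:TRUE'; then
        echo "$cert: first certificate is a CA certificate (CA:TRUE)"; rc=1
    fi
    # 2. X509_check_private_key: the key's public half must equal the cert's
    cpub=$(printf '%s\n' "$first" | openssl x509 -noout -pubkey | openssl sha256)
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ -z "$cpub" ] || [ "$cpub" != "$kpub" ]; then
        echo "$key: private key does not match the first certificate in $cert"; rc=1
    fi
    # 3. "CommonName does NOT match server name": does the cert cover ServerName?
    if [ -n "$name" ] && printf '%s\n' "$first" |
            openssl x509 -noout -checkhost "$name" | grep -q 'NOT match'; then
        echo "$cert: certificate does not cover ServerName $name"; rc=1
    fi
    return $rc
}
# Constructed test material (throw-away, self-signed): a CA certificate standing
# in for the bundled intermediate, plus a server certificate; prints the directory.
make_test_material() {
    dir=$(mktemp -d)
    cat > "$dir/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
[srv_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF
    for t in ca srv; do
        [ "$t" = ca ] && cn="Test CA" || cn="www.example.test"
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
            -config "$dir/req.cnf" -extensions "${t}_ext" \
            -keyout "$dir/$t.key" -out "$dir/$t.crt" 2>/dev/null
    done
    echo "$dir"
}
```

Running `check_server_cert` on a unified file whose first block is the CA certificate fails both checks 1 and 2, which is exactly the pair of warnings in the log above; with the server certificate first it passes.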
