All,We're in the process of spinning off our support department from one domain to another. This seemed simple enough, but the SSL is challenging.
I'd like to ask about a weird certificate bug that I've encountered. The issue is pretty basic -- I have an SSL cert with support.newdomain.com configured, and support.originaldomain.com configured as the CertificateAltName.
In httpd.conf I have: ServerName support.originaldomain.com ServerAlias support.newdomain.comThe cert was bought from Comodo today. Everything works as is, but for various reasons we'd like the *new* name to be the ServerName.
When I reverse those two lines, to be: ServerName support.newdomain.com ServerAlias support.originaldomain.com Apache refuses to start, with this error:[Wed Dec 18 06:58:28 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Wed Dec 18 06:58:28 2013] [warn] RSA server certificate CommonName (CN) `COMODO SSL CA' does NOT match server name!? [Wed Dec 18 06:58:28 2013] [error] Unable to configure RSA server private key [Wed Dec 18 06:58:28 2013] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Note that I *thought* this was because I was using a unified cert/key/CA file -- but even when I broke things out to separate CertificateKeyFile/CertificateChainFile/SSLCertificateFile lines, I get this error.
The only thing I can assume is still being done here is that the RDNS of the configured IP points at the (and there are two, ipv4 and ipv6, so I'm not sure how this determination works). I'm also not sure why DNS is relied on when I'm explicitly specifying the ServerName in httpd.conf.
Adding NameVirtualHost blocks for the ip:port pairs in question didn't help, for what it's worth.
Also, I don't think this is about SNI -- there's only ONE certificate that should be served for any connection to a given ip/port pair, and SNI is about using multiple certs.
Finally, I've searched for this a lot, and it leads to a lot of people trying to suggest people are using the wrong type of cert (I'm not. If I were, I wouldn't be able to trigger this by reversing servername/serveralias)
http://www.question-defense.com/2008/10/26/rsa-server-certificate-is-a-ca-certificate-basicconstraints-ca-truehttp://serverfault.com/questions/472390/cant-make-httpd-use-correct-ssl also seems to be along the right lines, but I've been doing this for a long time and I'm sure all is right. Remember, things *break* when I set ServerName to the CommonName of the cert.
Unfortunately, reproducing this issue requires buying a $150 cert, and I can't upload my certs to a bug tracker, but I'd be happy to try anything anyone suggests.
-Dan -- --------Dan Mahoney-------- Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --------------------------- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx