Monday, July 16, 2018

ssl - Apache won't start with new certificate



Hi, I'm trying to renew my SSL certificate, and Apache refuses to start when I change the paths to the new certificate file. I'm running Apache 2.2 on CentOS 6.6.

When I try to start Apache, this is in /var/log/httpd/ssl_error_log:

[Sun Dec 07 20:00:29 2014] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Dec 07 20:00:29 2014] [warn] RSA server certificate CommonName (CN) `proposify' does NOT match server name!?


It's a wildcard certificate for *.domain.com (same as before). What am I doing wrong?



Thanks!



Edit:

One thing I noticed is that the new private key has more info at the top, and the old one just has the key. Should I remove the info so the actual key starts under -----BEGIN RSA PRIVATE KEY-----?

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: NUMBER,NUMBER

... long string of numbers/chars ....


The original files were in:

/etc/httpd/conf.d/ssl/domain.com

The new files are in:

/etc/httpd/conf.d/ssl/domain

So in my VHOST all I'm doing is removing the ".com" in the key, certificate, and chainfile entries. The private key, certificate, and intermediate certificate all have the same names as before. I ran cat on them all to confirm they have the correct contents.


Answer

... to renew my SSL certificate ...

[warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[warn] RSA server certificate CommonName (CN) `proposify' does NOT match server name!?

It's a wildcard certificate for *.domain.com (same as before). What am I doing wrong?

Your statements do not match the error messages. Since you are renewing, the certificate is probably not self-signed, so it should not be a CA certificate as shown by the warning message. Also, the second warning shows that the certificate does not seem to match the hostname.

Please check the contents of your certificate files with openssl x509 -text or similar tools.
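The checks the answer points at, as an added example that is not part of the original question or answer: a POSIX shell script that builds a constructed self-signed CA and a wildcard server certificate issued by it in a temporary directory, then tests the things behind the two mod_ssl warnings and the edit about the key header: whether a file is a CA certificate (X509v3 Basic Constraints CA:TRUE), whether it covers the vhost's host name, whether the PEM key is passphrase-protected (the Proc-Type: 4,ENCRYPTED header in the question, or a PKCS#8 ENCRYPTED PRIVATE KEY block on newer OpenSSL), and whether the key actually belongs to the certificate. The file names, the CA name `proposify`, the host names and the passphrase `secret` are assumptions; it needs the openssl CLI (1.1 or later).

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Reproduces the checks behind "openssl x509 -text" for the two mod_ssl warnings
# and for the encrypted-key question. Needs the openssl CLI (1.1 or later).

# Exit 0 if the certificate carries CA:TRUE in X509v3 Basic Constraints,
# i.e. it is a CA/intermediate certificate, not a server certificate.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Exit 0 if the certificate's SAN/CN covers the given host name
# (wildcards such as *.domain.com are honoured by -checkhost).
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Exit 0 if the PEM key is passphrase-protected: either the traditional
# "Proc-Type: 4,ENCRYPTED" header or a PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY".
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Exit 0 if the RSA key and certificate share a modulus, i.e. they are a pair.
# Optional third argument: passphrase for an encrypted key.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus ${3:+-passin pass:$3} 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed fixtures (assumption: names and passphrase are made up): a
# self-signed CA named "proposify" and a wildcard server certificate it issues.
# Prints the temp directory holding ca.crt, ca.key, leaf.crt, leaf.key, leaf-enc.key.
make_fixtures() {
    d=$(mktemp -d)
    # own req config so the run does not depend on the system openssl.cnf
    cat >"$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:*.domain.com, DNS:domain.com
EOF
    openssl req -x509 -config "$d/req.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -days 1 -subj '/CN=proposify' -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=*.domain.com' -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -days 1 -extfile "$d/req.cnf" -extensions leaf_ext -out "$d/leaf.crt" >/dev/null 2>&1
    # passphrase-protected copy of the server key, like the one in the question
    openssl rsa -in "$d/leaf.key" -aes256 -passout pass:secret -out "$d/leaf-enc.key" >/dev/null 2>&1
    echo "$d"
}

# Report on the certificate and key a vhost names, for one host name.
report() {
    cert=$1; key=$2; host=$3
    if cert_is_ca "$cert"; then
        echo "$cert: CA certificate -> belongs in SSLCertificateChainFile, not SSLCertificateFile"
    else
        echo "$cert: end-entity certificate"
    fi
    cert_matches_host "$cert" "$host" && echo "$cert: covers $host" || echo "$cert: does NOT cover $host"
    key_is_encrypted "$key" && echo "$key: passphrase-protected (mod_ssl will ask for it at startup)"
    key_matches_cert "$key" "$cert" "$4" && echo "$key: matches $cert" || echo "$key: does NOT match $cert"
}

D=$(make_fixtures)
report "$D/ca.crt"   "$D/leaf.key"     www.domain.com          # the mistaken file
report "$D/leaf.crt" "$D/leaf-enc.key" www.domain.com secret   # the correct pair
```

On a real server, run `cert_is_ca` against the file named in SSLCertificateFile: CA:TRUE there means the path points at the intermediate or root that belongs in SSLCertificateChainFile, which is exactly what the first warning says, and the CN in the second warning is then that CA's name rather than the wildcard. An encrypted key is not something to strip headers from; mod_ssl reads it as-is and asks for the passphrase at startup (SSLPassPhraseDialog), which blocks a non-interactive service start, so either keep the key unencrypted with tight file permissions or configure a passphrase source.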

