Domain Name Mismatch
on 14.01.2005 17:17:59 by scott_haskell
Greetings All,
After much scouring of the web (modssl mailing list archives,
newsgroups, websites) I can't seem to find a resolution to my problem.
I've built apache_1.3.33, mod_ssl-2.8.22-1.3.33 and mm-1.3.1 as per the
modssl INSTALL doc, section b (the flexible APACI-only way). Modssl is
built and loaded as a DSO. I have a Verisign global certificate that
I've installed, along with the appropriate intermediate certificate
(SSLCertificateChainFile). I have also installed the root CA certs as
well (SSLCACertificateFile).
Here is my problem. When I navigate to the site (FQDN, not IP), via a
browser (IE, Firefox, Mozilla...), I get a Domain Name Mismatch error
reported by the browser. When I view the certificate, it shows that the
CN matches the FQDN of the website, exactly. The website is
www.myhost.domain.com and the CN that I used to create the cert is also
www.myhost.domain.com. There is no mismatch between the FQDN of the site
and the CN in the cert, yet the browser thinks there is. I can do a
forward and reverse lookup on the FQDN and its corresponding IP and
both are correct, so this leads me to believe it's not a DNS issue. I
viewed the cert in IE and checked the certificate path (3rd tab). The
certificate status of all three certs (root, intermediate and my cert)
is reported as 'OK'. The intermediate and root CAs also load with no
errors (verified in the ssl_engine_log). This leads me to believe it's
not a chaining problem. I've also tried creating and signing my own cert
for testing purposes and I have the same issue, so that leads me to
believe it's not a cert issue. I've also verified the csr, cert and key
and they all match up.
I'm at a loss here, so any help would be greatly appreciated. From all
my research and what I've read, my error should really only stem from
not using the FQDN of the site when creating the csr, but this is not
the case. I quadruple checked it and I've created test certs as well,
with the same results. Has anyone had a similar problem? Any suggestions
on apache server config? I've even tried it with the most basic SSL
options enabled in my httpd.conf file that would allow the hosting of an
SSL enabled site. Thanks for your time and suggestions!
Regards,
Scott Haskell
Solaris SA, Merrill Lynch Pro, San Francisco
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
Re: Domain Name Mismatch
on 14.01.2005 18:14:33 by Ihor Bilyy
What is your ServerName in apache/ssl .conf file?
-i-
RE: Domain Name Mismatch
on 20.01.2005 19:08:03 by scott_haskell
Just a follow-up in case anyone was interested in my problem. I contacted
Verisign and we came to the conclusion that the web browser was
complaining due to an alternate CN that was added to the certificate.
The Verisign employee told me that although it's well within the x509
standards to use alternates in certificates, browsers seem to complain
about them a lot. So beware if you plan on using an alternate name on
your certificate, it may give you a domain name mismatch error.
Scott
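Added example (not part of the original thread, and not mod_ssl or browser code): a sketch of the host name check in RFC 2818 section 3.1, showing how a certificate whose CN equals the site's FQDN can still fail once an alternate name is present. It assumes the "alternate" name in the follow-up was a subjectAltName dNSName entry that did not include the FQDN; the alternate name `myhost.domain.com` and all function names are constructed for illustration.

```python
# Added example, not code from the thread. Certificates are plain dicts in the
# shape returned by ssl.SSLSocket.getpeercert(); all sample values are constructed.


def dns_name_matches(pattern, host):
    """Case-insensitive DNS name comparison; '*' may stand for the whole
    leftmost label only (a conservative reading of the wildcard rule)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two fixed labels so "*.com" never matches.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def names_for_verification(cert):
    """RFC 2818 section 3.1: dNSName entries, when present, are the identity;
    the subject CN is consulted only when there are none."""
    san_dns = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        return "subjectAltName", san_dns
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn
           if k == "commonName"]
    return "commonName", cns[-1:]  # most specific CN


def check_host(cert, host):
    """Return (matched, field consulted, names compared) for one certificate."""
    source, names = names_for_verification(cert)
    return any(dns_name_matches(n, host) for n in names), source, names


HOST = "www.myhost.domain.com"  # FQDN used in the thread
SUBJECT = ((("commonName", HOST),),)

# CN only: the CN is compared and matches.
CERT_CN_ONLY = {"subject": SUBJECT}
# Same CN plus an alternate name that omits the FQDN (assumed case): mismatch.
CERT_WITH_ALT = {"subject": SUBJECT,
                 "subjectAltName": (("DNS", "myhost.domain.com"),)}
# Corrected: every name the site is served under is listed as a dNSName.
CERT_FIXED = {"subject": SUBJECT,
              "subjectAltName": (("DNS", HOST), ("DNS", "myhost.domain.com"))}

if __name__ == "__main__":
    for label, cert in [("CN only", CERT_CN_ONLY),
                        ("CN + other alt name", CERT_WITH_ALT),
                        ("alt names include FQDN", CERT_FIXED)]:
        ok, source, names = check_host(cert, HOST)
        print(f"{label:24} checked {source}: {names} -> "
              f"{'match' if ok else 'MISMATCH'}")
```

When requesting a certificate with alternate names, list the site's own FQDN among them; a matching CN alone is not consulted once any dNSName entry exists.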