[warn] RSA server certificate CommonName (CN) `yin.*" does NOT match server name!?

Hello all,

I am trying to setup my server (apache 2.0.43, opensl 0.9.6g on RedHat
7.1).

I have created a SSL server certificate using a self-made CA, and am
sure that
the Common Name in the Server Certificate und ServerName in http.conf
file are
the same "yin.fokus.gmd.de", which is identical with the host address.

I now start apache with "apachect1 startssl"and get the following message
in error_log file, but no errors in the console
---->
[Wed Jan 29 08:34:02 2003] [warn] RSA server certificate CommonName (CN)
`yin.fokus.gmd.de' does NOT match server name!?
[Wed Jan 29 08:34:03 2003] [notice] Digest: generating secret for digest
authentication ...
[Wed Jan 29 08:34:03 2003] [notice] Digest: done
[Wed Jan 29 08:34:04 2003] [warn] RSA server certificate CommonName (CN)
`yin.fokus.gmd.de' does NOT match server name!?
[Wed Jan 29 08:34:05 2003] [notice] Apache/2.0.43 (Unix) mod_ssl/2.0.43
OpenSSL/0.9.6g DAV/2 configured
-- resuming normal operations
<---

if I try and access the secure site (https://yin.fokus.gmd.de) I get the
following error message in browser
(but I can start the normal site http://yin.fokus.gmd.de):
------>
The server's certificate has an invalid signature. You will not be able
to connect to this site securely.
<------

Thanks a lot for any helps.

Best Regards,
Aihong Yin.




--







____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: [warn] RSA server certificate CommonName (CN) `yin.*" does NOT match server name!?

>-----Original Message-----
>From: Aihong Yin [mailto:yin@fokus.fraunhofer.de]
>Sent: Mittwoch, 29. Januar 2003 11:00
>To: modssl-users@modssl.org
>Subject: [warn] RSA server certificate CommonName (CN) `yin.*' does NOT
>match server name!?
>
>
>Hello all,
>
>I am trying to setup my server (apache 2.0.43, opensl 0.9.6g on RedHat
>7.1).
>
>I have created a SSL server certificate using a self-made CA, and am
>sure that
>the Common Name in the Server Certificate und ServerName in http.conf
>file are
>the same "yin.fokus.gmd.de", which is identical with the host address.

Really? Are you sure you have the line:

ServerName yin.fokus.gmd.de

in the SSL VH config?

If so, are you sure the certificate's common name is yin.fokus.gmd.de?
Don't just say "Yes", check it with:

openssl x509 -subject -in /path/to/cert

then see what "CN=" is set to.

>
>I now start apache with "apachect1 startssl"and get the
>following message
>in error_log file, but no errors in the console
>---->
>[Wed Jan 29 08:34:02 2003] [warn] RSA server certificate
>CommonName (CN)
> `yin.fokus.gmd.de' does NOT match server name!?
>[Wed Jan 29 08:34:03 2003] [notice] Digest: generating secret
>for digest
>authentication ...
>[Wed Jan 29 08:34:03 2003] [notice] Digest: done
>[Wed Jan 29 08:34:04 2003] [warn] RSA server certificate
>CommonName (CN)
>`yin.fokus.gmd.de' does NOT match server name!?
>[Wed Jan 29 08:34:05 2003] [notice] Apache/2.0.43 (Unix)
>mod_ssl/2.0.43
>OpenSSL/0.9.6g DAV/2 configured
>-- resuming normal operations
><---
>
>if I try and access the secure site (https://yin.fokus.gmd.de)
>I get the
>following error message in browser
> (but I can start the normal site http://yin.fokus.gmd.de):
>------>
>The server's certificate has an invalid signature. You will
>not be able
>to connect to this site securely.
><------

Your domain name is not in public DNS so I suppose you do this locally.
Anyway, I suppose it means that the browser cannot verify the
certificate authority who signed the cert. If it is self-signed, that is
hardly suprising. It should, however, allow you in if you just clikc
"OK" anyway.

Rgds,

Owen Boyle

>
>Thanks a lot for any helps.
>
>Best Regards,
>Aihong Yin.
>
>
>
>
>--
>
>
>
>
>
>
>
>___________________________________________________________ ___________
>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>User Support Mailing List modssl-users@modssl.org
>Automated List Manager majordomo@modssl.org
>

This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this message in error, please notify the sender urgently
and then immediately delete the message and any copies of it from your
system. Please also immediately destroy any hardcopies of the message.
You must not, directly or indirectly, use, disclose, distribute, print,
or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail
communications through their networks. Any views expressed in this
message are those of the individual sender, except where the message
states otherwise and the sender is authorised to state them to be the
views of the sender's company.
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: [warn] RSA server certificate CommonName (CN) `yin.*" does NOT match server name!?

On Wed, Jan 29, 2003 at 11:00:05AM +0100, Aihong Yin wrote:
> Hello all,
>
> I am trying to setup my server (apache 2.0.43, opensl 0.9.6g on RedHat
> 7.1).
>
> I have created a SSL server certificate using a self-made CA, and am
> sure that
> the Common Name in the Server Certificate und ServerName in http.conf
> file are
> the same "yin.fokus.gmd.de", which is identical with the host address.
>
From the error message in the subject, it would appear that you have set CN to
yin.* and not yin.fokus.gmd.de. Use openssl to verify the problem:

openssl x509 -noout -text -in server.crt

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: [warn] RSA server certificate CommonName (CN) `yin.fokus.gmd.de" does NOT match server name!?

--------------050402040403090202090501
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Hello Owen and Toftum,

thanks for your mail.

>>Hello all,
>>
>>I am trying to setup my server (apache 2.0.43, opensl 0.9.6g on RedHat
>>7.1).
>>
>>I have created a SSL server certificate using a self-made CA, and am
>>sure that
>>the Common Name in the Server Certificate und ServerName in http.conf
>>file are
>>the same "yin.fokus.gmd.de", which is identical with the host address.
>>
>
>Really? Are you sure you have the line:
>
> ServerName yin.fokus.gmd.de
>
>in the SSL VH config?
>
Do you mean that I should configure VirtualHost in the http.conf file?
But I think the Virtual Host is used for the case
of more than one web site running on a single machine. Is this correct?
On my Laptop there is only one web site "yin.fokus.gmd.de".
I now have tried to configure VirtualHost and it is the same error.

>If so, are you sure the certificate's common name is yin.fokus.gmd.de?
>Don't just say "Yes", check it with:
>
> openssl x509 -subject -in /path/to/cert
>
>then see what "CN=" is set to.
>

I have checked it and They are the same ("CN=" is set to "yin.fokus.gmd.de).

>
>
>>I now start apache with "apachect1 startssl"and get the
>>following message
>>in error_log file, but no errors in the console
>>---->
>>[Wed Jan 29 08:34:02 2003] [warn] RSA server certificate
>>CommonName (CN)
>>`yin.fokus.gmd.de' does NOT match server name!?
>>[Wed Jan 29 08:34:03 2003] [notice] Digest: generating secret
>>for digest
>>authentication ...
>>[Wed Jan 29 08:34:03 2003] [notice] Digest: done
>>[Wed Jan 29 08:34:04 2003] [warn] RSA server certificate
>>CommonName (CN)
>>`yin.fokus.gmd.de' does NOT match server name!?
>>[Wed Jan 29 08:34:05 2003] [notice] Apache/2.0.43 (Unix)
>>mod_ssl/2.0.43
>>OpenSSL/0.9.6g DAV/2 configured
>>-- resuming normal operations
>><---
>>
>>if I try and access the secure site (https://yin.fokus.gmd.de)
>>I get the
>>following error message in browser
>>(but I can start the normal site http://yin.fokus.gmd.de):
>>------>
>>The server's certificate has an invalid signature. You will
>>not be able
>>to connect to this site securely.
>><------
>>
>
>Your domain name is not in public DNS so I suppose you do this locally.
>
You are right. I try this on my laptop for our future projekt. Shoud I
use the IP address and not host name in the server certificate?
but it is changed frequently.

Best Regards,

Aihong Yin.









--------------050402040403090202090501
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit





Hello Owen and Toftum,



thanks for your mail.

Hello all,

I am trying to setup my server (apache 2.0.43, opensl 0.9.6g on RedHat 
7.1).

I have created a SSL server certificate using a self-made CA, and am 
sure that
the Common Name in the Server Certificate und ServerName in http.conf 
file are
the same "yin.fokus.gmd.de", which is identical with the host address.

Really? Are you sure you have the line:

	ServerName yin.fokus.gmd.de

in the SSL VH config?

If so, are you sure the certificate's common name is yin.fokus.gmd.de?
Don't just say "Yes", check it with:

	openssl x509 -subject -in /path/to/cert

then see what "CN=" is set to.

I now start apache with "apachect1 startssl"and get the 
following message
in error_log file, but no errors in the console
---->
[Wed Jan 29 08:34:02 2003] [warn] RSA server certificate 
CommonName (CN)
`yin.fokus.gmd.de' does NOT match server name!?
[Wed Jan 29 08:34:03 2003] [notice] Digest: generating secret 
for digest 
authentication ...
[Wed Jan 29 08:34:03 2003] [notice] Digest: done
[Wed Jan 29 08:34:04 2003] [warn] RSA server certificate 
CommonName (CN)
`yin.fokus.gmd.de' does NOT match server name!?
[Wed Jan 29 08:34:05 2003] [notice] Apache/2.0.43 (Unix) 
mod_ssl/2.0.43 
OpenSSL/0.9.6g DAV/2 configured
-- resuming normal operations
<---

if I try and access the secure site () 
I get the 
following error message in browser
(but I can start the normal site http://yin.fokus.gmd.de):
------>
The server's certificate has an invalid signature. You will 
not be able 
to connect to this site securely.
<------

Your domain name is not in public DNS so I suppose you do this locally.

Re: [warn] RSA server certificate CommonName (CN) `yin.*" does NOT match server name!?

Hello Owen,

After I have set ServerName in the ssl.conf file to "yin.fokus.gmd.de",
this error "[warn] RSA server certificate CommonName (CN)
`yin.fokus.gmd.de' does NOT match server name!?"does not exist in file
error_log.
It seems that I can start HTTP secure server ... ( I think that I have
misunderstood your first mail below, I have only changed the ServerName
in the file httpd.conf.)

But now when I type "https://yin.fokus.gmd.de" in my browser, and I got
the error message in Browser .
------>

The server's certificate has an invalid signature.
You will not be able to connect to this site securely.
<------

The following is the massage in error_log file.
---->
[Thu Jan 30 10:08:50 2003] [notice] Digest: generating secret for digest
authentication ...
[Thu Jan 30 10:08:50 2003] [notice] Digest: done
[Thu Jan 30 10:08:52 2003] [notice] Apache/2.0.43 (Unix) mod_ssl/2.0.43
OpenSSL/0.9.6g DAV/2 configured -- resuming normal operations
[Thu Jan 30 10:09:11 2003] [error] SSL handshake failed (server
yin.fokus.gmd.de:443, client 195.37.78.101)
[Thu Jan 30 10:09:11 2003] [error] SSL Library Error: 336151570
error:14094412:lib(20):func(148):reason(1042)
<----

Thanks for any help.

Best regards,
Aihong Yin.

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org