Topic: Typo when I created SSL Cert. How to fix?

mewbie



Joined: 23 May 2009
Posts: 25

Posted: Mon 08 Jun '09 2:12

using: Linux Debian / apache2-mpm-prefork 2.2.9-10+lenny2
Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0

I must have made a typo when creating my ssl-cert as I have this error in logs:
[Sun Jun 07 18:16:44 2009] [warn] RSA server certificate CommonName (CN) `lomysite.com' does NOT match server name!?

And on my saved cert in firefox it says lomysite.com

the 'lo' shouldn't be there, maybe it said localhost and I didn't clear it when making cert. This is how I made the cert:
mkdir /etc/apache2/ssl
/usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem

Thank you so much for your time

James Blond
Moderator

Joined: 19 Jan 2006
Posts: 7355
Location: Germany, Next to Hamburg

Posted: Mon 08 Jun '09 10:04

I never worked with /usr/sbin/make-ssl-cert. Did you edit the ssleay.cnf? And edit subjectAltName for your needs?

mewbie

Joined: 23 May 2009
Posts: 25

Posted: Mon 08 Jun '09 14:19

Thank you James Blond.
Quote:
Did you edit the ssleay.cnf ? And edit subjectAltName for your needs?

I only did those steps above, which prompted me to enter info like my host address. I didn't know how to maneuver in that window very well, so that's why I thought I must have typed wrong or didn't clear localhost fully when I typed in my mysite.com, hit ok, it exited.. and that was that.

SSL https is working. I'm just thinking I should fix this to prevent possible future problems.. (like I'm having with AjaxTerm, maybe this is affecting it).

I think this where I got the info to do those commands:
http://ubuntuforums.org/archive/index.php/t-405786.html

When I try to repeat the steps (hoping I can fix it) I get permission denied.

Out of curiosity after your question I took a look at the
/usr/share/ssl-cert/ssleay.cnf file and it has this only:

#
# SSLeay example configuration file.
#

RANDFILE = /dev/urandom

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
prompt = no
policy = policy_anything

[ req_distinguished_name ]
commonName = @HostName@

James Blond
Moderator

Joined: 19 Jan 2006
Posts: 7355
Location: Germany, Next to Hamburg

Posted: Tue 09 Jun '09 9:52

Mine is much longer. I had to edit

Code:

[ v3_ca ]
subjectAltName =


I posted it at http://pastebin.com/md66a33a

my build command under windows

Code:

@echo off
set OPENSSL_CONF=./bin/openssl.cnf

if not exist .\conf\ssl.crt mkdir .\conf\ssl.crt
if not exist .\conf\ssl.key mkdir .\conf\ssl.key

bin\openssl req -new -out server.csr
bin\openssl rsa -in privkey.pem -out server.key
bin\openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365

set OPENSSL_CONF=
REM del .rnd
REM del privkey.pem
REM del server.csr

REM move /y server.crt .\conf\ssl.crt
REM move /y server.key .\conf\ssl.key

echo.
echo -----
echo Das Zertifikat wurde erstellt.
echo The certificate was provided.
echo.
pause

mewbie

Joined: 23 May 2009
Posts: 25

Posted: Fri 12 Jun '09 4:43

Thank you JamesBlond for your reply.
Though I still don't understand how to edit change my host name to be correct as it's not listed in that file (/usr/share/ssl-cert/ssleay.cnf) nor is the line:
Quote:
[ v3_ca ]
subjectAltName =


It's not reading that mistake from there as the lomysite.com is not on that file - I pasted the unedited complete file above.

SSL is working, it's just error about not matching host name which I'm sure is because of the lomysite.com .


Thank you again
driving me crazy how to fix this.. just soooo many files/directories/confusion and seems everyone's is just a little bit different :p

glsmith
Moderator

Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

Posted: Fri 12 Jun '09 8:32

If this is just a self signed .. wouldn't it be easier to just make a new one?

mewbie

Joined: 23 May 2009
Posts: 25

Posted: Sat 13 Jun '09 7:42

Thx glsmith. I thought so too. So I tried to do the same cmd's as I originally used to create it, but I was denied permission. I thought to try another method but then thought:
1. The error might still be there since different method and more problems
2. & Why can't I just edit that

mewbie

Joined: 23 May 2009
Posts: 25

Posted: Sat 27 Jun '09 16:11

Solved it, was easy.. just being a scaredy cat.
Will post how I fixed it just in case anyone with same problem:
I renamed the file apache.pem to anything to be safe instead of deleting it. It's here:
/etc/apache2/ssl/apache.pem
Then I ran the same cmd again:
/usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem

It prompts me, as before, only for the 'commonName' field, in which I fixed the typo.
/etc/init.d/apache2 restart

Done, no more errors

still have non working ajaxterm though
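
A check that can be run on the regenerated file before restarting Apache, as an added example that is not part of the original thread: it reads the CommonName with `openssl x509` and compares it with the host name you expect. The script name `check-cn.sh` and both function names are hypothetical; the path and host name in the usage comment are the ones from the posts above.

```shell
#!/bin/sh
# Added example: confirm a certificate's CommonName before restarting Apache.

# Print the CommonName (CN) of the first certificate in a PEM file.
# openssl x509 skips a private key stored in the same file.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -e 's/^subject= *//' |
        tr ',' '\n' |
        sed -n 's/^CN=//p' |
        head -n 1
}

# Return 0 if the certificate CN equals the expected host name
# (compared case-insensitively, as host names are), 1 otherwise.
check_cert_name() {
    pem=$1
    expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    actual=$(cert_cn "$pem" | tr '[:upper:]' '[:lower:]')
    if [ -z "$actual" ]; then
        echo "cannot read a CN from $pem" >&2
        return 1
    fi
    if [ "$actual" != "$expected" ]; then
        echo "CN '$actual' does not match '$expected'" >&2
        return 1
    fi
    echo "CN matches: $actual"
}

# Usage: sh check-cn.sh /etc/apache2/ssl/apache.pem mysite.com
if [ "$#" -eq 2 ]; then
    check_cert_name "$1" "$2"
fi
```

A non-zero exit status means the CN still differs from the name given, which is the condition behind the mod_ssl "does NOT match server name" warning quoted in the first post.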