RSA certificate does NOT include an ID which matches the server name

[NotionCommotion]

I obtained a ssl certificate from sslforfree for four domains provided in this order: example.com www.example.com api.example.com admin.example.com.

 

When starting Apache, I get the following errors.  Furthermore, https://example.com/ does not redirect, and the browser shows it as both not being secure and displays the default Apache test page.

[Thu May 25 13:13:48.993879 2017] [ssl:warn] [pid 2817] AH01909: RSA certificate configured for example.com:443 does NOT include an ID which matches the server name
[Thu May 25 13:13:49.022097 2017] [ssl:warn] [pid 2817] AH01909: RSA certificate configured for example.com:443 does NOT include an ID which matches the server name

It is a brand new Apache 2.4 install with Centos7, and the only change to the config files is that I included IncludeOptional sites-enabled/*.conf in /etc/httpd/conf/httpd.conf.

 

Please review my config file and let me know where I am going astray.

 

Thank you

[root@example sites-available]# hostname
example.com
[root@example sites-available]# openssl x509 -in /etc/pki/tls/certs/certificate.crt -noout -subject
subject= /CN=example.com
[root@example sites-available]# httpd -S
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server example.com (/etc/httpd/sites-enabled/corperate.conf:1)
         port 80 namevhost example.com (/etc/httpd/sites-enabled/corperate.conf:1)
                 alias www.example.com
         port 80 namevhost api.example.com (/etc/httpd/sites-enabled/api.conf:1)
         port 80 namevhost admin.example.com (/etc/httpd/sites-enabled/admin.conf:1)
*:443                  is a NameVirtualHost
         default server example.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost example.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost example.com (/etc/httpd/sites-enabled/corperate.conf:6)
         port 443 namevhost www.example.com (/etc/httpd/sites-enabled/corperate.conf:10)
         port 443 namevhost api.example.com (/etc/httpd/sites-enabled/api.conf:5)
         port 443 namevhost admin.example.com (/etc/httpd/sites-enabled/admin.conf:5)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48
[root@example sites-available]# ls -l
total 12
-rw-r--r-- 1 root root  806 May 25 12:58 corperate.conf
-rw-r--r-- 1 root root  678 May 25 12:42 admin.conf
-rw-r--r-- 1 root root 1116 May 25 12:53 api.conf
[root@example sites-available]# cat *
<VirtualHost *:80>
        ServerName example.com
        ServerAlias www.example.com
        Redirect permanent / https://www.example.com/
</VirtualHost>
<VirtualHost *:443>
        ServerName example.com
        Redirect permanent / https://www.example.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/corperate/html
    SSLEngine on
    SSLCertificateFile "/etc/pki/tls/certs/certificate.crt"
    SSLCertificateKeyFile "/etc/pki/tls/private/private.key"
    SSLCACertificateFile "/etc/pki/tls/certs/ca_bundle.crt"
    <Directory "/var/www/corperate/html">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
        RewriteEngine On
    </Directory>
</VirtualHost>
<VirtualHost *:80>
        ServerName admin.example.com
        Redirect permanent / https://admin.example.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName admin.example.com
    DocumentRoot /var/www/admin/public
    SSLEngine on
    SSLCertificateFile "/etc/pki/tls/certs/certificate.crt"
    SSLCertificateKeyFile "/etc/pki/tls/private/private.key"
    SSLCACertificateFile "/etc/pki/tls/certs/ca_bundle.crt"
    <Directory "/var/www/admin/public">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
        RewriteEngine On
    </Directory>
</VirtualHost>
<VirtualHost *:80>
        ServerName api.example.com
        Redirect permanent / https://api.example.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName api.example.com
    DocumentRoot /var/www/api/public
    SSLEngine on
    SSLCertificateFile "/etc/pki/tls/certs/certificate.crt"
    SSLCertificateKeyFile "/etc/pki/tls/private/private.key"
    SSLCACertificateFile "/etc/pki/tls/certs/ca_bundle.crt"
    <Directory "/var/www/api/public">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
        RewriteEngine On
        Header set Access-Control-Allow-Origin "*"
        Header set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
        Header set Access-Control-Allow-Headers "X-Access-Key, Origin, X-Requested-With, Content-Type, Accept"
        #Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization, Client-Security-Token, Accept-Encoding, x-test-header"
    </Directory>
</VirtualHost>
[root@example sites-available]#

 

[Jacques1]

Where is the TLS configuration for example.com (not www.example.com)? I don't see any. The redirect happens after the TLS handshake, so it's not a replacement for a correct TLS configuration on this particular domain.

[NotionCommotion]

Where is the TLS configuration for example.com (not www.example.com)? I don't see any. The redirect happens after the TLS handshake, so it's not a replacement for a correct TLS configuration on this particular domain.

 

Good point.

 

Made the changes, but no change.

 

I think it has to do with having two virtual hosts defined.

 

port 443 namevhost example.com (/etc/httpd/conf.d/ssl.conf:56)

port 443 namevhost example.com (/etc/httpd/sites-enabled/corperate.conf:6)

[benanamen]

Modify as needed.

<VirtualHost example.com:80>
DocumentRoot /home/example
ServerName example.com
ServerAlias *.example.com
<Directory "/home/example">
Order Allow,Deny
Allow from all
AllowOverride all
Options None
Require all granted
</Directory>

RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]
</VirtualHost>

<VirtualHost example.com:443>
DocumentRoot /home/example
ServerName example.com
ServerAlias *.example.com
<Directory "/home/example">
Order Allow,Deny
Allow from all
AllowOverride all
Options None
Require all granted

</Directory>
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.([^.]+\.[^.]+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [L,R=301,NE]

SSLEngine on
SSLCertificateFile /home/example/.well-known/acme-challenge/certificate.crt
SSLCertificateKeyFile /home/example/.well-known/acme-challenge/private.key
SSLCACertificateFile /home/example/.well-known/acme-challenge/ca_bundle.crt
</VirtualHost>

[NotionCommotion]

 

Modify as needed.

 

Thanks benanamen,

 

I've done so in the post, but the following rather strongly states that one shouldn't use mod_rewrite.  What do you think is with me have two virtual hosts defined where one is the default?

 

https://httpd.apache.org/docs/2.4/rewrite/avoid.html

[benanamen]

I am familiar with that. I think that is referring to the complexity of mod_rewrite, not that it is a problem if you use it. mod_rewrite is very powerful and can complicated to use but will work without issue once you have it right.

 

What I previously posted should have easily got you up and running with SSL ending up at a non www URL no matter how the url is entered.