Topic: SSL certificate errors in Apache hosted website
rajaniesh
Posted: Sat 21 Sep '19 15:49

Hi,

I have hosted two Apache websites and deployed the intermediate CA cert, root CA cert and server SSL cert (issued by the intermediate CA). But still, when I browse that site, it shows an SSL error. Is there any setting in the Apache web server? I am new to the Apache web server and need help to resolve this issue.
Any help would be greatly appreciated!!

Regards
Rajaniesh

mraddi
Posted: Sun 22 Sep '19 19:49

Hello Rajaniesh,

welcome to Apachelounge :)

Please check Apache's log file for any helpful (error) messages.

In addition, some more information would be helpful:
* Which certificate is delivered to your browser? Is it the certificate you have configured within Apache?
* What is the exact error message you get in your browser? Is it complaining about an unknown (intermediate) CA, about a non-matching CommonName, or about the certificate being not yet valid/no longer valid?
* How have you configured your Apache?
* Do you have one certificate for both hostnames and both hostnames are on the same IP-address/port-combination -> ensure that it contains both hostnames as SAN [SubjectAlternateName].
* Or do you use different IP-address/port-combinations for both hostnames?

Best regards
Matthias

rajaniesh
Posted: Mon 23 Sep '19 23:11

Hi Matthias,

The SSL cert which we created with the server host name should be delivered to the browser, but it shows the NET: ERR_CERT_COMMON_NAME_INVALID error.

We have used these values in the Apache config file:

1. SSLCertificateFile
2. SSLVerifyClient none
3. SSLCACertificateFile
4. SSLCertificateChainFile for the SSL intermediate CA cert

Despite doing this we are still experiencing the cert error. The main issue caused by this problem is that our Apache website, which calls a Flask-based API hosted on another server, is not able to call it because of the cert error, so the user needs to explicitly enter the Flask API and proceed past the SSL warning, and only then are the values emitted by the API shown in the web page.

We are using two hostnames with two SSL certs, one for the Apache server hosting the Angular app and another one hosting the Flask API in the Apache server. Both certs are named as the FQDN of the server. The first one is hosted on 443 and the other one is hosted on 8443.

Both certs are valid for the next 10 years. In order to avoid the error I installed all four certs on my laptop, and in IE this error is gone, but this error is still coming in Mozilla and Safari. But installing the certs individually is not a good idea, and we cannot ask the customer to do so because there are so many users of the application.

Apache is configured based on the help manual provided by Apache.
Can you please explain to me what we need to do regarding this: "ensure that it contains both hostnames as SAN [SubjectAlternateName]" or "Or do you use different IP-address/port-combinations for both hostnames?"
Regards
Rajaniesh

rajaniesh
Posted: Mon 23 Sep '19 23:12

Hi Matthias,

The SSL cert which we created with the server host name should be delivered to the browser, but it shows the NET: ERR_CERT_COMMON_NAME_INVALID error and SUBJECT ALTERNATIVE NAME MISSING.

We have used these values in the Apache config file:

1. SSLCertificateFile
2. SSLVerifyClient none
3. SSLCACertificateFile
4. SSLCertificateChainFile for the SSL intermediate CA cert

Despite doing this we are still experiencing the cert error. The main issue caused by this problem is that our Apache website, which calls a Flask-based API hosted on another server, is not able to call it because of the cert error, so the user needs to explicitly enter the Flask API and proceed past the SSL warning, and only then are the values emitted by the API shown in the web page.

We are using two hostnames with two SSL certs, one for the Apache server hosting the Angular app and another one hosting the Flask API in the Apache server. Both certs are named as the FQDN of the server. The first one is hosted on 443 and the other one is hosted on 8443.

Both certs are valid for the next 10 years. In order to avoid the error I installed all four certs on my laptop, and in IE this error is gone, but this error is still coming in Mozilla and Safari. But installing the certs individually is not a good idea, and we cannot ask the customer to do so because there are so many users of the application.

Apache is configured based on the help manual provided by Apache.
Can you please explain to me what we need to do regarding this: "ensure that it contains both hostnames as SAN [SubjectAlternateName]" or "Or do you use different IP-address/port-combinations for both hostnames?"
Regards
Rajaniesh

mraddi
Posted: Wed 25 Sep '19 19:23

Hello Rajaniesh,

please try another browser - maybe Firefox instead of Chrome?
I found the information on a German IT news page (https://www.heise.de/security/artikel/Chrome-blockt-Zertifikate-mit-Common-Name-3717594.html) that Chrome displays the error you've mentioned if the certificate has no SubjectAlternateName, even if the certificate's CN is correct.

Is the webserver in question publicly available so that I might have a look at the certificate delivered to the browser?

The error message looks to me like either "the certificate is not matching the hostname in the browser's address bar" or the Chrome error message mentioned in the first paragraph.

I guess you have restarted Apache after your modification to the config file? Otherwise the old (invalid) certificate files are still used by Apache.

To answer the question "what is SAN (SubjectAlternateName)?"
In earlier days certificates only had a CN, which had to be the hostname "www.example.com" or a wildcard "*.example.com". Easy :)
But with this certificate it was not possible to have the same webserver running on 1.1.1.1:443 serving encrypted data for www.example.com AND www.example.de. And if you want to access the webserver with its IP address you also get an error message. So they came up with the SubjectAlternateName - it is an additional attribute within the certificate that contains the certificate's CN AND all the other names or IP addresses it should be valid for.
Now you can serve https://www.example.com and https://www.example.de with the same webserver with one IP-address/port combination, 1.1.1.1:443.

Best regards
Matthias
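
As an added example (not part of any post in this thread, and not code from Apache or Chrome): a small Python check that reproduces the name-matching outcome described above, where a certificate without a SAN is rejected even though its CN is correct. The certificate dicts are constructed samples shaped like the output of `ssl.SSLSocket.getpeercert()`, the hostnames are placeholders, and the wildcard rule is a simplified assumption (`*` only as the entire leftmost label).

```python
import ipaddress

# Constructed sample certificates, shaped like ssl.SSLSocket.getpeercert() output.
# Hostnames are placeholders, not values taken from the thread.
CN_ONLY = {"subject": ((("commonName", "app.example.com"),),)}
WITH_SAN = {
    "subject": ((("commonName", "app.example.com"),),),
    "subjectAltName": (("DNS", "app.example.com"), ("DNS", "*.example.de"),
                       ("IP Address", "1.1.1.1")),
}

def _dns_match(pattern, host):
    """Case-insensitive match; '*' is accepted only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2 and h[0]:
        return p[1:] == h[1:]          # wildcard covers exactly one label
    return p == h

def check_name(cert, host):
    """Return 'ok', 'san-missing' or 'name-mismatch' for host against cert.

    The subject CN is never consulted, mirroring browsers that ignore it.
    """
    sans = cert.get("subjectAltName", ())
    if not sans:
        return "san-missing"           # CN may be correct, still rejected
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                      # host is a DNS name, not an IP literal
    for kind, value in sans:
        if ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return "ok"
        elif kind == "DNS" and _dns_match(value, host):
            return "ok"
    return "name-mismatch"

if __name__ == "__main__":
    cases = [(CN_ONLY, "app.example.com"), (WITH_SAN, "app.example.com"),
             (WITH_SAN, "www.example.de"), (WITH_SAN, "1.1.1.1"),
             (WITH_SAN, "api.example.com")]
    for cert, host in cases:
        print(host, "->", check_name(cert, host))
```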

James Blond (Moderator)
Posted: Thu 26 Sep '19 9:22

See also https://support.google.com/chrome/a/answer/7391219?hl=en