SSL Warning on our Apache2 server log

Hi there

For the website, the SSL has been running OK.

However, every day we have a warning for this:

[ssl:warn] [pid 809306:tid 140405823966272] AH01909: server certificate does NOT include an ID which matches the server name

We have this setup:

Any ideas on how to fix this?

You need to install a certificate for that site that includes the correct name. In addition to clearing the error, it will allow you to properly secure your site by switching to Full (Strict).


We created a certificate from Cloudflare itself via SSL/TLS Origin Server option.

That’s the correct hosts.

We put it into our Apache2 site.

Not sure why it’s not the correct name.

On a VPS with shell access, I’d be reviewing vhost configurations and log files. If you have such access, you may find the output of apache2ctl -t -D DUMP_VHOSTS helpful.

1 Like

Here’s the

VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost (/etc/apache2/sites-enabled/
         port 80 namevhost (/etc/apache2/sites-enabled/
         port 80 namevhost (/etc/apache2/sites-enabled/
*:443                  is a NameVirtualHost
         default server (/etc/apache2/sites-enabled/default-ssl.conf:2)
         port 443 namevhost (/etc/apache2/sites-enabled/default-ssl.conf:2)
         port 443 namevhost (/etc/apache2/sites-enabled/
         port 443 namevhost (/etc/apache2/sites-enabled/
         port 443 namevhost (/etc/apache2/sites-enabled/

The info above are the sudo apache2ctl -t -D DUMP_VHOSTS that you need.

Is there a reason that you have an alias of configured for

1 Like

All domains are having the same warning.

We played around with the server alias for for testing purposes - and the same issue too.

Hope this help.

Other than the warning getting logged, are you experiencing any problems with the sites?

Searching that error on the web brings up articles that mention the ServerName not having a certificate that includes the name. I see other articles that suggest that warning appears when using self-signed certificates. That may also include certificates that are signed by unknown CAs, which would include the Cloudflare Origin CA unless you added it to your system store.

I am not entirely convinced that adding the Cloudflare Origin CA root certificate has any real merit since it introduces the potential for the server to trust certificates that it otherwise would not, and probably should not trust.

1 Like

No, we don’t have any issue with the sites only a warning on Apache logs.

Can you elaborate more on this please?


I would kick your SSL level up to Full (Strict) and make sure everything is loading fine. If it is, I would consider calling it done. The warning is just that. It is an informative message, but it is not reporting anything that failed. You can safely ignore it.

Now if you are like me, and it may just annoy you to not know why the warning appears, you could always do some testing to see if it clears up the warning. I would check out 2 things:

  1. Is the certificate self-signed?
  2. Does adding the Cloudflare Origin CA root certificate to the system trust store clear the warnings about the domains with Cloudflare Origin CA certificates?

I would also remove the ServerAlias directive. While it is not really able to hurt anything since that name does not resolve, it isn’t adding any value, either.

If step 2 as suggested above does clear the warnings on the virtual hosts with Cloudflare Origin CA certificates, I would make note of that for posterity and then remove the Cloudflare Origin CA root certificate from the trusted root store. I cannot think of any reason why your server would need to trust certificates issued by that CA.


Just thought the certificate is using CN: which is different from the website: and again different from the server name/server alias … I guess?

The Certificate Subject Alternative Name are the names you really care about.

With point (1), is the certificate self-signed, not quite sure about this. Do we need a certificate for this? This is one of the VM that we have on Contabo.

Point (2), does adding the Cloudflare Origin CA root certificate to the system trust store clear the warnings about the domains with Cloudflare Origin CA certificates. How do we add this into the server?


Actually, I found this article:

I could add the intermediate one - is that right?

SSLEngine on
SSLCertificateFile /home/sammy/
SSLCertificateKeyFile /home/sammy/
**SSLCACertificateFile /home/sammy/intermediate.crt**

No. The Apache documentation indicates that directive is for Client Authentication

Somewhat related, but not anything that you asked about, listing intermediate in the SSLCertificateChainFile directive became obsolete in Apache 2.4.8. Any required intermediate certificates (but not root certificates) should be loaded from the SSLCertificateFile directive. They should be concatenated in the file so that it is read from leaf to root. The root certificate does not get included because the client should already have the root in its trusted store.

  1. Find the path to the certificate file in the /etc/apache2/sites-enabled/default-ssl.conf file. You can then run openssl on it from the command line to see everything you want (and then some).
  2. How you do that will depend on what Linux distribution you are running. You should be able to find a guide by searching for add Root CA certificate to ${flavor} Linux

Whether or not it is even worth doing item 2 is debatable, since you will probably want to remove it from the trust store once you see the effect if any on the Apache warning. You want the Cloudflare proxy to trust the certificates the Cloudflare Origin CA issues, but your system has no need to trust any certificates that it has issued.

1 Like

We implemented this on one of the testing vhost:

SSLCACertificateFile /etc/***/origin_ca_ecc_root.pem

It seems the SSL warning logs disappeared. Will check again the next day.

Actually, we looked at the Apache logs today and it showed the SSL warning again.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.