SSL Warning on our Apache2 server log

Hi there

For the website, the SSL has been running OK.

However, every day we have a warning for this:

[ssl:warn] [pid 809306:tid 140405823966272] AH01909: xxx.com:443:0 server certificate does NOT include an ID which matches the server name

We have this setup:

Any ideas on how to fix this?

You need to install a certificate for that site that includes the correct name. In addition to clearing the error, it will allow you to properly secure your site by switching to Full (Strict).


We created a certificate from Cloudflare itself via SSL/TLS Origin Server option.

Those are the correct hosts.

We put it into our Apache2 site.

Not sure why it’s not the correct name.

On a VPS with shell access, I’d be reviewing vhost configurations and log files. If you have such access, you may find the output of apache2ctl -t -D DUMP_VHOSTS helpful.


@epic.network

Here’s the output:

VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server vmi630724.contaboserver.net (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost vmi630724.contaboserver.net (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost dewalist.com (/etc/apache2/sites-enabled/dewalist.com.conf:1)
                 alias www.dewalist.com
         port 80 namevhost insight.dewalist.com (/etc/apache2/sites-enabled/insight.dewalist.com.conf:1)
                 alias insight.dewalist.com
         port 80 namevhost valdy.net (/etc/apache2/sites-enabled/valdy.net.conf:1)
                 alias www.valdy.net
*:443                  is a NameVirtualHost
         default server vmi630724.contaboserver.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
         port 443 namevhost vmi630724.contaboserver.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
         port 443 namevhost dewalist.com (/etc/apache2/sites-enabled/dewalist.com.conf:28)
                 alias www.dewalist.com
         port 443 namevhost insight.dewalist.com (/etc/apache2/sites-enabled/insight.dewalist.com.conf:25)
                 alias insight.dewalist.com
         port 443 namevhost valdy.net (/etc/apache2/sites-enabled/valdy.net.conf:26)
                 alias sni.cloudflaressl.com

The info above is the sudo apache2ctl -t -D DUMP_VHOSTS output that you need.

Is there a reason that you have an alias of sni.cloudflaressl.com configured for valdy.net?


All domains are having the same warning.

We played around with the server alias for valdy.net for testing purposes (sni.cloudflaressl.com), and it had the same issue too.

Hope this helps.

Other than the warning getting logged, are you experiencing any problems with the sites?

Searching that error on the web brings up articles that mention the ServerName not having a certificate that includes the name. I see other articles that suggest that warning appears when using self-signed certificates. That may also include certificates that are signed by unknown CAs, which would include the Cloudflare Origin CA unless you added it to your system store.

I am not entirely convinced that adding the Cloudflare Origin CA root certificate has any real merit since it introduces the potential for the server to trust certificates that it otherwise would not, and probably should not trust.


No, we don’t have any issue with the sites, only a warning in the Apache logs.

Can you elaborate more on this please?

Thanks

I would kick your SSL level up to Full (Strict) and make sure everything is loading fine. If it is, I would consider calling it done. The warning is just that. It is an informative message, but it is not reporting anything that failed. You can safely ignore it.

Now if you are like me, and it may just annoy you to not know why the warning appears, you could always do some testing to see if it clears up the warning. I would check out 2 things:

  1. Is the vmi630724.contaboserver.net certificate self-signed?
  2. Does adding the Cloudflare Origin CA root certificate to the system trust store clear the warnings about the domains with Cloudflare Origin CA certificates?

I would also remove the ServerAlias sni.cloudflaressl.com directive. While it is not really able to hurt anything since that name does not resolve, it isn’t adding any value, either.

If step 2 as suggested above does clear the warnings on the virtual hosts with Cloudflare Origin CA certificates, I would make note of that for posterity and then remove the Cloudflare Origin CA root certificate from the trusted root store. I cannot think of any reason why your server would need to trust certificates issued by that CA.


Just thought the certificate is using CN: sni.cloudflaressl.com, which is different from the website (dewalist.com) and again different from the server name/server alias … I guess?

The Certificate Subject Alternative Names are the names you really care about.

With point (1), is the vmi630724.contaboserver.net certificate self-signed? Not quite sure about this. Do we need a certificate for this? This is one of the VMs that we have on Contabo.

Point (2), does adding the Cloudflare Origin CA root certificate to the system trust store clear the warnings about the domains with Cloudflare Origin CA certificates? How do we add this to the server?

Thanks

Actually, I found this article: https://www.digitalocean.com/community/tutorials/how-to-install-an-ssl-certificate-from-a-commercial-certificate-authority#install-certificate-on-web-server

I could add the intermediate one - is that right?

SSLEngine on
SSLCertificateFile /home/sammy/example.com.crt
SSLCertificateKeyFile /home/sammy/example.com.key
**SSLCACertificateFile /home/sammy/intermediate.crt**

No. The Apache documentation indicates that directive is for Client Authentication.

Somewhat related, but not anything that you asked about, listing intermediate in the SSLCertificateChainFile directive became obsolete in Apache 2.4.8. Any required intermediate certificates (but not root certificates) should be loaded from the SSLCertificateFile directive. They should be concatenated in the file so that it is read from leaf to root. The root certificate does not get included because the client should already have the root in its trusted store.

  1. Find the path to the certificate file in the /etc/apache2/sites-enabled/default-ssl.conf file. You can then run openssl on it from the command line to see everything you want (and then some).
  2. How you do that will depend on what Linux distribution you are running. You should be able to find a guide by searching for add Root CA certificate to ${flavor} Linux

Whether or not it is even worth doing item 2 is debatable, since you will probably want to remove it from the trust store once you see the effect if any on the Apache warning. You want the Cloudflare proxy to trust the certificates the Cloudflare Origin CA issues, but your system has no need to trust any certificates that it has issued.

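As an added example (not code from this thread), here is a small Python cross-check of the port-443 names from the DUMP_VHOSTS output posted earlier against the DNS entries a certificate's Subject Alternative Name carries, which is the comparison behind AH01909 and the reason the SAN entries are the names that matter. The SAN line is a constructed sample in the format `openssl x509 -noout -text` prints; the wildcard rule (a `*` covers exactly one leftmost label) is the standard TLS hostname rule, and the vhost names that no SAN covers are the ones Apache would warn about.

```python
import re

# Port-443 section of the thread's DUMP_VHOSTS output (the names Apache checks).
DUMP_VHOSTS_443 = """
*:443                  is a NameVirtualHost
         default server vmi630724.contaboserver.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
         port 443 namevhost vmi630724.contaboserver.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
         port 443 namevhost dewalist.com (/etc/apache2/sites-enabled/dewalist.com.conf:28)
                 alias www.dewalist.com
         port 443 namevhost valdy.net (/etc/apache2/sites-enabled/valdy.net.conf:26)
                 alias sni.cloudflaressl.com
"""

# Constructed sample SAN line, as printed by `openssl x509 -noout -text -in cert.pem`
# under "X509v3 Subject Alternative Name". Not taken from any real certificate.
SAN_TEXT = "DNS:dewalist.com, DNS:*.dewalist.com"


def vhost_names(dump):
    """Map each namevhost to [ServerName, ServerAlias, ...] from DUMP_VHOSTS text."""
    hosts, current = {}, None
    for line in dump.splitlines():
        m = re.search(r"\bnamevhost\s+(\S+)", line)
        if m:
            current = m.group(1).lower()
            hosts[current] = [current]
            continue
        m = re.match(r"\s+alias\s+(\S+)", line)
        if m and current:
            hosts[current].append(m.group(1).lower())
    return hosts


def san_dns_names(san_text):
    """Pull the DNS: entries out of the openssl SAN line."""
    return [n.lower() for n in re.findall(r"DNS:([^,\s]+)", san_text)]


def name_matches(host, san):
    """Match as a TLS client would: exact, or '*' covering exactly one leftmost label."""
    if host == san:
        return True
    if san.startswith("*.") and host.count(".") == san.count("."):
        return host.endswith(san[1:])
    return False


def uncovered_names(hosts, sans):
    """vhost names no SAN covers: each of these is a candidate for an AH01909 line."""
    return [n for names in hosts.values() for n in names
            if not any(name_matches(n, s) for s in sans)]
```

Run it with each vhost's real SSLCertificateFile and the names it reports are the ones to add to the certificate (or to drop from ServerAlias, as suggested for sni.cloudflaressl.com).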

We implemented this on one of the testing vhosts:

SSLCACertificateFile /etc/***/origin_ca_ecc_root.pem

It seems the SSL warning logs disappeared. Will check again the next day.

Actually, we looked at the Apache logs today and it showed the SSL warning again.
