CentOS7 Apache: RSA certificate does NOT include an ID which matches the server name

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
1
down vote

favorite












I know this issue has been raised before, and I have searched through all the answers and tried all of the suggestions, none of which solved my problem, so I'll ask for assistance in a new thread.



I have installed and configured a new CentOS7 system, to replace one that got too outdated. It primarily exists to serve up a copy of ownCloud on my network. The previous system worked perfectly, and was configured with an SSL certificate. I have copied over the vhosts.conf file, the certificate files, the key file, and set up ownCloud in the same configuration as I had on the previous system.



However, when I start up Apache, it fails and logs these errors:



[ssl:info] [pid 4787] AH02200: Loading certificate & private key of SSL-aware server 'owncloud.domain.com:443'
[ssl:debug] [pid 4787] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[ssl:info] [pid 4787] AH01914: Configuring server owncloud.domain.com:443 for SSL protocol
[ssl:debug] [pid 4787] ssl_engine_init.c(1536): AH02209: CA certificate: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
[ssl:debug] [pid 4787] ssl_engine_init.c(1536): AH02209: CA certificate: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
[ssl:debug] [pid 4787] ssl_engine_init.c(1536): AH02209: CA certificate: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
[ssl:debug] [pid 4787] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[ssl:debug] [pid 4787] ssl_engine_init.c(919): AH02232: Configuring RSA server certificate
[ssl:warn] [pid 4787] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[ssl:debug] [pid 4787] ssl_util_ssl.c(489): AH02412: [owncloud.domain.com:443] Cert does not match for name 'owncloud.domain.com' [subject: emailAddress=root@localhost.localdomain,CN=localhost.localdomain,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / issuer: emailAddress=root@localhost.localdomain,CN=localhost.localdomain,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / serial: 7B1C / notbefore: Jul 4 10:13:52 2014 GMT / notafter: Jul 4 10:13:52 2015 GMT]
[ssl:warn] [pid 4787] AH01909: RSA certificate configured for owncloud.domain.com:443 does NOT include an ID which matches the server name
[ssl:debug] [pid 4787] ssl_engine_init.c(974): AH02236: Configuring RSA server private key
[ssl:emerg] [pid 4787] AH02238: Unable to configure RSA server private key
[ssl:emerg] [pid 4787] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch


The certificate in question is not self-generated -- it is a purchased commercial certificate and was working perfectly on the previous system. Both systems used the same server name, the same IP address and the same vhosts.conf.



The httpd.conf specifies that Apache should listen on both ports 80 and 443.



The vhosts.conf file is:



<VirtualHost *:443>
DocumentRoot /var/www/html/owncloud
ServerName owncloud.domain.com
ServerAlias www.owncloud.domain.com
Header always add Strict-Transport-Security "max-age=15768000"
ErrorLog logs/owncloud.domain.com-ssl-error_log
CustomLog logs/owncloud.domain.com-ssl-access_log common
<Directory /var/www/html/owncloud >
AllowOverride All
</Directory>

SSLEngine On
SSLProtocol -ALL -SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
SSLCertificateFile /etc/pki/tls/certs/owncloud_domain_com.crt
SSLCertificateKeyFile /etc/pki/tls/certs/owncloud.key
SSLCACertificateFile /etc/pki/tls/certs/owncloud_bundle.crt
</VirtualHost>

<VirtualHost *:80>
ServerName owncloud.domain.com
Redirect permanent / https://owncloud.domain.com/
</VirtualHost>


The relevant lines from httpd.conf are:



Listen 80
Listen 443
ServerName owncloud.domain.com:443


The rest of the httpd.conf file is pretty much as it was installed by CentOS.



I have used openSSL to test the certificate and key files, using the -modulus argument, and the results from both are identical. I also tested for the text of the server name and it is correct in the certificate file, so it does not appear as if anything has happened to either the certificate or the key. Nothing should have -- I copied all the certificate files to a backup before installing the new system, then put them back.



As I mentioned, I've tried everything I could find via on-line searching, but nothing has worked, so any suggestions would be appreciated.



-- Norm



As requested, here is the output of "openssl x509 -in owncloud_domain_com.crt -text -noout":



Certificate:
Data:
Version: 3 (0x2)
Serial Number:
7c:a7:38:a8:1a:67:2d:e3:b4:13:fa:49:33:e8:27:e6
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
Validity
Not Before: Sep 12 00:00:00 2013 GMT
Not After : Sep 11 23:59:59 2018 GMT
Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=owncloud.domain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:ca:c8:8d:41:91:c5:0e:ed:86:a4:6a:6f:fb:86:
6c:a5:4d:68:cb:80:51:f3:2e:7f:9c:97:8a:43:a0:
3e:45:7a:cd:83:ad:a6:72:03:98:20:e5:a0:04:a8:
0b:d0:45:e6:62:ec:1d:c0:d7:fa:04:13:30:b5:e8:
40:f7:00:ef:14:19:c2:37:f3:dd:af:87:cc:70:d5:
dd:51:7a:10:17:35:79:5b:0f:86:4e:d8:ce:73:11:
96:d4:00:c8:41:f9:7d:5c:2e:c5:06:6b:4d:04:d6:
11:6a:03:80:11:c5:06:d9:f5:d1:6d:60:2b:a8:3b:
ba:5d:38:0b:1d:dc:dc:48:3d:ae:ef:7b:48:c2:d9:
5c:c2:72:83:46:bc:d2:78:fd:02:cf:a8:b3:99:66:
36:05:9b:89:56:26:96:2c:1c:eb:54:6d:31:39:32:
4d:e9:f0:b9:b1:ca:e3:8d:40:85:03:9a:37:2d:94:
e8:a6:2c:c9:fd:ba:d2:8f:5c:95:63:e4:52:55:f8:
4a:5a:14:af:a1:ba:38:4d:b8:d9:92:28:98:3d:40:
89:e3:43:f1:bc:ea:14:29:3e:40:09:ad:f8:35:29:
80:1b:4d:a4:91:e2:9d:0b:0c:e5:0d:2b:13:a5:07:
82:9a:97:6b:6f:b1:69:c5:4d:c1:1b:11:cd:07:2c:
38:eb:e7:bb:93:2f:57:aa:a1:38:bb:b7:70:5c:89:
6d:47:d8:e0:6d:1b:9e:60:50:83:b6:93:49:36:7e:
57:c8:c8:2a:f7:30:cb:ee:a5:f5:e7:0c:f3:6f:1a:
82:54:a2:20:49:f5:68:c4:f1:c2:7b:0e:29:28:a8:
2c:9c:52:f4:5f:39:25:2f:fe:f4:ea:7e:92:cc:95:
c9:a5:92:2a:06:8e:9c:00:d0:c1:1c:52:e0:fb:42:
1b:fe:8c:ef:49:82:9a:55:74:5b:95:e1:ec:a6:6f:
96:e6:ae:0d:d9:be:24:db:4e:cc:e0:2d:a3:61:cb:
2a:e3:67:81:6f:5a:72:80:7c:0f:1b:e0:8b:ad:9e:
e2:6a:f7:32:0b:78:c1:ca:ac:38:97:7a:76:53:0f:
9d:12:49:5b:ab:d9:ea:b9:ca:cb:8d:e1:fa:bd:f8:
11:05:05:c7:90:f0:4e:f3:81:75:57:4a:3e:2a:3a:
10:65:34:ea:1c:c0:18:68:bb:f9:0a:6e:ee:fe:73:
16:6d:1f:e8:2c:bf:91:3d:df:26:98:93:8d:88:52:
04:7d:46:ab:eb:6f:e0:9f:1d:f9:ed:b2:75:dc:d8:
eb:61:69:14:83:12:82:09:75:c5:5a:51:a4:2d:17:
fa:ce:66:16:11:bd:5a:a8:ea:9e:af:b3:06:03:86:
5e:fb:6d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7

X509v3 Subject Key Identifier:
8C:70:79:27:C0:EE:36:6F:23:58:2E:46:2B:A6:A7:DE:E3:39:99:B1
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.6449.1.2.1.3.4
CPS: https://secure.comodo.net/CPS
Policy: 2.23.140.1.2.1

X509v3 CRL Distribution Points:

Full Name:
URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl

Authority Information Access:
CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
OCSP - URI:http://ocsp.comodoca.com

X509v3 Subject Alternative Name:
DNS:owncloud.domain.com, DNS:www.owncloud.domain.com
Signature Algorithm: sha256WithRSAEncryption
3a:a6:56:b7:56:ce:f0:ed:e6:ba:d7:1c:31:9d:ff:3d:67:88:
f3:6c:d8:c9:28:42:06:b7:66:2b:39:c6:0b:c4:0a:b2:1d:5e:
f6:4f:4b:30:65:1c:71:4e:a8:89:03:2a:28:45:ca:10:f6:dd:
34:7e:1a:e2:51:a5:c6:32:46:b5:7d:6d:da:2e:ef:51:73:0d:
11:f4:eb:2d:82:4f:22:82:50:fc:ad:be:45:f3:32:96:eb:11:
88:6b:a6:62:3d:3f:7b:a9:b5:d8:af:a4:40:03:00:05:cf:fa:
6b:6a:41:d1:7c:26:6e:66:b0:5a:36:9c:d2:b5:c4:c7:a2:c2:
ce:3a:27:6a:e9:35:18:54:0d:52:05:30:fc:57:74:68:43:ea:
9b:bb:39:d8:b2:81:e8:8a:b6:f2:31:36:81:f4:b7:16:16:1c:
ff:e5:e2:d5:23:78:e2:13:26:8e:31:1e:e1:9f:fd:d2:b7:20:
d4:75:a4:74:32:c3:e9:25:b7:d5:1d:ab:e8:d6:ea:80:13:58:
77:e1:f5:d7:dd:b0:3d:ca:bc:4c:24:40:ff:2d:d2:15:12:97:
56:ed:04:87:aa:85:98:89:b4:f3:ce:32:67:de:43:80:36:fd:
b5:32:2a:69:fb:4d:65:f8:fb:be:fa:08:d1:3b:a6:12:28:46:
34:31:24:1a


Replacing SSLCACertificateFile with SSLCertificateChainFile in the vhosts file, and starting Apache gives these log messages:



[Thu May 03 17:39:52.296052 2018] [ssl:info] [pid 6048] AH02200: Loading certificate & private key of SSL-aware server 'owncloud.domain.com:443'
[Thu May 03 17:39:52.296536 2018] [ssl:debug] [pid 6048] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[Thu May 03 17:39:52.296856 2018] [ssl:info] [pid 6048] AH01914: Configuring server owncloud.domain.com:443 for SSL protocol
[Thu May 03 17:39:52.297384 2018] [ssl:debug] [pid 6048] ssl_engine_init.c(872): AH01904: Configuring server certificate chain (3 CA certificates)
[Thu May 03 17:39:52.297399 2018] [ssl:debug] [pid 6048] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[Thu May 03 17:39:52.297413 2018] [ssl:debug] [pid 6048] ssl_engine_init.c(919): AH02232: Configuring RSA server certificate
[Thu May 03 17:39:52.297509 2018] [ssl:warn] [pid 6048] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu May 03 17:39:52.297599 2018] [ssl:debug] [pid 6048] ssl_util_ssl.c(489): AH02412: [owncloud.domain.com:443] Cert does not match for name 'owncloud.domain.com' [subject: emailAddress=root@localhost.localdomain,CN=localhost.localdomain,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / issuer: emailAddress=root@localhost.localdomain,CN=localhost.localdomain,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / serial: 7B1C / notbefore: Jul 4 10:13:52 2014 GMT / notafter: Jul 4 10:13:52 2015 GMT]
[Thu May 03 17:39:52.297612 2018] [ssl:warn] [pid 6048] AH01909: RSA certificate configured for owncloud.domain.com:443 does NOT include an ID which matches the server name
[Thu May 03 17:39:52.297621 2018] [ssl:debug] [pid 6048] ssl_engine_init.c(974): AH02236: Configuring RSA server private key
[Thu May 03 17:39:52.297649 2018] [ssl:emerg] [pid 6048] AH02238: Unable to configure RSA server private key
[Thu May 03 17:39:52.297667 2018] [ssl:emerg] [pid 6048] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch


In effect, not much has changed, as Apache still won't start.



As requested, the first few lines of the private key file:



-----BEGIN PRIVATE KEY-----
MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQDCcib4fqnUYaGV
mzy6h6e6EUonHY+WeqkwygWV/zwZEcto9pKMyv5ZSYRPTsW4/e3glPMXBlbxIzhj
6f1W76AP8nYplcWJLuj/Qn+JHfaA7nlCHUehtA2Vcut9AuVnvutZZyA3fp+EySXv
Mu8/RhKjXx0C8Zm6vvGKJczw4MSP8JlUtYs+KoXXzVsTbrLCgLBYf0+JUoKBU9s4
Um37cMk8ziRKYZDjsYtKe1D7hA6A3sWZp7czidK7jGH2OoWVHrj46pTo/koxhJpV






share|improve this question





















  • Nope, no chroot. It's all pretty plain vanilla.
    – npowroz
    May 3 at 21:31










  • Can you replace SSLCACertificateFile by SSLCertificateChainFile and (re)start Apache?
    – Rui F Ribeiro
    May 3 at 21:34










  • results added to the main question
    – npowroz
    May 3 at 21:48










  • As I mentioned, this all worked perfectly on the previous incarnation of this server, which is one of the reasons why I'm stumped.
    – npowroz
    May 3 at 22:02






  • 1




    Well, the comments in the httpd.conf file specifically say that there should be a ServerName, but taking it out didn't make any difference.
    – npowroz
    May 3 at 22:19














up vote
1
down vote

favorite












I know this issue has been raised before, and I have searched through all the answers and tried all of the suggestions, none of which solved my problem, so I'll ask for assistance in a new thread.



I have installed and configured a new CentOS7 system, to replace one that got too outdated. It primarily exists to serve up a copy of ownCloud on my network. The previous system worked perfectly, and was configured with an SSL certificate. I have copied over the vhosts.conf file, the certificate files, the key file, and set up ownCloud in the same configuration as I had on the previous system.



However, when I start up Apache, it fails and logs these errors:



[ssl:info] [pid 4787] AH02200: Loading certificate & private key of SSL-aware server 'owncloud.domain.com:443'
[ssl:debug] [pid 4787] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[ssl:info] [pid 4787] AH01914: Configuring server owncloud.domain.com:443 for SSL protocol
[ssl:debug] [pid 4787] ssl_engine_init.c(1536): AH02209: CA certificate: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
[ssl:debug] [pid 4787] ssl_engine_init.c(1536): AH02209: CA certificate: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
[ssl:debug] [pid 4787] ssl_engine_init.c(1536): AH02209: CA certificate: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
[ssl:debug] [pid 4787] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[ssl:debug] [pid 4787] ssl_engine_init.c(919): AH02232: Configuring RSA server certificate
[ssl:warn] [pid 4787] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[ssl:debug] [pid 4787] ssl_util_ssl.c(489): AH02412: [owncloud.domain.com:443] Cert does not match for name 'owncloud.domain.com' [subject: emailAddress=root@localhost.localdomain,CN=localhost.localdomain,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / issuer: emailAddress=root@localhost.localdomain,CN=localhost.localdomain,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / serial: 7B1C / notbefore: Jul 4 10:13:52 2014 GMT / notafter: Jul 4 10:13:52 2015 GMT]
[ssl:warn] [pid 4787] AH01909: RSA certificate configured for owncloud.domain.com:443 does NOT include an ID which matches the server name
[ssl:debug] [pid 4787] ssl_engine_init.c(974): AH02236: Configuring RSA server private key
[ssl:emerg] [pid 4787] AH02238: Unable to configure RSA server private key
[ssl:emerg] [pid 4787] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch


The certificate in question is not self-generated -- it is a purchased commercial certificate and was working perfectly on the previous system. Both systems used the same server name, the same IP address and the same vhosts.conf.



The httpd.conf specifies that Apache should listen on both ports 80 and 443.



The vhosts.conf file is:



<VirtualHost *:443>
DocumentRoot /var/www/html/owncloud
ServerName owncloud.domain.com
ServerAlias www.owncloud.domain.com
Header always add Strict-Transport-Security "max-age=15768000"
ErrorLog logs/owncloud.domain.com-ssl-error_log
CustomLog logs/owncloud.domain.com-ssl-access_log common
<Directory /var/www/html/owncloud >
AllowOverride All
</Directory>

SSLEngine On
SSLProtocol -ALL -SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
SSLCertificateFile /etc/pki/tls/certs/owncloud_domain_com.crt
SSLCertificateKeyFile /etc/pki/tls/certs/owncloud.key
SSLCACertificateFile /etc/pki/tls/certs/owncloud_bundle.crt
</VirtualHost>

<VirtualHost *:80>
ServerName owncloud.domain.com
Redirect permanent / https://owncloud.domain.com/
</VirtualHost>


The relevant lines from httpd.conf are:



Listen 80
Listen 443
ServerName owncloud.domain.com:443


The rest of the httpd.conf file is pretty much as it was installed by CentOS.



I have used openSSL to test the certificate and key files, using the -modulus argument, and the results from both are identical. I also tested for the text of the server name and it is correct in the certificate file, so it does not appear as if anything has happened to either the certificate or the key. Nothing should have -- I copied all the certificate files to a backup before installing the new system, then put them back.



As I mentioned, I've tried everything I could find via on-line searching, but nothing has worked, so any suggestions would be appreciated.



-- Norm



As requested, here is the output of "openssl x509 -in owncloud_domain_com.crt -text -noout":



Certificate:
Data:
Version: 3 (0x2)
Serial Number:
7c:a7:38:a8:1a:67:2d:e3:b4:13:fa:49:33:e8:27:e6
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
Validity
Not Before: Sep 12 00:00:00 2013 GMT
Not After : Sep 11 23:59:59 2018 GMT
Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=owncloud.domain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:ca:c8:8d:41:91:c5:0e:ed:86:a4:6a:6f:fb:86:
6c:a5:4d:68:cb:80:51:f3:2e:7f:9c:97:8a:43:a0:
3e:45:7a:cd:83:ad:a6:72:03:98:20:e5:a0:04:a8:
0b:d0:45:e6:62:ec:1d:c0:d7:fa:04:13:30:b5:e8:
40:f7:00:ef:14:19:c2:37:f3:dd:af:87:cc:70:d5:
dd:51:7a:10:17:35:79:5b:0f:86:4e:d8:ce:73:11:
96:d4:00:c8:41:f9:7d:5c:2e:c5:06:6b:4d:04:d6:
11:6a:03:80:11:c5:06:d9:f5:d1:6d:60:2b:a8:3b:
ba:5d:38:0b:1d:dc:dc:48:3d:ae:ef:7b:48:c2:d9:
5c:c2:72:83:46:bc:d2:78:fd:02:cf:a8:b3:99:66:
36:05:9b:89:56:26:96:2c:1c:eb:54:6d:31:39:32:
4d:e9:f0:b9:b1:ca:e3:8d:40:85:03:9a:37:2d:94:
e8:a6:2c:c9:fd:ba:d2:8f:5c:95:63:e4:52:55:f8:
4a:5a:14:af:a1:ba:38:4d:b8:d9:92:28:98:3d:40:
89:e3:43:f1:bc:ea:14:29:3e:40:09:ad:f8:35:29:
80:1b:4d:a4:91:e2:9d:0b:0c:e5:0d:2b:13:a5:07:
82:9a:97:6b:6f:b1:69:c5:4d:c1:1b:11:cd:07:2c:
38:eb:e7:bb:93:2f:57:aa:a1:38:bb:b7:70:5c:89:
6d:47:d8:e0:6d:1b:9e:60:50:83:b6:93:49:36:7e:
57:c8:c8:2a:f7:30:cb:ee:a5:f5:e7:0c:f3:6f:1a:
82:54:a2:20:49:f5:68:c4:f1:c2:7b:0e:29:28:a8:
2c:9c:52:f4:5f:39:25:2f:fe:f4:ea:7e:92:cc:95:
c9:a5:92:2a:06:8e:9c:00:d0:c1:1c:52:e0:fb:42:
1b:fe:8c:ef:49:82:9a:55:74:5b:95:e1:ec:a6:6f:
96:e6:ae:0d:d9:be:24:db:4e:cc:e0:2d:a3:61:cb:
2a:e3:67:81:6f:5a:72:80:7c:0f:1b:e0:8b:ad:9e:
e2:6a:f7:32:0b:78:c1:ca:ac:38:97:7a:76:53:0f:
9d:12:49:5b:ab:d9:ea:b9:ca:cb:8d:e1:fa:bd:f8:
11:05:05:c7:90:f0:4e:f3:81:75:57:4a:3e:2a:3a:
10:65:34:ea:1c:c0:18:68:bb:f9:0a:6e:ee:fe:73:
16:6d:1f:e8:2c:bf:91:3d:df:26:98:93:8d:88:52:
04:7d:46:ab:eb:6f:e0:9f:1d:f9:ed:b2:75:dc:d8:
eb:61:69:14:83:12:82:09:75:c5:5a:51:a4:2d:17:
fa:ce:66:16:11:bd:5a:a8:ea:9e:af:b3:06:03:86:
5e:fb:6d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7

X509v3 Subject Key Identifier:
8C:70:79:27:C0:EE:36:6F:23:58:2E:46:2B:A6:A7:DE:E3:39:99:B1
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.6449.1.2.1.3.4
CPS: https://secure.comodo.net/CPS
Policy: 2.23.140.1.2.1

X509v3 CRL Distribution Points:

Full Name:
URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl

Authority Information Access:
CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
OCSP - URI:http://ocsp.comodoca.com

X509v3 Subject Alternative Name:
DNS:owncloud.domain.com, DNS:www.owncloud.domain.com
Signature Algorithm: sha256WithRSAEncryption
3a:a6:56:b7:56:ce:f0:ed:e6:ba:d7:1c:31:9d:ff:3d:67:88:
f3:6c:d8:c9:28:42:06:b7:66:2b:39:c6:0b:c4:0a:b2:1d:5e:
f6:4f:4b:30:65:1c:71:4e:a8:89:03:2a:28:45:ca:10:f6:dd:
34:7e:1a:e2:51:a5:c6:32:46:b5:7d:6d:da:2e:ef:51:73:0d:
11:f4:eb:2d:82:4f:22:82:50:fc:ad:be:45:f3:32:96:eb:11:
88:6b:a6:62:3d:3f:7b:a9:b5:d8:af:a4:40:03:00:05:cf:fa:
6b:6a:41:d1:7c:26:6e:66:b0:5a:36:9c:d2:b5:c4:c7:a2:c2:
ce:3a:27:6a:e9:35:18:54:0d:52:05:30:fc:57:74:68:43:ea:
9b:bb:39:d8:b2:81:e8:8a:b6:f2:31:36:81:f4:b7:16:16:1c:
ff:e5:e2:d5:23:78:e2:13:26:8e:31:1e:e1:9f:fd:d2:b7:20:
d4:75:a4:74:32:c3:e9:25:b7:d5:1d:ab:e8:d6:ea:80:13:58:
77:e1:f5:d7:dd:b0:3d:ca:bc:4c:24:40:ff:2d:d2:15:12:97:
56:ed:04:87:aa:85:98:89:b4:f3:ce:32:67:de:43:80:36:fd:
b5:32:2a:69:fb:4d:65:f8:fb:be:fa:08:d1:3b:a6:12:28:46:
34:31:24:1a


Replacing SSLCACertificateFile with SSLCertificateChainFile in the vhosts file, and starting Apache gives these log messages:



[Thu May 03 17:39:52.296052 2018] [ssl:info] [pid 6048] AH02200: Loading certificate & private key of SSL-aware server 'owncloud.domain.com:443'
[Thu May 03 17:39:52.296536 2018] [ssl:debug] [pid 6048] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[Thu May 03 17:39:52.296856 2018] [ssl:info] [pid 6048] AH01914: Configuring server owncloud.domain.com:443 for SSL protocol
[Thu May 03 17:39:52.297384 2018] [ssl:debug] [pid 6048] ssl_engine_init.c(872): AH01904: Configuring server certificate chain (3 CA certificates)
[Thu May 03 17:39:52.297399 2018] [ssl:debug] [pid 6048] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[Thu May 03 17:39:52.297413 2018] [ssl:debug] [pid 6048] ssl_engine_init.c(919): AH02232: Configuring RSA server certificate
[Thu May 03 17:39:52.297509 2018] [ssl:warn] [pid 6048] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu May 03 17:39:52.297599 2018] [ssl:debug] [pid 6048] ssl_util_ssl.c(489): AH02412: [owncloud.domain.com:443] Cert does not match for name 'owncloud.domain.com' [subject: emailAddress=root@localhost.localdomain,CN=localhost.localdomain,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / issuer: emailAddress=root@localhost.localdomain,CN=localhost.localdomain,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / serial: 7B1C / notbefore: Jul 4 10:13:52 2014 GMT / notafter: Jul 4 10:13:52 2015 GMT]
[Thu May 03 17:39:52.297612 2018] [ssl:warn] [pid 6048] AH01909: RSA certificate configured for owncloud.domain.com:443 does NOT include an ID which matches the server name
[Thu May 03 17:39:52.297621 2018] [ssl:debug] [pid 6048] ssl_engine_init.c(974): AH02236: Configuring RSA server private key
[Thu May 03 17:39:52.297649 2018] [ssl:emerg] [pid 6048] AH02238: Unable to configure RSA server private key
[Thu May 03 17:39:52.297667 2018] [ssl:emerg] [pid 6048] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch


In effect, not much has changed, as Apache still won't start.



As requested, the first few lines of the private key file:



-----BEGIN PRIVATE KEY-----
MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQDCcib4fqnUYaGV
mzy6h6e6EUonHY+WeqkwygWV/zwZEcto9pKMyv5ZSYRPTsW4/e3glPMXBlbxIzhj
6f1W76AP8nYplcWJLuj/Qn+JHfaA7nlCHUehtA2Vcut9AuVnvutZZyA3fp+EySXv
Mu8/RhKjXx0C8Zm6vvGKJczw4MSP8JlUtYs+KoXXzVsTbrLCgLBYf0+JUoKBU9s4
Um37cMk8ziRKYZDjsYtKe1D7hA6A3sWZp7czidK7jGH2OoWVHrj46pTo/koxhJpV






share|improve this question





















  • Nope, no chroot. It's all pretty plain vanilla.
    – npowroz
    May 3 at 21:31










  • Can you replace SSLCACertificateFile by SSLCertificateChainFile and (re)start Apache?
    – Rui F Ribeiro
    May 3 at 21:34










  • results added to the main question
    – npowroz
    May 3 at 21:48










  • As I mentioned, this all worked perfectly on the previous incarnation of this server, which is one of the reasons why I'm stumped.
    – npowroz
    May 3 at 22:02






  • 1




    Well, the comments in the httpd.conf file specifically say that there should be a ServerName, but taking it out didn't make any difference.
    – npowroz
    May 3 at 22:19












up vote
1
down vote

favorite









up vote
1
down vote

favorite











I know this issue has been raised before, and I have searched through all the answers and tried all of the suggestions, none of which solved my problem, so I'll ask for assistance in a new thread.



I have installed and configured a new CentOS7 system, to replace one that got too outdated. It primarily exists to serve up a copy of ownCloud on my network. The previous system worked perfectly, and was configured with an SSL certificate. I have copied over the vhosts.conf file, the certificate files, the key file, and set up ownCloud in the same configuration as I had on the previous system.



However, when I start up Apache, it fails and logs these errors:



[ssl:info] [pid 4787] AH02200: Loading certificate & private key of SSL-aware server 'owncloud.domain.com:443'
[ssl:debug] [pid 4787] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[ssl:info] [pid 4787] AH01914: Configuring server owncloud.domain.com:443 for SSL protocol
[ssl:debug] [pid 4787] ssl_engine_init.c(1536): AH02209: CA certificate: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
[ssl:debug] [pid 4787] ssl_engine_init.c(1536): AH02209: CA certificate: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
[ssl:debug] [pid 4787] ssl_engine_init.c(1536): AH02209: CA certificate: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
[ssl:debug] [pid 4787] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[ssl:debug] [pid 4787] ssl_engine_init.c(919): AH02232: Configuring RSA server certificate
[ssl:warn] [pid 4787] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[ssl:debug] [pid 4787] ssl_util_ssl.c(489): AH02412: [owncloud.domain.com:443] Cert does not match for name 'owncloud.domain.com' [subject: emailAddress=root@localhost.localdomain,CN=localhost.localdomain,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / issuer: emailAddress=root@localhost.localdomain,CN=localhost.localdomain,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / serial: 7B1C / notbefore: Jul 4 10:13:52 2014 GMT / notafter: Jul 4 10:13:52 2015 GMT]
[ssl:warn] [pid 4787] AH01909: RSA certificate configured for owncloud.domain.com:443 does NOT include an ID which matches the server name
[ssl:debug] [pid 4787] ssl_engine_init.c(974): AH02236: Configuring RSA server private key
[ssl:emerg] [pid 4787] AH02238: Unable to configure RSA server private key
[ssl:emerg] [pid 4787] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch


The certificate in question is not self-generated -- it is a purchased commercial certificate and was working perfectly on the previous system. Both systems used the same server name, the same IP address and the same vhosts.conf.



The httpd.conf specifies that Apache should listen on both ports 80 and 443.



The vhosts.conf file is:



<VirtualHost *:443>
DocumentRoot /var/www/html/owncloud
ServerName owncloud.domain.com
ServerAlias www.owncloud.domain.com
Header always add Strict-Transport-Security "max-age=15768000"
ErrorLog logs/owncloud.domain.com-ssl-error_log
CustomLog logs/owncloud.domain.com-ssl-access_log common
<Directory /var/www/html/owncloud >
AllowOverride All
</Directory>

SSLEngine On
SSLProtocol -ALL -SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
SSLCertificateFile /etc/pki/tls/certs/owncloud_domain_com.crt
SSLCertificateKeyFile /etc/pki/tls/certs/owncloud.key
SSLCACertificateFile /etc/pki/tls/certs/owncloud_bundle.crt
</VirtualHost>

<VirtualHost *:80>
ServerName owncloud.domain.com
Redirect permanent / https://owncloud.domain.com/
</VirtualHost>


The relevant lines from httpd.conf are:



Listen 80
Listen 443
ServerName owncloud.domain.com:443


The rest of the httpd.conf file is pretty much as it was installed by CentOS.



I have used openSSL to test the certificate and key files, using the -modulus argument, and the results from both are identical. I also tested for the text of the server name and it is correct in the certificate file, so it does not appear as if anything has happened to either the certificate or the key. Nothing should have -- I copied all the certificate files to a backup before installing the new system, then put them back.



As I mentioned, I've tried everything I could find via on-line searching, but nothing has worked, so any suggestions would be appreciated.



-- Norm



As requested, here is the output of "openssl x509 -in owncloud_domain_com.crt -text -noout":



Certificate:
Data:
Version: 3 (0x2)
Serial Number:
7c:a7:38:a8:1a:67:2d:e3:b4:13:fa:49:33:e8:27:e6
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
Validity
Not Before: Sep 12 00:00:00 2013 GMT
Not After : Sep 11 23:59:59 2018 GMT
Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=owncloud.domain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:ca:c8:8d:41:91:c5:0e:ed:86:a4:6a:6f:fb:86:
6c:a5:4d:68:cb:80:51:f3:2e:7f:9c:97:8a:43:a0:
3e:45:7a:cd:83:ad:a6:72:03:98:20:e5:a0:04:a8:
0b:d0:45:e6:62:ec:1d:c0:d7:fa:04:13:30:b5:e8:
40:f7:00:ef:14:19:c2:37:f3:dd:af:87:cc:70:d5:
dd:51:7a:10:17:35:79:5b:0f:86:4e:d8:ce:73:11:
96:d4:00:c8:41:f9:7d:5c:2e:c5:06:6b:4d:04:d6:
11:6a:03:80:11:c5:06:d9:f5:d1:6d:60:2b:a8:3b:
ba:5d:38:0b:1d:dc:dc:48:3d:ae:ef:7b:48:c2:d9:
5c:c2:72:83:46:bc:d2:78:fd:02:cf:a8:b3:99:66:
36:05:9b:89:56:26:96:2c:1c:eb:54:6d:31:39:32:
4d:e9:f0:b9:b1:ca:e3:8d:40:85:03:9a:37:2d:94:
e8:a6:2c:c9:fd:ba:d2:8f:5c:95:63:e4:52:55:f8:
4a:5a:14:af:a1:ba:38:4d:b8:d9:92:28:98:3d:40:
89:e3:43:f1:bc:ea:14:29:3e:40:09:ad:f8:35:29:
80:1b:4d:a4:91:e2:9d:0b:0c:e5:0d:2b:13:a5:07:
82:9a:97:6b:6f:b1:69:c5:4d:c1:1b:11:cd:07:2c:
38:eb:e7:bb:93:2f:57:aa:a1:38:bb:b7:70:5c:89:
6d:47:d8:e0:6d:1b:9e:60:50:83:b6:93:49:36:7e:
57:c8:c8:2a:f7:30:cb:ee:a5:f5:e7:0c:f3:6f:1a:
82:54:a2:20:49:f5:68:c4:f1:c2:7b:0e:29:28:a8:
2c:9c:52:f4:5f:39:25:2f:fe:f4:ea:7e:92:cc:95:
c9:a5:92:2a:06:8e:9c:00:d0:c1:1c:52:e0:fb:42:
1b:fe:8c:ef:49:82:9a:55:74:5b:95:e1:ec:a6:6f:
96:e6:ae:0d:d9:be:24:db:4e:cc:e0:2d:a3:61:cb:
2a:e3:67:81:6f:5a:72:80:7c:0f:1b:e0:8b:ad:9e:
e2:6a:f7:32:0b:78:c1:ca:ac:38:97:7a:76:53:0f:
9d:12:49:5b:ab:d9:ea:b9:ca:cb:8d:e1:fa:bd:f8:
11:05:05:c7:90:f0:4e:f3:81:75:57:4a:3e:2a:3a:
10:65:34:ea:1c:c0:18:68:bb:f9:0a:6e:ee:fe:73:
16:6d:1f:e8:2c:bf:91:3d:df:26:98:93:8d:88:52:
04:7d:46:ab:eb:6f:e0:9f:1d:f9:ed:b2:75:dc:d8:
eb:61:69:14:83:12:82:09:75:c5:5a:51:a4:2d:17:
fa:ce:66:16:11:bd:5a:a8:ea:9e:af:b3:06:03:86:
5e:fb:6d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7

X509v3 Subject Key Identifier:
8C:70:79:27:C0:EE:36:6F:23:58:2E:46:2B:A6:A7:DE:E3:39:99:B1
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.6449.1.2.1.3.4
CPS: https://secure.comodo.net/CPS
Policy: 2.23.140.1.2.1

X509v3 CRL Distribution Points:

Full Name:
URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl

Authority Information Access:
CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
OCSP - URI:http://ocsp.comodoca.com

X509v3 Subject Alternative Name:
DNS:owncloud.domain.com, DNS:www.owncloud.domain.com
Signature Algorithm: sha256WithRSAEncryption
3a:a6:56:b7:56:ce:f0:ed:e6:ba:d7:1c:31:9d:ff:3d:67:88:
f3:6c:d8:c9:28:42:06:b7:66:2b:39:c6:0b:c4:0a:b2:1d:5e:
f6:4f:4b:30:65:1c:71:4e:a8:89:03:2a:28:45:ca:10:f6:dd:
34:7e:1a:e2:51:a5:c6:32:46:b5:7d:6d:da:2e:ef:51:73:0d:
11:f4:eb:2d:82:4f:22:82:50:fc:ad:be:45:f3:32:96:eb:11:
88:6b:a6:62:3d:3f:7b:a9:b5:d8:af:a4:40:03:00:05:cf:fa:
6b:6a:41:d1:7c:26:6e:66:b0:5a:36:9c:d2:b5:c4:c7:a2:c2:
ce:3a:27:6a:e9:35:18:54:0d:52:05:30:fc:57:74:68:43:ea:
9b:bb:39:d8:b2:81:e8:8a:b6:f2:31:36:81:f4:b7:16:16:1c:
ff:e5:e2:d5:23:78:e2:13:26:8e:31:1e:e1:9f:fd:d2:b7:20:
d4:75:a4:74:32:c3:e9:25:b7:d5:1d:ab:e8:d6:ea:80:13:58:
77:e1:f5:d7:dd:b0:3d:ca:bc:4c:24:40:ff:2d:d2:15:12:97:
56:ed:04:87:aa:85:98:89:b4:f3:ce:32:67:de:43:80:36:fd:
b5:32:2a:69:fb:4d:65:f8:fb:be:fa:08:d1:3b:a6:12:28:46:
34:31:24:1a


Replacing SSLCACertificateFile with SSLCertificateChainFile in the vhosts file, and starting Apache gives these log messages:



[Thu May 03 17:39:52.296052 2018] [ssl:info] [pid 6048] AH02200: Loading certificate & private key of SSL-aware server 'owncloud.domain.com:443'
[Thu May 03 17:39:52.296536 2018] [ssl:debug] [pid 6048] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[Thu May 03 17:39:52.296856 2018] [ssl:info] [pid 6048] AH01914: Configuring server owncloud.domain.com:443 for SSL protocol
[Thu May 03 17:39:52.297384 2018] [ssl:debug] [pid 6048] ssl_engine_init.c(872): AH01904: Configuring server certificate chain (3 CA certificates)
[Thu May 03 17:39:52.297399 2018] [ssl:debug] [pid 6048] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[Thu May 03 17:39:52.297413 2018] [ssl:debug] [pid 6048] ssl_engine_init.c(919): AH02232: Configuring RSA server certificate
[Thu May 03 17:39:52.297509 2018] [ssl:warn] [pid 6048] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu May 03 17:39:52.297599 2018] [ssl:debug] [pid 6048] ssl_util_ssl.c(489): AH02412: [owncloud.domain.com:443] Cert does not match for name 'owncloud.domain.com' [subject: emailAddress=root@localhost.localdomain,CN=localhost.localdomain,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / issuer: emailAddress=root@localhost.localdomain,CN=localhost.localdomain,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / serial: 7B1C / notbefore: Jul 4 10:13:52 2014 GMT / notafter: Jul 4 10:13:52 2015 GMT]
[Thu May 03 17:39:52.297612 2018] [ssl:warn] [pid 6048] AH01909: RSA certificate configured for owncloud.domain.com:443 does NOT include an ID which matches the server name
[Thu May 03 17:39:52.297621 2018] [ssl:debug] [pid 6048] ssl_engine_init.c(974): AH02236: Configuring RSA server private key
[Thu May 03 17:39:52.297649 2018] [ssl:emerg] [pid 6048] AH02238: Unable to configure RSA server private key
[Thu May 03 17:39:52.297667 2018] [ssl:emerg] [pid 6048] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch


In effect, not much has changed, as Apache still won't start.



As requested, the first few lines of the private key file:



-----BEGIN PRIVATE KEY-----
MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQDCcib4fqnUYaGV
mzy6h6e6EUonHY+WeqkwygWV/zwZEcto9pKMyv5ZSYRPTsW4/e3glPMXBlbxIzhj
6f1W76AP8nYplcWJLuj/Qn+JHfaA7nlCHUehtA2Vcut9AuVnvutZZyA3fp+EySXv
Mu8/RhKjXx0C8Zm6vvGKJczw4MSP8JlUtYs+KoXXzVsTbrLCgLBYf0+JUoKBU9s4
Um37cMk8ziRKYZDjsYtKe1D7hA6A3sWZp7czidK7jGH2OoWVHrj46pTo/koxhJpV






share|improve this question













I know this issue has been raised before, and I have searched through all the answers and tried all of the suggestions, none of which solved my problem, so I'll ask for assistance in a new thread.



I have installed and configured a new CentOS7 system, to replace one that got too outdated. It primarily exists to serve up a copy of ownCloud on my network. The previous system worked perfectly, and was configured with an SSL certificate. I have copied over the vhosts.conf file, the certificate files, the key file, and set up ownCloud in the same configuration as I had on the previous system.



However, when I start up Apache, it fails and logs these errors:



[ssl:info] [pid 4787] AH02200: Loading certificate & private key of SSL-aware server 'owncloud.domain.com:443'
[ssl:debug] [pid 4787] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[ssl:info] [pid 4787] AH01914: Configuring server owncloud.domain.com:443 for SSL protocol
[ssl:debug] [pid 4787] ssl_engine_init.c(1536): AH02209: CA certificate: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
[ssl:debug] [pid 4787] ssl_engine_init.c(1536): AH02209: CA certificate: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
[ssl:debug] [pid 4787] ssl_engine_init.c(1536): AH02209: CA certificate: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
[ssl:debug] [pid 4787] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[ssl:debug] [pid 4787] ssl_engine_init.c(919): AH02232: Configuring RSA server certificate
[ssl:warn] [pid 4787] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[ssl:debug] [pid 4787] ssl_util_ssl.c(489): AH02412: [owncloud.domain.com:443] Cert does not match for name 'owncloud.domain.com' [subject: emailAddress=root@localhost.localdomain,CN=localhost.localdomain,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / issuer: emailAddress=root@localhost.localdomain,CN=localhost.localdomain,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / serial: 7B1C / notbefore: Jul 4 10:13:52 2014 GMT / notafter: Jul 4 10:13:52 2015 GMT]
[ssl:warn] [pid 4787] AH01909: RSA certificate configured for owncloud.domain.com:443 does NOT include an ID which matches the server name
[ssl:debug] [pid 4787] ssl_engine_init.c(974): AH02236: Configuring RSA server private key
[ssl:emerg] [pid 4787] AH02238: Unable to configure RSA server private key
[ssl:emerg] [pid 4787] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch


The certificate in question is not self-generated -- it is a purchased commercial certificate and was working perfectly on the previous system. Both systems used the same server name, the same IP address and the same vhosts.conf.



The httpd.conf specifies that Apache should listen on both ports 80 and 443.



The vhosts.conf file is:



<VirtualHost *:443>
DocumentRoot /var/www/html/owncloud
ServerName owncloud.domain.com
ServerAlias www.owncloud.domain.com
Header always add Strict-Transport-Security "max-age=15768000"
ErrorLog logs/owncloud.domain.com-ssl-error_log
CustomLog logs/owncloud.domain.com-ssl-access_log common
<Directory /var/www/html/owncloud >
AllowOverride All
</Directory>

SSLEngine On
SSLProtocol -ALL -SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
SSLCertificateFile /etc/pki/tls/certs/owncloud_domain_com.crt
SSLCertificateKeyFile /etc/pki/tls/certs/owncloud.key
SSLCACertificateFile /etc/pki/tls/certs/owncloud_bundle.crt
</VirtualHost>

<VirtualHost *:80>
ServerName owncloud.domain.com
Redirect permanent / https://owncloud.domain.com/
</VirtualHost>


The relevant lines from httpd.conf are:



Listen 80
Listen 443
ServerName owncloud.domain.com:443


The rest of the httpd.conf file is pretty much as it was installed by CentOS.



I have used openSSL to test the certificate and key files, using the -modulus argument, and the results from both are identical. I also tested for the text of the server name and it is correct in the certificate file, so it does not appear as if anything has happened to either the certificate or the key. Nothing should have -- I copied all the certificate files to a backup before installing the new system, then put them back.



As I mentioned, I've tried everything I could find via on-line searching, but nothing has worked, so any suggestions would be appreciated.



-- Norm



As requested, here is the output of "openssl x509 -in owncloud_domain_com.crt -text -noout":



Certificate:
Data:
Version: 3 (0x2)
Serial Number:
7c:a7:38:a8:1a:67:2d:e3:b4:13:fa:49:33:e8:27:e6
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
Validity
Not Before: Sep 12 00:00:00 2013 GMT
Not After : Sep 11 23:59:59 2018 GMT
Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=owncloud.domain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:ca:c8:8d:41:91:c5:0e:ed:86:a4:6a:6f:fb:86:
6c:a5:4d:68:cb:80:51:f3:2e:7f:9c:97:8a:43:a0:
3e:45:7a:cd:83:ad:a6:72:03:98:20:e5:a0:04:a8:
0b:d0:45:e6:62:ec:1d:c0:d7:fa:04:13:30:b5:e8:
40:f7:00:ef:14:19:c2:37:f3:dd:af:87:cc:70:d5:
dd:51:7a:10:17:35:79:5b:0f:86:4e:d8:ce:73:11:
96:d4:00:c8:41:f9:7d:5c:2e:c5:06:6b:4d:04:d6:
11:6a:03:80:11:c5:06:d9:f5:d1:6d:60:2b:a8:3b:
ba:5d:38:0b:1d:dc:dc:48:3d:ae:ef:7b:48:c2:d9:
5c:c2:72:83:46:bc:d2:78:fd:02:cf:a8:b3:99:66:
36:05:9b:89:56:26:96:2c:1c:eb:54:6d:31:39:32:
4d:e9:f0:b9:b1:ca:e3:8d:40:85:03:9a:37:2d:94:
e8:a6:2c:c9:fd:ba:d2:8f:5c:95:63:e4:52:55:f8:
4a:5a:14:af:a1:ba:38:4d:b8:d9:92:28:98:3d:40:
89:e3:43:f1:bc:ea:14:29:3e:40:09:ad:f8:35:29:
80:1b:4d:a4:91:e2:9d:0b:0c:e5:0d:2b:13:a5:07:
82:9a:97:6b:6f:b1:69:c5:4d:c1:1b:11:cd:07:2c:
38:eb:e7:bb:93:2f:57:aa:a1:38:bb:b7:70:5c:89:
6d:47:d8:e0:6d:1b:9e:60:50:83:b6:93:49:36:7e:
57:c8:c8:2a:f7:30:cb:ee:a5:f5:e7:0c:f3:6f:1a:
82:54:a2:20:49:f5:68:c4:f1:c2:7b:0e:29:28:a8:
2c:9c:52:f4:5f:39:25:2f:fe:f4:ea:7e:92:cc:95:
c9:a5:92:2a:06:8e:9c:00:d0:c1:1c:52:e0:fb:42:
1b:fe:8c:ef:49:82:9a:55:74:5b:95:e1:ec:a6:6f:
96:e6:ae:0d:d9:be:24:db:4e:cc:e0:2d:a3:61:cb:
2a:e3:67:81:6f:5a:72:80:7c:0f:1b:e0:8b:ad:9e:
e2:6a:f7:32:0b:78:c1:ca:ac:38:97:7a:76:53:0f:
9d:12:49:5b:ab:d9:ea:b9:ca:cb:8d:e1:fa:bd:f8:
11:05:05:c7:90:f0:4e:f3:81:75:57:4a:3e:2a:3a:
10:65:34:ea:1c:c0:18:68:bb:f9:0a:6e:ee:fe:73:
16:6d:1f:e8:2c:bf:91:3d:df:26:98:93:8d:88:52:
04:7d:46:ab:eb:6f:e0:9f:1d:f9:ed:b2:75:dc:d8:
eb:61:69:14:83:12:82:09:75:c5:5a:51:a4:2d:17:
fa:ce:66:16:11:bd:5a:a8:ea:9e:af:b3:06:03:86:
5e:fb:6d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7

X509v3 Subject Key Identifier:
8C:70:79:27:C0:EE:36:6F:23:58:2E:46:2B:A6:A7:DE:E3:39:99:B1
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.6449.1.2.1.3.4
CPS: https://secure.comodo.net/CPS
Policy: 2.23.140.1.2.1

X509v3 CRL Distribution Points:

Full Name:
URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl

Authority Information Access:
CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
OCSP - URI:http://ocsp.comodoca.com

X509v3 Subject Alternative Name:
DNS:owncloud.domain.com, DNS:www.owncloud.domain.com
Signature Algorithm: sha256WithRSAEncryption
3a:a6:56:b7:56:ce:f0:ed:e6:ba:d7:1c:31:9d:ff:3d:67:88:
f3:6c:d8:c9:28:42:06:b7:66:2b:39:c6:0b:c4:0a:b2:1d:5e:
f6:4f:4b:30:65:1c:71:4e:a8:89:03:2a:28:45:ca:10:f6:dd:
34:7e:1a:e2:51:a5:c6:32:46:b5:7d:6d:da:2e:ef:51:73:0d:
11:f4:eb:2d:82:4f:22:82:50:fc:ad:be:45:f3:32:96:eb:11:
88:6b:a6:62:3d:3f:7b:a9:b5:d8:af:a4:40:03:00:05:cf:fa:
6b:6a:41:d1:7c:26:6e:66:b0:5a:36:9c:d2:b5:c4:c7:a2:c2:
ce:3a:27:6a:e9:35:18:54:0d:52:05:30:fc:57:74:68:43:ea:
9b:bb:39:d8:b2:81:e8:8a:b6:f2:31:36:81:f4:b7:16:16:1c:
ff:e5:e2:d5:23:78:e2:13:26:8e:31:1e:e1:9f:fd:d2:b7:20:
d4:75:a4:74:32:c3:e9:25:b7:d5:1d:ab:e8:d6:ea:80:13:58:
77:e1:f5:d7:dd:b0:3d:ca:bc:4c:24:40:ff:2d:d2:15:12:97:
56:ed:04:87:aa:85:98:89:b4:f3:ce:32:67:de:43:80:36:fd:
b5:32:2a:69:fb:4d:65:f8:fb:be:fa:08:d1:3b:a6:12:28:46:
34:31:24:1a


Replacing SSLCACertificateFile with SSLCertificateChainFile in the vhosts file, and starting Apache gives these log messages:



[Thu May 03 17:39:52.296052 2018] [ssl:info] [pid 6048] AH02200: Loading certificate & private key of SSL-aware server 'owncloud.domain.com:443'
[Thu May 03 17:39:52.296536 2018] [ssl:debug] [pid 6048] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[Thu May 03 17:39:52.296856 2018] [ssl:info] [pid 6048] AH01914: Configuring server owncloud.domain.com:443 for SSL protocol
[Thu May 03 17:39:52.297384 2018] [ssl:debug] [pid 6048] ssl_engine_init.c(872): AH01904: Configuring server certificate chain (3 CA certificates)
[Thu May 03 17:39:52.297399 2018] [ssl:debug] [pid 6048] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[Thu May 03 17:39:52.297413 2018] [ssl:debug] [pid 6048] ssl_engine_init.c(919): AH02232: Configuring RSA server certificate
[Thu May 03 17:39:52.297509 2018] [ssl:warn] [pid 6048] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu May 03 17:39:52.297599 2018] [ssl:debug] [pid 6048] ssl_util_ssl.c(489): AH02412: [owncloud.domain.com:443] Cert does not match for name 'owncloud.domain.com' [subject: emailAddress=root@localhost.localdomain,CN=localhost.localdomain,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / issuer: emailAddress=root@localhost.localdomain,CN=localhost.localdomain,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- / serial: 7B1C / notbefore: Jul 4 10:13:52 2014 GMT / notafter: Jul 4 10:13:52 2015 GMT]
[Thu May 03 17:39:52.297612 2018] [ssl:warn] [pid 6048] AH01909: RSA certificate configured for owncloud.domain.com:443 does NOT include an ID which matches the server name
[Thu May 03 17:39:52.297621 2018] [ssl:debug] [pid 6048] ssl_engine_init.c(974): AH02236: Configuring RSA server private key
[Thu May 03 17:39:52.297649 2018] [ssl:emerg] [pid 6048] AH02238: Unable to configure RSA server private key
[Thu May 03 17:39:52.297667 2018] [ssl:emerg] [pid 6048] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch


In effect, not much has changed, as Apache still won't start.



As requested, the first few lines of the private key file:



-----BEGIN PRIVATE KEY-----
MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQDCcib4fqnUYaGV
mzy6h6e6EUonHY+WeqkwygWV/zwZEcto9pKMyv5ZSYRPTsW4/e3glPMXBlbxIzhj
6f1W76AP8nYplcWJLuj/Qn+JHfaA7nlCHUehtA2Vcut9AuVnvutZZyA3fp+EySXv
Mu8/RhKjXx0C8Zm6vvGKJczw4MSP8JlUtYs+KoXXzVsTbrLCgLBYf0+JUoKBU9s4
Um37cMk8ziRKYZDjsYtKe1D7hA6A3sWZp7czidK7jGH2OoWVHrj46pTo/koxhJpV








share|improve this question












share|improve this question




share|improve this question








edited May 4 at 15:05
























asked May 3 at 20:05









npowroz

84




84











  • Nope, no chroot. It's all pretty plain vanilla.
    – npowroz
    May 3 at 21:31










  • Can you replace SSLCACertificateFile by SSLCertificateChainFile and (re)start Apache?
    – Rui F Ribeiro
    May 3 at 21:34










  • results added to the main question
    – npowroz
    May 3 at 21:48










  • As I mentioned, this all worked perfectly on the previous incarnation of this server, which is one of the reasons why I'm stumped.
    – npowroz
    May 3 at 22:02






  • 1




    Well, the comments in the httpd.conf file specifically say that there should be a ServerName, but taking it out didn't make any difference.
    – npowroz
    May 3 at 22:19
















  • Nope, no chroot. It's all pretty plain vanilla.
    – npowroz
    May 3 at 21:31










  • Can you replace SSLCACertificateFile by SSLCertificateChainFile and (re)start Apache?
    – Rui F Ribeiro
    May 3 at 21:34










  • results added to the main question
    – npowroz
    May 3 at 21:48










  • As I mentioned, this all worked perfectly on the previous incarnation of this server, which is one of the reasons why I'm stumped.
    – npowroz
    May 3 at 22:02






  • 1




    Well, the comments in the httpd.conf file specifically say that there should be a ServerName, but taking it out didn't make any difference.
    – npowroz
    May 3 at 22:19















Nope, no chroot. It's all pretty plain vanilla.
– npowroz
May 3 at 21:31




Nope, no chroot. It's all pretty plain vanilla.
– npowroz
May 3 at 21:31












Can you replace SSLCACertificateFile by SSLCertificateChainFile and (re)start Apache?
– Rui F Ribeiro
May 3 at 21:34




Can you replace SSLCACertificateFile by SSLCertificateChainFile and (re)start Apache?
– Rui F Ribeiro
May 3 at 21:34












results added to the main question
– npowroz
May 3 at 21:48




results added to the main question
– npowroz
May 3 at 21:48












As I mentioned, this all worked perfectly on the previous incarnation of this server, which is one of the reasons why I'm stumped.
– npowroz
May 3 at 22:02




As I mentioned, this all worked perfectly on the previous incarnation of this server, which is one of the reasons why I'm stumped.
– npowroz
May 3 at 22:02




1




1




Well, the comments in the httpd.conf file specifically say that there should be a ServerName, but taking it out didn't make any difference.
– npowroz
May 3 at 22:19




Well, the comments in the httpd.conf file specifically say that there should be a ServerName, but taking it out didn't make any difference.
– npowroz
May 3 at 22:19










1 Answer
1






active

oldest

votes

















up vote
1
down vote



accepted










Your openssl x509 -in owncloud_domain_com.crt -text -noout output says that the certificate is not a CA certificate and that it should be valid from September 2013 to September 2018.



However, Apache's messages seem to talk about some other certificate:



[ssl:warn] [pid 4787] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)


...and here (line wrapped for readability):



[ssl:debug] [pid 4787] ssl_util_ssl.c(489): AH02412: [owncloud.domain.com:443]
Cert does not match for name 'owncloud.domain.com'
[subject: emailAddress=root@localhost.localdomain,CN=localhost.localdomain,
OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- /
issuer: emailAddress=root@localhost.localdomain,CN=localhost.localdomain,
OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- /
serial: 7B1C / notbefore: Jul 4 10:13:52 2014 GMT / notafter: Jul 4 10:13:52 2015 GMT]


The certificate Apache is reading has a Common Name of "localhost.localdomain" and it has been expired since July 2015.



This really looks like a default auto-generated "snakeoil" certificate, rather than the certificate you're talking about.



Please run grep -r SSLCertificateFile /etc/httpd and see if remnants of the default configuration are left in any other Apache configuration file. It might be that another SSLCertificateFile directive is overriding the one you've specified in your vhosts.conf.






share|improve this answer





















  • SUCCESS! It turns out that there was an SSLCertificateFile line in the default ssl.conf file that was indeed pointing to the localhost.crt file. This must have been put in place when I installed mod_ssl via yum. I know I looked at the ssl.conf content several times, but must have thought the SSLCertificateFile line would be superseded by my vhosts file. Stupid of me, but Linux isn't my long suit. Thanks very much to everyone who contributed to this frustrating issue. Cheers Norm
    – npowroz
    May 4 at 16:39










Your Answer







StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);








 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f441648%2fcentos7-apache-rsa-certificate-does-not-include-an-id-which-matches-the-server%23new-answer', 'question_page');

);

Post as a guest






























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
1
down vote



accepted










Your openssl x509 -in owncloud_domain_com.crt -text -noout output says that the certificate is not a CA certificate and that it should be valid from September 2013 to September 2018.



However, Apache's messages seem to talk about some other certificate:



[ssl:warn] [pid 4787] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)


...and here (line wrapped for readability):



[ssl:debug] [pid 4787] ssl_util_ssl.c(489): AH02412: [owncloud.domain.com:443]
Cert does not match for name 'owncloud.domain.com'
[subject: emailAddress=root@localhost.localdomain,CN=localhost.localdomain,
OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- /
issuer: emailAddress=root@localhost.localdomain,CN=localhost.localdomain,
OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- /
serial: 7B1C / notbefore: Jul 4 10:13:52 2014 GMT / notafter: Jul 4 10:13:52 2015 GMT]


The certificate Apache is reading has a Common Name of "localhost.localdomain" and it has been expired since July 2015.



This really looks like a default auto-generated "snakeoil" certificate, rather than the certificate you're talking about.



Please run grep -r SSLCertificateFile /etc/httpd and see if remnants of the default configuration are left in any other Apache configuration file. It might be that another SSLCertificateFile directive is overriding the one you've specified in your vhosts.conf.






share|improve this answer





















  • SUCCESS! It turns out that there was an SSLCertificateFile line in the default ssl.conf file that was indeed pointing to the localhost.crt file. This must have been put in place when I installed mod_ssl via yum. I know I looked at the ssl.conf content several times, but must have thought the SSLCertificateFile line would be superseded by my vhosts file. Stupid of me, but Linux isn't my long suit. Thanks very much to everyone who contributed to this frustrating issue. Cheers Norm
    – npowroz
    May 4 at 16:39














up vote
1
down vote



accepted










Your openssl x509 -in owncloud_domain_com.crt -text -noout output says that the certificate is not a CA certificate and that it should be valid from September 2013 to September 2018.



However, Apache's messages seem to talk about some other certificate:



[ssl:warn] [pid 4787] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)


...and here (line wrapped for readability):



[ssl:debug] [pid 4787] ssl_util_ssl.c(489): AH02412: [owncloud.domain.com:443]
Cert does not match for name 'owncloud.domain.com'
[subject: emailAddress=root@localhost.localdomain,CN=localhost.localdomain,
OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- /
issuer: emailAddress=root@localhost.localdomain,CN=localhost.localdomain,
OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- /
serial: 7B1C / notbefore: Jul 4 10:13:52 2014 GMT / notafter: Jul 4 10:13:52 2015 GMT]


The certificate Apache is reading has a Common Name of "localhost.localdomain" and it has been expired since July 2015.



This really looks like a default auto-generated "snakeoil" certificate, rather than the certificate you're talking about.



Please run grep -r SSLCertificateFile /etc/httpd and see if remnants of the default configuration are left in any other Apache configuration file. It might be that another SSLCertificateFile directive is overriding the one you've specified in your vhosts.conf.






share|improve this answer





















  • SUCCESS! It turns out that there was an SSLCertificateFile line in the default ssl.conf file that was indeed pointing to the localhost.crt file. This must have been put in place when I installed mod_ssl via yum. I know I looked at the ssl.conf content several times, but must have thought the SSLCertificateFile line would be superseded by my vhosts file. Stupid of me, but Linux isn't my long suit. Thanks very much to everyone who contributed to this frustrating issue. Cheers Norm
    – npowroz
    May 4 at 16:39












up vote
1
down vote



accepted







up vote
1
down vote



accepted






Your openssl x509 -in owncloud_domain_com.crt -text -noout output says that the certificate is not a CA certificate and that it should be valid from September 2013 to September 2018.



However, Apache's messages seem to talk about some other certificate:



[ssl:warn] [pid 4787] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)


...and here (line wrapped for readability):



[ssl:debug] [pid 4787] ssl_util_ssl.c(489): AH02412: [owncloud.domain.com:443]
Cert does not match for name 'owncloud.domain.com'
[subject: emailAddress=root@localhost.localdomain,CN=localhost.localdomain,
OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- /
issuer: emailAddress=root@localhost.localdomain,CN=localhost.localdomain,
OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- /
serial: 7B1C / notbefore: Jul 4 10:13:52 2014 GMT / notafter: Jul 4 10:13:52 2015 GMT]


The certificate Apache is reading has a Common Name of "localhost.localdomain" and it has been expired since July 2015.



This really looks like a default auto-generated "snakeoil" certificate, rather than the certificate you're talking about.



Please run grep -r SSLCertificateFile /etc/httpd and see if remnants of the default configuration are left in any other Apache configuration file. It might be that another SSLCertificateFile directive is overriding the one you've specified in your vhosts.conf.






share|improve this answer













Your openssl x509 -in owncloud_domain_com.crt -text -noout output says that the certificate is not a CA certificate and that it should be valid from September 2013 to September 2018.



However, Apache's messages seem to talk about some other certificate:



[ssl:warn] [pid 4787] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)


...and here (line wrapped for readability):



[ssl:debug] [pid 4787] ssl_util_ssl.c(489): AH02412: [owncloud.domain.com:443]
Cert does not match for name 'owncloud.domain.com'
[subject: emailAddress=root@localhost.localdomain,CN=localhost.localdomain,
OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- /
issuer: emailAddress=root@localhost.localdomain,CN=localhost.localdomain,
OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=-- /
serial: 7B1C / notbefore: Jul 4 10:13:52 2014 GMT / notafter: Jul 4 10:13:52 2015 GMT]


The certificate Apache is reading has a Common Name of "localhost.localdomain" and it has been expired since July 2015.



This really looks like a default auto-generated "snakeoil" certificate, rather than the certificate you're talking about.



Please run grep -r SSLCertificateFile /etc/httpd and see if remnants of the default configuration are left in any other Apache configuration file. It might be that another SSLCertificateFile directive is overriding the one you've specified in your vhosts.conf.







share|improve this answer













share|improve this answer



share|improve this answer











answered May 4 at 16:15









telcoM

10.2k11032




10.2k11032











  • SUCCESS! It turns out that there was an SSLCertificateFile line in the default ssl.conf file that was indeed pointing to the localhost.crt file. This must have been put in place when I installed mod_ssl via yum. I know I looked at the ssl.conf content several times, but must have thought the SSLCertificateFile line would be superseded by my vhosts file. Stupid of me, but Linux isn't my long suit. Thanks very much to everyone who contributed to this frustrating issue. Cheers Norm
    – npowroz
    May 4 at 16:39
















  • SUCCESS! It turns out that there was an SSLCertificateFile line in the default ssl.conf file that was indeed pointing to the localhost.crt file. This must have been put in place when I installed mod_ssl via yum. I know I looked at the ssl.conf content several times, but must have thought the SSLCertificateFile line would be superseded by my vhosts file. Stupid of me, but Linux isn't my long suit. Thanks very much to everyone who contributed to this frustrating issue. Cheers Norm
    – npowroz
    May 4 at 16:39















SUCCESS! It turns out that there was an SSLCertificateFile line in the default ssl.conf file that was indeed pointing to the localhost.crt file. This must have been put in place when I installed mod_ssl via yum. I know I looked at the ssl.conf content several times, but must have thought the SSLCertificateFile line would be superseded by my vhosts file. Stupid of me, but Linux isn't my long suit. Thanks very much to everyone who contributed to this frustrating issue. Cheers Norm
– npowroz
May 4 at 16:39




SUCCESS! It turns out that there was an SSLCertificateFile line in the default ssl.conf file that was indeed pointing to the localhost.crt file. This must have been put in place when I installed mod_ssl via yum. I know I looked at the ssl.conf content several times, but must have thought the SSLCertificateFile line would be superseded by my vhosts file. Stupid of me, but Linux isn't my long suit. Thanks very much to everyone who contributed to this frustrating issue. Cheers Norm
– npowroz
May 4 at 16:39












 

draft saved


draft discarded


























 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f441648%2fcentos7-apache-rsa-certificate-does-not-include-an-id-which-matches-the-server%23new-answer', 'question_page');

);

Post as a guest













































































Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?