Apache SSL: server cert does not include ID which matches server name
Okay, I noticed that this post is viewed quite often recently and so it seems that a lot of people are facing the same issue that I did. If so then this might help you.
I have followed a simple step-by-step tutorial to create a SSL-certification for my webserver. Like so many tutorials out there the outcome of the tutorial I followed was a self-signed certificate using OpenSSL. Yep self-signed, that was the problem. The browser could not trust the server due to it's certificate which is signed by itself. Well I wouldn't do either...
A certificate has to be signed by an external trustworthy certificate authority (CA). So I stumbled upon Let's Encrypt which does all the work for you and is even easier to set up and the best is: it is absolutely free.
Installation
1) Delete your old ssl cert files which you have created by using OpenSSL
2) Open backports to get certbot client on Debian. You should know that this will open a hole for unfinished software! Install only the packages when you are aware about what you are doing.
echo 'deb http://ftp.debian.org/debian jessie-backports main' | sudo tee /etc/apt/sources.list.d/backports.list
3) Update your linux system
sudo apt-get update
4) Install certbot
sudo apt-get install python-certbot-apache -t jessie-backports
5) Set up apache ServerName and ServerAlias
sudo nano /etc/apache2/sites-available/000-default.conf
6) Edit apache config file
<VirtualHost *:80>
. . .
ServerName example.com
ServerAlias www.example.com
. . .
</VirtualHost>
7) Check for a correct syntax
sudo apache2ctl configtest
8) If the config file looks fine, restart apache server
sudo systemctl restart apache2
9) Set up a certificate using certbot and follow the instruction on screen.
sudo certbot --apache
Renewal
All certificates by Let's Encrypt are valid through 3 months. To renew the you can manually run
sudo certbot renew
Or automate this service as a cron job
sudo crontab -e
and enter the following row to invoke a renewal every Monday at 2:30 am.
. . .
30 2 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log
You can follow a more detailled tutorial here: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-8
In my case I have resolved this by replaced in my apache ssl config file for each concerned domain :
ServerName mydomain.com
ServerAlias www.mydomain.com
by :
ServerName www.mydomain.com
ServerAlias mydomain.com
Because my certificate is for "www.mydomain.com" and not for "mydomain.com"
complete apache file :
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin [email protected]
ServerName www.mydomain.com
ServerAlias mydomain.com
DocumentRoot /home/mydomain.com/public_html
SetOutputFilter DEFLATE
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|ico|png)$ \ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ \no-gzip dont-vary
SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
<Directory />
Options +FollowSymLinks
AllowOverride All
</Directory>
<Directory /home/mydomain.com/public_html>
Options -Indexes +FollowSymLinks +MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride All
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
SSLCertificateFile /etc/letsencrypt/live/www.mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.mydomain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
If you are seeing no other SSL errors, and if you have tried setting 'LogLevel debug' in the httpd.conf file, this error message can also suggest 'Listen 443' is missing from the httpd.conf file.