Greetings All,
After much scouring of the web (modssl mailing list
archives, newsgroups, websites) I can't seem to find a resolution to my
problem. I've built apache_1.3.33, mod_ssl-2.8.22-1.3.33 and mm-1.3.1 as per
the modssl INSTALL doc, section b (the flexible APACI-only way). Modssl is
built and loaded as a DSO. I have a Verisign global certificate that I've
installed, along with the appropriate intermediate certificate
(SSLCertificateChainFile). I have also installed the root CA certs as well
(SSLCACertificateFile).
Here is my problem. When I navigate to the site
(FQDN, not IP), via a browser (IE, Firefox, Mozilla…), I get a Domain Name
Mismatch error reported by the browser. When I view the certificate, it shows
that the CN matches the FQDN of the website, exactly. The website is www.myhost.domain.com and the CN
that I used to create the cert is also www.myhost.domain.com. There is
no mismatch between the FQDN of the site and the CN in the cert, yet the
browser thinks there is. I can do a forward and reverse lookup on the FQDN and
it's corresponding IP and both are correct, so this leads me to believe it's
not a DNS issue. I viewed the cert in IE and checked the certificate path (3rd
tab). The certificate status of all three certs (root, intermediate and my
cert) is reported as 'OK'. The intermediate and root CA's also load with no
errors (verified in the ssl_engine_log). This leads me to believe it's not a
chaining problem. I've also tried creating and signing my own cert for testing
purposes and I have the same issue, so that leads me to believe it's not a
cert issue. I've also verified the csr, cert and key and they all match up.
I'm at a loss here, so any help would be greatly
appreciated. From all my research and what I've read, my error should really
only stem from not using the FQDN of the site when creating the csr, but this
is not the case. I quadruple checked it and I've created test certs as well,
with the same results. Has anyone had a similar problem? Any suggestions on
apache server config? I've even tried it with the most basic SSL options
enabled in my httpd.conf file that would allow the hosting of an SSL enabled
site. Thanks for your time and suggestions!
Regards,
Scott
Haskell
Solaris SA, Merrill Lynch Pro, San
Francisco
If you are not an intended recipient of this e-mail, please notify the
sender, delete it and do not read, act upon, print, disclose, copy, retain or
redistribute it.
Click here for
important additional terms relating to this e-mail.
http://www.ml.com/email_terms/