Another way to verify is shown in:
https://serverfault.com/questions/578061/rsa-certificate-configured-for-server-does-not-include-an-id-which-matches-the-s
openssl x509 -in server.crt -noout -subject
Does that also confirm the expected value?
Also, what happens if you use standard https port of 443 rather than 8443?
Also do a Google search for other ideas, by searching for:
AH01909 RSA certificate configured for does NOT include an ID which matches
the server name
Finally, what happens if you actually try and access the web site? I don't
recollect you saying even what happens if you do.
Graham
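
The two checks this thread turns on (does the certificate cover the value given to --server-name, and is the key file a readable private key for that certificate), as an added shell example that is not part of the original messages. The host names and files are constructed for the demo, and it assumes OpenSSL 1.1.1 or later for `-addext`.

```bash
#!/usr/bin/env bash
# Added example: all names and files below are constructed, not from the thread.

# cert_covers_name CERT NAME: succeeds if OpenSSL's own hostname check
# accepts NAME for CERT (SAN dNSName entries, CN only when no SAN exists).
cert_covers_name() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null \
        | grep -q 'does match certificate'
}

# key_matches_cert CERT KEY: succeeds if KEY parses as a private key and its
# public half equals the certificate's. A non-PEM file (for example a Java
# keystore passed as the key file) fails here instead of at server start.
key_matches_cert() {
    local from_cert from_key
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# make_demo_cert DIR: writes a throwaway key and self-signed certificate
# whose only name is www.example.test (constructed sample input).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.example.test" \
        -addext "subjectAltName=DNS:www.example.test" \
        -keyout "$1/demo.key" -out "$1/demo.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir"
printf 'not a PEM key\n' > "$demo_dir/demo.keystore"  # stand-in for a non-PEM key file

for name in www.example.test example.test; do
    if cert_covers_name "$demo_dir/demo.crt" "$name"; then
        echo "--server-name $name: covered by the certificate"
    else
        echo "--server-name $name: not covered (the mismatch AH01909 warns about)"
    fi
done
for key in demo.key demo.keystore; do
    if key_matches_cert "$demo_dir/demo.crt" "$demo_dir/$key"; then
        echo "$key: private key matches the certificate"
    else
        echo "$key: unreadable, or not the key for this certificate"
    fi
done
```
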
> On 22 Nov 2021, at 5:48 pm, Shetu <[email protected]> wrote:
>
> I verified the server name in the certificate and it is correct
>
> On Monday, November 22, 2021 at 11:57:35 AM UTC+5:30 Graham Dumpleton wrote:
> Verify what hostname is set in the certificate.
>
> https://support.qacafe.com/knowledge-base/how-do-i-display-the-contents-of-a-ssl-certificate/
>
> Probably the "Subject Alternative Name" setting, but then I am not an expert
> on how these things are supposed to look, so that is a guess.
>
>
>> On 22 Nov 2021, at 5:24 pm, Shetu <[email protected]> wrote:
>>
>> If I remove host parameter, the application still runs on
>> www.server_name.com:8443 and I still get the warning:-
>> --> RSA certificate configured for ?.?.?.?:8443 does NOT include an ID which
>> matches the server name
>>
>>
>> On Monday, November 22, 2021 at 11:13:21 AM UTC+5:30 Graham Dumpleton wrote:
>> And what happens if you use:
>>
>> /manage.py runmodwsgi --https-only --https-port 8443 --server-name
>> my_server_name.com --ssl-certificate-key-file
>> /apps/django_app/keystore/host_name.key --ssl-certificate-file
>> /apps/django_app/keystore/server_name.crt
>>
>> The --host argument shouldn't be necessary as it would listen on all host
>> interfaces anyway.
>>
>> If you still get warning:
>>
>> > RSA certificate configured for ?.?.?.?:8443 does NOT include an ID which
>> > matches the server name
>>
>> it would suggest the certificate you were given is not for the host
>> "my_server_name.com" that you are giving as argument to --server-name.
>>
>>
>>> On 22 Nov 2021, at 4:34 pm, Shetu <[email protected]> wrote:
>>>
>>> Hi Graham,
>>>
>>> I extracted the private key into .key file. The application is running on
>>> www.server_name.com:8443. I added --host
>>> parameter also to the mod_wsgi startup command to see whether it runs or
>>> not on https port if I use ip address of the server instead of server_name
>>> in the url but it does not work. I am getting this warning in the logs:-
>>>
>>> [Mon Nov 22 05:16:19 2021] [ip AH01909: RSA certificate configured for
>>> 0.0.0.0:8443 does NOT include an ID which matches
>>> the server name
>>> [Mon Nov 22 05:16:19 2021] [ip AH02292: Init: Name-based SSL virtual hosts
>>> only work for clients with TLS server name indication support (RFC 4366)
>>> [Mon Nov 22 05:16:19 2021] [ip AH01873: Init: Session Cache is not
>>> configured [hint: SSLSessionCache]
>>> [Mon Nov 22 05:16:19 2021] [ip AH01909: RSA certificate configured for
>>> 0.0.0.0:8443 does NOT include an ID which matches
>>> the server name
>>> [Mon Nov 22 05:16:19 2021] [ip AH02292: Init: Name-based SSL virtual hosts
>>> only work for clients with TLS server name indication support (RFC 4366)
>>> [Mon Nov 22 05:16:19 2021] [ip AH00489: Apache/2.4.46 (Unix) mod_wsgi/4.7.1
>>> Python/3.6 OpenSSL/1.0.2k-fips configured -- resuming normal operations
>>>
>>> Here is the mod_wsgi startup command:-
>>>
>>> /manage.py runmodwsgi --https-only --https-port 8443 --host 0.0.0.0
>>> --server-name my_server_name.com
>>> --ssl-certificate-key-file /apps/django_app/keystore/host_name.key
>>> --ssl-certificate-file /apps/django_app/keystore/server_name.crt
>>>
>>> Will this configuration work if I assign a DNS to this host or do I need to
>>> add some more configuration here since it does not work with ip address?
>>> Also if I remove --server-name from the command and just keep --host, it
>>> does not work.
>>>
>>> Regards,
>>> Shetu
>>>
>>>
>>> On Friday, November 19, 2021 at 12:59:09 PM UTC+5:30 Graham Dumpleton wrote:
>>> It is not uncommon to have files in a different format to what is required
>>> and you need to convert and even possibly extract out just the private key
>>> from a file which contains multiple things. You are going to need to look
>>> at docs for your certificate authority to understand what is the private
>>> key or how to extract/convert it to what Apache wants from what you have
>>> been given.
>>>
>>> You want the file necessary for SSLCertificateKeyFile directive in Apache.
>>>
>>> https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatekeyfile
>>>
>>> Graham
>>>
>>>
>>>> On 19 Nov 2021, at 6:16 pm, Shetu <[email protected]> wrote:
>>>>
>>>> I have the following set of keys and certificates which I got from the
>>>> certificate authority:-
>>>>
>>>> host_name.csr
>>>> server_name.crt
>>>> Intermediate-CA.pem
>>>> ROOT-CA.pem
>>>> host_name.keystore.original
>>>> host_name.keystore
>>>>
>>>> I have set the key file as the .pem file but still getting this error:-
>>>>
>>>> [Fri Nov 19 07:10:33 2021] [ip AH02203: Init: Private key not found
>>>> [Fri Nov 19 07:10:33 2021] [ip SSL Library Error: error:0D0680A8:asn1
>>>> encoding routines:ASN1_CHECK_TLEN:wrong tag
>>>> [Fri Nov 19 07:10:33 2021] [ip SSL Library Error: error:0D08303A:asn1
>>>> encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
>>>> [Fri Nov 19 07:10:33 2021] [ip SSL Library Error: error:0D0680A8:asn1
>>>> encoding routines:ASN1_CHECK_TLEN:wrong tag
>>>> [Fri Nov 19 07:10:33 2021] [ip SSL Library Error: error:0D07803A:asn1
>>>> encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=RSA)
>>>> [Fri Nov 19 07:10:33 2021] [ip SSL Library Error: error:04093004:rsa
>>>> routines:OLD_RSA_PRIV_DECODE:RSA lib
>>>> [Fri Nov 19 07:10:33 2021] [ip SSL Library Error: error:0D0680A8:asn1
>>>> encoding routines:ASN1_CHECK_TLEN:wrong tag
>>>> [Fri Nov 19 07:10:33 2021] [ip SSL Library Error: error:0D07803A:asn1
>>>> encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
>>>> (Type=PKCS8_PRIV_KEY_INFO)
>>>> [Fri Nov 19 07:10:33.592064 2021] [ssl:emerg] [pid 18369:tid
>>>> 140598354167616] AH02312: Fatal error initialising mod_ssl, exiting.
>>>>
>>>>
>>>>
>>>> On Friday, November 19, 2021 at 12:38:14 PM UTC+5:30 Graham Dumpleton
>>>> wrote:
>>>> Are you sure you are using the correct file for the private key? I have
>>>> never seen a convention of the private key file having a '.keystore'
>>>> extension. Would usually be a .pem file extension.
>>>>
>>>> Graham
>>>>
>>>>
>>>>> On 19 Nov 2021, at 6:05 pm, Shetu <[email protected]> wrote:
>>>>>
>>>>> Getting these errors :-
>>>>> [Fri Nov 19 06:57:36 2021] [ip AH02203: Init: Private key not found
>>>>> [Fri Nov 19 06:57:36 2021] [ip SSL Library Error: error:0D07207B:asn1
>>>>> encoding routines:ASN1_get_object:header too long
>>>>> [Fri Nov 19 06:57:36.717374 2021] [ssl:emerg] [pid 12557:tid
>>>>> 139779757414208] AH02312: Fatal error initialising mod_ssl, exiting.
>>>>>
>>>>>
>>>>> I have also added the server name in the command
>>>>>
>>>>> On Friday, November 19, 2021 at 12:10:21 PM UTC+5:30 Graham Dumpleton
>>>>> wrote:
>>>>> What are the error messages you are getting and where?
>>>>>
>>>>> Also be aware you must supply the --server-name option with the hostname
>>>>> of the site which matches what you set in the certificate.
>>>>>
>>>>>
>>>>>> On 19 Nov 2021, at 5:36 pm, Shetu <[email protected]> wrote:
>>>>>>
>>>>>> Hi Graham,
>>>>>>
>>>>>> I am using modwsgi express to run my Django application on mod_wsgi
>>>>>> Apache server. I am not able to start my server on https port although
>>>>>> it works on http port.
>>>>>>
>>>>>> This is the command I used to start the server (mentioned only https and
>>>>>> ssl parameters)
>>>>>>
>>>>>> ./manage.py runmodwsgi --https-only --https-port 8443
>>>>>> --ssl-certificate-key-file
>>>>>> /apps/django_app/keystore/server_name.keystore
>>>>>> --ssl-certificate-file /apps/django_app/keystore/server_name.crt
>>>>>>
>>>>>> Please let me know where I may be going wrong.
>>>>>>
>>>>>> Regards,
>>>>>> Shetu
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> You received this message because you are subscribed to the Google
>>>>>> Groups "modwsgi" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>>> an email to [email protected].
>>>>>> To view this discussion on the web visit
>>>>>> https://groups.google.com/d/msgid/modwsgi/e7ccbe41-a58f-44db-852a-fd1e618a99bfn%40googlegroups.com