Since you were given a CA file, you might even need to use that as well using the --ssl-ca-certificate-file option at the same time as other options. If the CA issuer wasn't a public authority that could be required.
This is for self signed and thus where need the CA, but example in:

https://gist.github.com/GrahamDumpleton/b79d336569054882679e

Graham

> On 22 Nov 2021, at 6:23 pm, Graham Dumpleton <[email protected]> wrote:
>
> Another way to verify is shown in:
>
> https://serverfault.com/questions/578061/rsa-certificate-configured-for-server-does-not-include-an-id-which-matches-the-s
>
> openssl x509 -in server.crt -noout -subject
>
> Does that also confirm the expected value?
>
> Also, what happens if you use standard https port of 443 rather than 8443?
>
> Also do a Google search for other ideas, by searching for:
>
> AH01909 RSA certificate configured for does NOT include an ID which matches the server name
>
> Finally, what happens if you actually try and access the web site? I don't
> recollect you saying even what happens if you do.
>
> Graham
>
>> On 22 Nov 2021, at 5:48 pm, Shetu <[email protected]> wrote:
>>
>> I verified the server name in the certificate and it is correct
>>
>> On Monday, November 22, 2021 at 11:57:35 AM UTC+5:30 Graham Dumpleton wrote:
>> Verify what hostname is set in the certificate.
>>
>> https://support.qacafe.com/knowledge-base/how-do-i-display-the-contents-of-a-ssl-certificate/
>>
>> Probably the "Subject Alternative Name" setting, but then I am not an expert
>> on how these things are supposed to look, so that is a guess.
>>
>>> On 22 Nov 2021, at 5:24 pm, Shetu <[email protected]> wrote:
>>>
>>> If I remove host parameter, the application still runs on
>>> www.server_name.com:8443 and I still get the warning:-
>>> --> RSA certificate configured for ?.?.?.?:8443 does NOT include an ID which matches the server name
>>>
>>> On Monday, November 22, 2021 at 11:13:21 AM UTC+5:30 Graham Dumpleton wrote:
>>> And what happens if you use:
>>>
>>> /manage.py runmodwsgi --https-only --https-port 8443 --server-name my_server_name.com --ssl-certificate-key-file /apps/django_app/keystore/host_name.key --ssl-certificate-file /apps/django_app/keystore/server_name.crt
>>>
>>> The --host argument shouldn't be necessary as it would listen on all host
>>> interfaces anyway.
>>>
>>> If you still get warning:
>>>
>>> > RSA certificate configured for ?.?.?.?:8443 does NOT include an ID which
>>> > matches the server name
>>>
>>> it would suggest the certificate you were given is not for the host
>>> "my_server_name.com" that you are giving as argument to --server-name.
>>>
>>>> On 22 Nov 2021, at 4:34 pm, Shetu <[email protected]> wrote:
>>>>
>>>> Hi Graham,
>>>>
>>>> I extracted the private key into .key file. The application is running on
>>>> www.server_name.com:8443. I added --host parameter also to the mod_wsgi
>>>> startup command to see whether it runs or not on https port if I use ip
>>>> address of the server instead of server_name in the url but it does not work.
>>>> I am getting this warning in the logs:-
>>>>
>>>> [Mon Nov 22 05:16:19 2021] [ip AH01909: RSA certificate configured for 0.0.0.0:8443 does NOT include an ID which matches the server name
>>>> [Mon Nov 22 05:16:19 2021] [ip AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
>>>> [Mon Nov 22 05:16:19 2021] [ip AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
>>>> [Mon Nov 22 05:16:19 2021] [ip AH01909: RSA certificate configured for 0.0.0.0:8443 does NOT include an ID which matches the server name
>>>> [Mon Nov 22 05:16:19 2021] [ip AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
>>>> [Mon Nov 22 05:16:19 2021] [ip AH00489: Apache/2.4.46 (Unix) mod_wsgi/4.7.1 Python/3.6 OpenSSL/1.0.2k-fips configured -- resuming normal operations
>>>>
>>>> Here is the mod_wsgi startup command:-
>>>>
>>>> /manage.py runmodwsgi --https-only --https-port 8443 --host 0.0.0.0 --server-name my_server_name.com --ssl-certificate-key-file /apps/django_app/keystore/host_name.key --ssl-certificate-file /apps/django_app/keystore/server_name.crt
>>>>
>>>> Will this configuration work if I assign a DNS to this host or do I need
>>>> to add some more configuration here since it does not work with ip
>>>> address? Also if I remove --server-name from the command and just keep
>>>> --host, it does not work.
>>>>
>>>> Regards,
>>>> Shetu
>>>>
>>>> On Friday, November 19, 2021 at 12:59:09 PM UTC+5:30 Graham Dumpleton wrote:
>>>> It is not uncommon to have files in a different format to what is required
>>>> and you need to convert and even possibly extract out just the private key
>>>> from a file which contains multiple things.
>>>> You are going to need to look at docs for your certificate authority to
>>>> understand what is the private key or how to extract/convert it to what
>>>> Apache wants from what you have been given.
>>>>
>>>> You want the file necessary for SSLCertificateKeyFile directive in Apache.
>>>>
>>>> https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatekeyfile
>>>>
>>>> Graham
>>>>
>>>>> On 19 Nov 2021, at 6:16 pm, Shetu <[email protected]> wrote:
>>>>>
>>>>> I have the following set of keys and certificates which I got from the
>>>>> certificate authority:-
>>>>>
>>>>> host_name.csr
>>>>> server_name.crt
>>>>> Intermediate-CA.pem
>>>>> ROOT-CA.pem
>>>>> host_name.keystore.original
>>>>> host_name.keystore
>>>>>
>>>>> I have set the key file as the .pem file but still getting this error:-
>>>>>
>>>>> [Fri Nov 19 07:10:33 2021] [ip AH02203: Init: Private key not found
>>>>> [Fri Nov 19 07:10:33 2021] [ip SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
>>>>> [Fri Nov 19 07:10:33 2021] [ip SSL Library Error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
>>>>> [Fri Nov 19 07:10:33 2021] [ip SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
>>>>> [Fri Nov 19 07:10:33 2021] [ip SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=RSA)
>>>>> [Fri Nov 19 07:10:33 2021] [ip SSL Library Error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
>>>>> [Fri Nov 19 07:10:33 2021] [ip SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
>>>>> [Fri Nov 19 07:10:33 2021] [ip SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
>>>>> [Fri Nov 19 07:10:33.592064 2021]
>>>>> [ssl:emerg] [pid 18369:tid 140598354167616] AH02312: Fatal error initialising mod_ssl, exiting.
>>>>>
>>>>> On Friday, November 19, 2021 at 12:38:14 PM UTC+5:30 Graham Dumpleton wrote:
>>>>> Are you sure you are using the correct file for the private key? I have
>>>>> never seen a convention of the private key file having a '.keystore'
>>>>> extension. Would usually be a .pem file extension.
>>>>>
>>>>> Graham
>>>>>
>>>>>> On 19 Nov 2021, at 6:05 pm, Shetu <[email protected]> wrote:
>>>>>>
>>>>>> Getting these errors :-
>>>>>> [Fri Nov 19 06:57:36 2021] [ip AH02203: Init: Private key not found
>>>>>> [Fri Nov 19 06:57:36 2021] [ip SSL Library Error: error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long
>>>>>> [Fri Nov 19 06:57:36.717374 2021] [ssl:emerg] [pid 12557:tid 139779757414208] AH02312: Fatal error initialising mod_ssl, exiting.
>>>>>>
>>>>>> I have also added the server name in the command
>>>>>>
>>>>>> On Friday, November 19, 2021 at 12:10:21 PM UTC+5:30 Graham Dumpleton wrote:
>>>>>> What are the error messages you are getting and where?
>>>>>>
>>>>>> Also be aware you must supply the --server-name option with the hostname
>>>>>> of the site which matches what you set in the certificate.
>>>>>>
>>>>>>> On 19 Nov 2021, at 5:36 pm, Shetu <[email protected]> wrote:
>>>>>>>
>>>>>>> Hi Graham,
>>>>>>>
>>>>>>> I am using modwsgi express to run my Django application on mod_wsgi
>>>>>>> Apache server. I am not able to start my server on https port although
>>>>>>> it works on http port.
>>>>>>>
>>>>>>> This is the command I used to start the server (mentioned only https and
>>>>>>> ssl parameters)
>>>>>>>
>>>>>>> ./manage.py runmodwsgi --https-only --https-port 8443 --ssl-certificate-key-file /apps/django_app/keystore/server_name.keystore --ssl-certificate-file /apps/django_app/keystore/server_name.crt
>>>>>>>
>>>>>>> Please let me know where I may be going wrong.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Shetu
>>>>>>>
>>>>>>> --
>>>>>>> You received this message because you are subscribed to the Google Groups "modwsgi" group.
>>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to modwsgi+u...@googlegroups.com.
>>>>>>> To view this discussion on the web visit https://groups.google.com/d/msgid/modwsgi/e7ccbe41-a58f-44db-852a-fd1e618a99bfn%40googlegroups.com.
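
The checks discussed in this thread (is the key file a PEM private key, does it belong to the certificate, does the certificate name the host given to --server-name), as an added example that is not part of the original messages. It assumes the openssl CLI is installed; the function names and the demo hostname are made up for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for the files passed to runmodwsgi.
# Assumes the openssl CLI is installed; function names are illustrative.

# 0 if FILE parses as an unencrypted PEM private key. A keystore or other
# container file fails here, which is the AH02203 case in the thread.
key_is_pem() {
    openssl pkey -in "$1" -passin pass: -noout >/dev/null 2>&1
}

# 0 if the certificate ($1) and the private key ($2) carry the same public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate's SAN (or CN when no DNS SAN is present) covers HOST.
# This approximates the AH01909 check. openssl reports the result as text,
# so match on the message instead of the exit status.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# Run all three checks; print one line per finding, non-zero if any failed.
check_tls_files() {
    cert=$1 key=$2 host=$3 rc=0
    key_is_pem "$key" || { echo "key: not a PEM private key: $key"; rc=1; }
    key_matches_cert "$cert" "$key" || { echo "key: does not belong to $cert"; rc=1; }
    cert_covers_host "$cert" "$host" || { echo "cert: no ID matching $host"; rc=1; }
    return $rc
}

# Constructed sample input: a throwaway self-signed pair for CN=$2 in dir $1.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/demo.key" -out "$1/demo.crt" >/dev/null 2>&1
}

# Usage: sh check_tls.sh server.crt server.key www.example.test
if [ "$#" -eq 3 ]; then check_tls_files "$@"; fi
```

Run it with the same certificate, key and hostname that are passed to --ssl-certificate-file, --ssl-certificate-key-file and --server-name.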
