
I'm installing an SSL certificate (RapidSSL) on Amazon AWS (Load balancer).

Installation was already completed, but when I test it I get:

Wrong certificate installed.
The domain name does not match the certificate common name or SAN.

Certificate information
Common name: ip-172-XX-XX-XXX
SAN:

My SSL certificate is only for https://app.domain.com, so SSL certificate was made for app.domain.com


Edit: After some tests I get:

The certificate is self-signed. Users will receive a warning when accessing
this site unless the certificate is manually added as a trusted certificate to
their web browser. You can fix this error by buying a trusted SSL certificate

None of the common names in the certificate match the name that was entered
(app.domain.com). You may receive an error when accessing this site in a web
browser. Learn more about name mismatch errors.
Common name: ip-172-XX-XX-XXX
Organization: SomeOrganization
Location: SomeCity, SomeState, --
Valid from July 23, 2014 to July 23, 2015
Serial Number: 218621 (0x5566)
Signature Algorithm: sha256WithRSAEncrypt
Issuer: ip-172-XX-XX-XXX

Edit2: Checking the server I found:

In folder /ssl/certs

localhost.crt //this is the one giving me trouble
ca-bundle.crt
ca-bundle.trust.crt

Should I delete localhost.crt?

Thanks

Diego Sarmiento
  • Are you sure it is the same certificate? It doesn't sound like it based on what is stated in the question. – Håkan Lindqvist Nov 27 '14 at 19:04
  • @HåkanLindqvist I checked it with different tools. The common message is "None of the common names in the certificate match the name that was entered (app.domain.com). You may receive an error when accessing this site in a web browser" – Diego Sarmiento Nov 27 '14 at 20:00
  • I did not suggest checking with different tools but verifying that you are actually using the certificate you have purchased. You say that you have purchased a certificate for "app.domain.com" but also that the certificate you are using is for "ip-172-XX-XX-XXX"; that does not sound like it's the same certificate. – Håkan Lindqvist Nov 27 '14 at 20:29
  • Agree with @HåkanLindqvist, it sounds like you are still using an auto-generated, self-signed certificate. The CN value of your certificate should say "*app.domain.com*". – Andrew Domaszek Nov 27 '14 at 21:31
  • @AndrewDomaszek if that's the case, what would you recommend to fix it? – Diego Sarmiento Nov 27 '14 at 22:11

2 Answers


The hostname used in the SubjectCN (optional, but common) and at least one entry in the SubjectAN (mandatory) need to match the name by which you reference the VirtualHost (whether you gen the VirtualHost by Name (using SNI) or by IP). Additionally, you should have this hostname genned as either the main hostname or an alias in your /etc/hosts. Note, this needs to be the FQDN, as the match must be exact[1].

If the certificate is issued for "app.domain.com", you must have your application listening to and responding to requests for "app.domain.com". For testing purposes, you would benefit from changing the hostname as seen by the OS to "app.domain.com" (using the hostname command and setting the "HOSTNAME" param in the "/etc/hostname" file).


1: Note, most Certifying Authorities will not issue a certificate for an unqualified hostname, as they have no way to ensure that the hostname for which they are vouching and staking their relationship truly belongs to the person or organization requesting it without the domain component.

DTK
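The matching rule the answer describes (SAN entries are authoritative when present, the subject CN only counts for a certificate that has no SAN dNSName, and the match is exact apart from a single leftmost wildcard label) is easy to get wrong by eye, so here is an added example that applies it. This is not code from the question or the answers; it assumes the certificate is represented as the dict that Python's ssl.SSLSocket.getpeercert() returns, and the two sample certificates are constructed to mirror the values shown in the question (the issuer name of the CA-issued sample is a placeholder).

```python
"""Hostname-match and self-signed checks on a certificate's subject / SAN fields.

Added example, not code from the question or the answers. A certificate is the
dict that ssl.SSLSocket.getpeercert() returns for a verified peer; the sample
certificates at the bottom are constructed to mirror the values in the question.
"""


def dns_names(cert):
    """dNSName entries from subjectAltName (empty list if the extension is absent)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_names(cert):
    """commonName values from the subject RDN sequence."""
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def name_matches(pattern, hostname):
    """RFC 6125 style match: case-insensitive, exact, or a single leftmost '*' label
    that stands in for exactly one label ('*.domain.com' covers 'app.domain.com'
    but neither 'domain.com' nor 'a.b.domain.com')."""
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def check_hostname(cert, hostname):
    """Return (ok, reason). SAN dNSNames are authoritative when present; the
    subject CN is consulted only for a certificate that carries no SAN dNSName."""
    sans = dns_names(cert)
    if sans:
        for name in sans:
            if name_matches(name, hostname):
                return True, f"matched SAN dNSName {name!r}"
        return False, f"no SAN dNSName matches {hostname!r} (SAN: {sans})"
    for name in common_names(cert):
        if name_matches(name, hostname):
            return True, f"matched subject CN {name!r} (certificate carries no SAN)"
    return False, f"no SAN, and subject CN {common_names(cert)} does not match {hostname!r}"


def is_self_signed(cert):
    """Heuristic: issuer DN identical to subject DN. A full check also verifies the
    signature with the subject's own key, but this is enough to recognise the
    auto-generated localhost certificate described in the question."""
    return cert.get("issuer") == cert.get("subject")


def diagnose(cert, hostname):
    """Findings a checker would report for this certificate / hostname pair."""
    findings = []
    if is_self_signed(cert):
        findings.append("self-signed")
    ok, reason = check_hostname(cert, hostname)
    if not ok:
        findings.append("name mismatch: " + reason)
    return findings


# Constructed sample: the auto-generated certificate the question describes
# (CN and issuer are the instance hostname, no subjectAltName at all).
LOCALHOST_CERT = {
    "subject": ((("commonName", "ip-172-XX-XX-XXX"),),),
    "issuer": ((("commonName", "ip-172-XX-XX-XXX"),),),
    # no "subjectAltName" key: getpeercert() omits the extension when it is absent
}

# Constructed sample: the shape of a CA-issued certificate for app.domain.com.
# The issuer name is a placeholder, not a real CA distinguished name.
APP_CERT = {
    "subject": ((("commonName", "app.domain.com"),),),
    "issuer": ((("commonName", "Example CA (placeholder)"),),),
    "subjectAltName": (("DNS", "app.domain.com"),),
}

if __name__ == "__main__":
    for label, cert in (("localhost.crt", LOCALHOST_CERT), ("purchased cert", APP_CERT)):
        print(label, "->", diagnose(cert, "app.domain.com") or ["OK"])
```

Running it reports both "self-signed" and a name mismatch for the localhost certificate and nothing for the purchased one, which is exactly the pair of findings the question's checker printed. The design follows the answer's point that a SAN present on the certificate overrides the CN: a certificate whose CN says app.domain.com but whose only SAN names a different host is still a mismatch.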

First: Please don't delete your localhost.crt. If you do, you won't be able to re-start your server and your web page will be offline. If by any chance you do, you have to re-generate a new localhost.crt file from your private key using the following command:

openssl req -new -x509 -nodes -sha1 -days 365 -key /etc/pki/tls/private/localhost.key > /etc/pki/tls/certs/localhost.crt

Second: If you completed the process of creating a certificate with your load balancers, you don't need to use AWS IAM or change your ssl.conf file. The step missing is to change your Domain Record Set. If your domain is hosted in AWS, go to Route 53 in the EC2 Management Console and create a record set. It must be a Type A record (not a CNAME), with an alias pointing to your Amazon Load Balancer (check your address in the tab DNS in the panel). The address should be something like:

9999999999.eu-west-1.elb.amazonaws.com

Diego Sarmiento