Subject CN in certificate not server name or identical to CA - Error
Hello All,

For integrating a payment gateway with the web server, we were using certificate based authentication. The gateway sends certificate to the web server for authentication during which we are observing the following error in Apache ssl logs (enabled to debug mode)

[Mon Jul 21 12:35:14 2008] [info] [client 15.16.17.51] SSL library error 1 in handshake (server www.mysite.com:5403)
[Mon Jul 21 12:35:14 2008] [info] SSL Library Error: 336151570 error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate Subject CN in certificate not server name or identical to CA!?

The web server generated a certificate request with CN set to www.mysite.com and the same has been signed by an external CA. The signed certificate is being used as the value for SSLCertificateFile in the Apache SSL configuration.

In the ssl.conf (Apache) the ServerName is set to www.mysite.com which is the public name for the site. This name has been added to /etc/hosts with IP address mapping (192.15.42.1)

The hostname where Apache is running is webserv.gov.in and resolves to a different IP address.

We are using httpd 2.2 on a CentOS platform. We are almost pulling our hair from last week. The payment gateway people say other clients who are using IIS 5.0 aren't facing any issues and only we people (Apache) are having this issue.

Any pointers/response on this would be of really great help.

Thanks & Regards,

Karthik
On Jul 21, 4:36 pm, dkart...@gmail.com wrote:
> Hello All,
>
> For integrating a payment gateway with the web server, we were using
> certificate based authentication. The gateway sends certificate to the
> web server for authentication during which we are observing the
> following error in Apache ssl logs (enabled to debug mode)
>
> [Mon Jul 21 12:35:14 2008] [info] [client 15.16.17.51] SSL library
> error 1 in handshake (server www.mysite.com:5403)
> [Mon Jul 21 12:35:14 2008] [info] SSL Library Error: 336151570 error:
> 14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
> Subject CN in certificate not server name or identical to CA!?
>
> The web server generated a certificate request with CN set to www.mysite.com
> and the same has been signed by an external CA. The signed certificate
> is being used as the value for SSLCertificateFile in the Apache SSL
> configuration.
>
> In the ssl.conf (Apache) the ServerName is set to www.mysite.com which
> is the public name for the site. This name has been added to /etc/
> hosts with IP address mapping(192.15.42.1)
>
> The hostname where Apache is running is webserv.gov.in and resolves to
> a different IP address.
>
> We are using httpd 2.2 on a CentOS platform. We are almost pulling our
> hair from last week. The payment gateway people say other clients who
> are using IIS 5.0 aren't facing any issues and only we people(Apache)
> are having this issue.
>
> Any pointers/response on this would be of really great help.
>
> Thanks & Regards,
>
> Karthik

Never came across this specifically.

I assume that the error occurs every time someone tries to connect to https://www.mysite.com?

.....and you've checked the certificate really is for www.mysite.com (IIRC `openssl x509 -text -in cert_file`)

.....and you can reproduce the error by pointing a browser at https://www.mysite.com/

....and you've tried doing the above using iehttpheaders or Firefox tamperdata/firebug to check for redirects

C.
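
The certificate check suggested in the reply above, written out as an added example (not part of the original thread): it tests a certificate for the two conditions the log hint names, a subject CN that differs from the server name and a subject identical to the issuer. The function names and the sample subject/issuer lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Sample lines below are constructed, not from the thread.

# Lower-case a string; hostnames compare case-insensitively.
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Strip the "subject=" / "issuer=" label and surrounding blanks, leaving the DN.
dn_of() { printf '%s\n' "$1" | sed -e 's|^[a-z]*= *||' -e 's| *$||'; }

# Pull the CN out of a DN in either layout openssl prints:
#   /C=IN/O=Example/CN=name      or      C = IN, O = Example, CN = name
extract_cn() {
    printf '%s\n' "$1" | sed -n 's|^.*CN *= *\([^,/]*\).*$|\1|p' | sed 's| *$||'
}

# check_subject_issuer EXPECTED_NAME SUBJECT_LINE ISSUER_LINE
# Prints exactly one verdict: ok, cn-mismatch or subject-equals-issuer.
check_subject_issuer() {
    subject_dn=$(dn_of "$2")
    issuer_dn=$(dn_of "$3")
    cn=$(extract_cn "$2")
    if [ "$subject_dn" = "$issuer_dn" ]; then
        echo "subject-equals-issuer"      # self-signed, or same DN as the CA
    elif [ "$(lower "$cn")" != "$(lower "$1")" ]; then
        echo "cn-mismatch"                # CN is not the name clients connect to
    else
        echo "ok"
    fi
}

# check_cert_file EXPECTED_NAME CERT_FILE: same check on a PEM file on disk.
check_cert_file() {
    out=$(openssl x509 -noout -subject -issuer -in "$2") || return 1
    check_subject_issuer "$1" \
        "$(printf '%s\n' "$out" | grep '^subject')" \
        "$(printf '%s\n' "$out" | grep '^issuer')"
}

# Constructed demo: CN is the machine's hostname, not the public ServerName.
check_subject_issuer www.mysite.com \
    'subject= /C=IN/O=Example/CN=webserv.gov.in' \
    'issuer= /C=IN/O=Example CA/CN=Example Root CA'
```

The check reads only the subject CN, as the log hint does; subjectAltName entries are not considered.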