By default, web sites are created with a ServerName of domain.com… however, 99% of the time people really use www.domain.com to access a web site…
The problem is in the SSL certificate request/generation… if I specify a CN of domain.com then I’ll get browser certificate errors because the domain (www.domain.com) in the users browser does not match the certificate (domain.com)…
However, if I generate a cert with a CN of www.domain.com then the browser warnings go away but then Apache has warnings about the CN not matching the servername…
It seems like the real solution is to use a ServerName that is www.domain.com and create a ServerAlias for domain.com, which is opposite what Interworx does…
That way, if someone goes to domain.com, they’re redirected right away to www.domain.com and if they hit a secure page, the www will already be there an no cert warning.
But the Apache warning message will still exist because the CN for the certificate is generated as www.domain.com… but the server name is domain.com…
The only solution I can see is to make the ServerName www.domain.com so it matches the CN certificate request. This way Apache doesn’t complain and the users browser doesn’t complain… as well as it doesn’t carry the expense of a redirect which will virtually always be made…
Unless there’s an obvious reason I’m missing for the ServerName being set just to domain.com vs www.domain.com I’m completely baffled why Interworx would choose to set things up this way… I mean, www.domain.com is the web server name… domain.com is the domain name and can carry ftp services, email, etc…
Anyway, the workaround is change the server name to domain.com in domain.com.conf so that you can add the SSL certficate properly and play nicely with Interworx… then switch the ServerName back to www.domain.com and bounce your web server… all works perfectly after that, and no redirect or warnings anywhere…
[SIZE=2]In domain error.log: [Thu Jun 29 12:38:26 2006] [warn] RSA server certificate CommonName (CN) `www.xxxxxxxxx.com’ does NOT match server name!?[/SIZE]
[SIZE=2][/SIZE]
[SIZE=2]This error goes away after changing ServerName to match cert CN name… which makes sense…[/SIZE]
[SIZE=2][/SIZE]
[SIZE=2]-cliff[/SIZE]
Also bit similair problem here, the panel only allows me to make cert. request for www.domain.com, but the one I want is for mail.domain.com. If a www.xxx is installed, it will still give a warning to the visitor when going to mail.xxx
From the siteworx client menu -> SSL Certs, if chosen and then “Install CA Signed Cert”, if won’t give me the option for which hostname. it will automaticly take “www.<siteworx domain>”.
Actually, it will just give me the CSR, and when that is pasted to (for instance) GeoTrust, or SBSsecure, it will read www.<domain> since that is inside the CSR.
On this issue - how does one then use the new WILDCARD certs to secure all subdomains of a given domain - should help in this scenario.
One of the alledged benefits of iworx is the ability to still hack. What I fear with reading this thread is the idiots guide to server hosting coming up which forces all operations through the finite state machine logic of the developers and that is not always what is needed in the wild.
Can one safely bypass the entire iworx cert buisness and do it by hand without problems down the track?