Koozali.org: home of the SME Server

Startssl_Server Name Issue

imcintyre
Startssl_Server Name Issue
« on: August 26, 2011, 03:51:47 AM »
I am trying to get a proper commercial certificate installed on my server.
Before I spend the money, there is a concern I have.

As a trial I got a free cert from startssl, followed example in wiki and all appeared good.
However I'm concerned re the difference between server name (myserver.mydomain.ca) and ssl cert (mydomain.ca).

For free cert Startssl allows only domain name (mydomain.com) not myserver.mydomain.com and one subdomain, e.g. mail.mydomain.com.

When I installed as per wiki, https access error messages stopped. I also was able to configure for mail and stop those access error messages. However with only one subdomain it was an "either or" proposition.
Quote
http://forums.contribs.org/index.php/topic,47845.0.html
However, when I did this command the result is not encouraging.
Quote
echo GET | openssl s_client -connect server.tld:443
gethostbyname failure
connect:errno=0

I've googled re error but could not find anything that was useful to me.

Is there a reason to be concerned?
thx in advance.
« Last Edit: August 26, 2011, 03:54:14 AM by imcintyre »

CharlieBrady
Re: Startssl_Server Name Issue
« Reply #1 on: August 26, 2011, 04:08:49 AM »
However, when I did this command the result is not encouraging.

 echo GET | openssl s_client -connect server.tld:443
 gethostbyname failure
 connect:errno=0

Maybe because server.tld is not a valid domain name. Unless maybe you are using that in place of your real domain name, in which case it may be because you do not have a valid A record for your domain in your DNS.

Please don't obfuscate domain names when reporting problems. It just makes it hard for people to help you adequately.

imcintyre
Re: Startssl_Server Name Issue
« Reply #2 on: August 26, 2011, 12:34:28 PM »
Thx for reply.

If only I could claim to be obfuscating on purpose; obviously I'm some combination of too thick and too tired, regarding server.tld.

That being said, I had this error in my httpd error log and started looking around for an issue.
Quote
[Wed Aug 24 21:56:19 2011] [warn] RSA server certificate CommonName (CN) `www.mcintyres.ca' does NOT match server name!?
This was the last apparent time it occurred so maybe it was while installing the cert.

When I run the prior command properly, amongst many other things, I get the following result:
Quote
echo GET | openssl s_client -connect mcintyres.ca:443
CONNECTED(00000003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/description=489824-0x6wEK7Y64ab3lBl/CN=www.mcintyres.ca/emailAddress=postmaster@mcintyres.ca
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---

Why should there be verify error "self signed certificate in chain"?
What else do you need to see to help?
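The Apache warning quoted in this post (CN `www.mcintyres.ca' does not match server name `mcintyres.ca') is a hostname-matching failure, and the following is an added example, not code from the thread or from SME Server, of how a TLS client performs that match, simplified from RFC 6125: Subject Alternative Name dNSName entries take precedence over the CN, and a wildcard covers exactly one label. The host names and the two-name SAN list are assumptions modelled on the certificate shown above.

```python
# Added example (not from the forum thread): hostname matching the way a
# TLS client decides whether a certificate covers the name it connected to.
# Simplified from RFC 6125 section 6.4: if the certificate carries SAN
# dNSName entries, only those are consulted and the CN is ignored.
from typing import Iterable, List


def _labels(name: str) -> List[str]:
    """Normalise a DNS name: case-insensitive, trailing dot ignored."""
    return name.strip().lower().rstrip(".").split(".")


def _pattern_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (possibly '*.example.com') against a host."""
    pat, host = _labels(pattern), _labels(hostname)
    if len(pat) != len(host):
        return False          # a wildcard never spans more than one label
    if pat[1:] != host[1:]:
        return False          # the parent domain must be identical
    if pat[0] == "*":
        # Wildcard allowed only as the whole leftmost label, and only when at
        # least two labels follow it ('*.ca' must not match every .ca host).
        return len(pat) >= 3
    return pat[0] == host[0]  # partial-label wildcards not supported here


def names_to_check(subject_cn: str, san_dns: Iterable[str] = ()) -> List[str]:
    """SANs take precedence; the CN is used only when no dNSName SAN exists."""
    sans = list(san_dns)
    return sans if sans else [subject_cn]


def certificate_covers(hostname: str, subject_cn: str,
                       san_dns: Iterable[str] = ()) -> bool:
    """True if a client connecting to `hostname` would accept this certificate."""
    return any(_pattern_matches(n, hostname)
               for n in names_to_check(subject_cn, san_dns))


if __name__ == "__main__":
    # The situation in the thread: CN www.mcintyres.ca, server name mcintyres.ca.
    print(certificate_covers("mcintyres.ca", "www.mcintyres.ca"))            # False
    # Assumed free-tier style cert listing the bare domain plus one subdomain.
    sans = ["mcintyres.ca", "www.mcintyres.ca"]
    print(certificate_covers("mcintyres.ca", "www.mcintyres.ca", sans))      # True
    print(certificate_covers("mail.mcintyres.ca", "www.mcintyres.ca", sans)) # False
```

The third call shows the "either or" limit from the opening post: with only one subdomain in the certificate, mail.mcintyres.ca is not covered when www.mcintyres.ca is.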

CharlieBrady
Re: Startssl_Server Name Issue
« Reply #3 on: August 26, 2011, 02:27:44 PM »
Why should there be verify error "self signed certificate in chain"?

Ask startssl.