How to Fix “RSA Certificate Does Not Include Matching Server Name” Error in Apache SSL Configuration

When configuring SSL certificates in Apache, one of the most common errors developers encounter is the server name mismatch warning:

[ssl:warn] AH01909: RSA certificate configured for ec2-XX-XXX-XXX-XX.compute-1.amazonaws.com:443 
does NOT include an ID which matches the server name

This occurs when neither the Subject Alternative Names (SANs) nor the Common Name (CN) in your SSL certificate matches the server name Apache is configured to use (the ServerName of the virtual host).

Modern browsers enforce strict certificate validation:

  • The certificate must include the exact domain name being accessed
  • Wildcards only cover one subdomain level (*.example.com won't cover a.b.example.com)
  • IP addresses must be explicitly listed in SANs

Here's a proper SSL configuration for Apache (httpd.conf or ssl.conf):

<VirtualHost *:443>
    ServerName dcturano.com
    ServerAlias www.dcturano.com
    
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/dcturano.crt
    SSLCertificateKeyFile /etc/ssl/private/dcturano.key
    SSLCertificateChainFile /etc/ssl/certs/dcturano-chain.crt
    
    # For HTTP/2 support
    Protocols h2 http/1.1
    
    # Modern SSL configuration
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
</VirtualHost>

When creating your certificate signing request, ensure it includes all necessary SANs (this one-liner relies on bash process substitution):

openssl req -new -newkey rsa:2048 -nodes -keyout dcturano.key \
    -out dcturano.csr -subj "/CN=dcturano.com" \
    -reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
    <(printf "[SAN]\nsubjectAltName=DNS:dcturano.com,DNS:www.dcturano.com"))

Use these commands to verify your configuration:

# Check Apache configuration
apachectl configtest

# Verify certificate contents
openssl x509 -in /etc/ssl/certs/dcturano.crt -text -noout

# Check SSL handshake
openssl s_client -connect dcturano.com:443 -servername dcturano.com

On AWS EC2 specifically:

  • Avoid using the EC2 public DNS name in your certificate
  • Route 53 aliases must resolve to the same endpoint
  • ELB/ALB requires the certificate to be uploaded to AWS Certificate Manager

After fixing the SSL issue, update the WordPress configuration in wp-config.php:

define('WP_HOME','https://dcturano.com');
define('WP_SITEURL','https://dcturano.com');

And in your database:

UPDATE wp_options SET option_value = 'https://dcturano.com' 
WHERE option_name IN ('siteurl', 'home');

When configuring SSL/TLS certificates in Apache, one of the most common validation errors occurs when the certificate's Subject Alternative Name (SAN) or Common Name (CN) doesn't match the server's hostname. The error manifests like this in Apache logs:

[ssl:warn] AH01909: RSA certificate configured for ec2-XX-XXX-XXX-XX.compute-1.amazonaws.com:443 
does NOT include an ID which matches the server name

Modern browsers and SSL clients perform strict hostname verification against these certificate fields:

  • Common Name (CN) in the Subject field (legacy)
  • Subject Alternative Name (SAN) extensions (modern standard)

For a certificate to be considered valid for example.com, either:

Subject: CN = example.com

OR

X509v3 Subject Alternative Name: 
    DNS:example.com, 
    DNS:www.example.com

To verify your certificate's actual names:

openssl x509 -in /path/to/certificate.crt -text -noout | grep -E "Subject:|DNS:"

Common mismatch scenarios include:

  • Using EC2 public DNS name instead of custom domain
  • Certificate issued for www.domain.com but accessing domain.com
  • Wildcard certificate not properly configured (*.domain.com)
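The rules above (exact match, one-level wildcards, IP addresses only from SANs, CN consulted only when no DNS SANs are present) and the mismatch scenarios just listed can be checked offline against the names `openssl x509 -text` prints. The following added example is not part of the original article: it parses a constructed `-text` snippet (not a real certificate; sample names and the 203.0.113.10 address are made up), applies those matching rules, and reports which ServerName/ServerAlias values a certificate fails to cover, which is exactly what AH01909 complains about.

```python
import ipaddress
import re
# Constructed sample of `openssl x509 -text -noout` output (not a real certificate).
CERT_TEXT = """\
        Subject: CN = dcturano.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:dcturano.com, DNS:www.dcturano.com, DNS:*.static.dcturano.com, IP Address:203.0.113.10
"""

def parse_names(text):
    """Return (cn, dns_names, ip_names) from openssl's -text output (SANs on one line)."""
    m = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,\n]+)", text, re.M)
    cn = m.group(1).strip() if m else None
    dns, ips = [], []
    m = re.search(r"X509v3 Subject Alternative Name:(?: critical)?\s*(.+)", text)
    if m:
        for entry in m.group(1).split(","):
            kind, _, value = entry.strip().partition(":")
            if kind == "DNS":
                dns.append(value.strip().lower())
            elif kind == "IP Address":
                ips.append(value.strip())
    return cn, dns, ips

def dns_matches(pattern, host):
    """RFC 6125-style match: exact, or a wildcard covering exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def cert_covers(cert_text, host):
    """True if the certificate is valid for host under the rules browsers enforce."""
    cn, dns, ips = parse_names(cert_text)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:  # IPs count only from IP SAN entries, never from the CN
        return any(ipaddress.ip_address(i) == ip for i in ips)
    candidates = dns if dns else ([cn] if cn else [])  # CN is a fallback only with no DNS SANs
    return any(dns_matches(p, host) for p in candidates)

def check_vhost(cert_text, server_name, server_aliases=()):
    # Names from ServerName/ServerAlias the certificate does not cover: the cause of AH01909.
    return [h for h in (server_name, *server_aliases) if not cert_covers(cert_text, h)]
```

Feed it the real output of `openssl x509 -in /path/to/certificate.crt -text -noout` and the names from your VirtualHost; an empty list from `check_vhost` means the warning should not appear for that host.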

Here's a proper virtual host configuration for dcturano.com:

<VirtualHost *:443>
    ServerName dcturano.com
    ServerAlias www.dcturano.com
    
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/dcturano.crt
    SSLCertificateKeyFile /etc/ssl/private/dcturano.key
    SSLCertificateChainFile /etc/ssl/certs/intermediate.crt
    
    # HSTS and modern security headers (requires mod_headers to be enabled)
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    
    # Your WordPress configuration
    DocumentRoot /var/www/html
    <Directory /var/www/html>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

If your current certificate lacks the proper SAN entries, you'll need to:

  1. Generate a new CSR with correct SAN fields
  2. Submit to your CA for reissuance
  3. Use this OpenSSL config for CSR generation:

[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[dn]
CN = dcturano.com

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = dcturano.com
DNS.2 = www.dcturano.com

After making changes, verify with:

apachectl configtest
openssl s_client -connect dcturano.com:443 -servername dcturano.com </dev/null | openssl x509 -noout -text

For WordPress specifically, ensure your wp-config.php contains:

define('FORCE_SSL_ADMIN', true);
// Only trust this header when a proxy or load balancer you control sets it;
// isset() avoids a PHP notice when the header is absent.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}