# Fresh Install - Apache ssl not working (SOLVED)

## JC99

Hello everyone,

I just did a fresh install of Gentoo and Apache2. When I navigate to my site (http://jasoncarson.ca) everything works, but when I go to my SSL-enabled site (https://jasoncarson.ca) Firefox gives me the following error message.

*Quote:*

> An error occurred during a connection to jasoncarson.ca.
>
> Peer's certificate has an invalid signature.
>
> (Error code: sec_error_bad_signature)
> ...

I can't access it in Firefox or IE. I haven't tried other browsers.

Anyone know how to fix this?

Last edited by JC99 on Sun Jan 03, 2010 9:55 pm; edited 3 times in total

----------

## Mad Merlin

It's probably because you get a self signed SSL certificate by default, which newer versions of Firefox and IE particularly dislike. Normally they give you the option to continue anyways, but for some reason I'm getting the same thing you're seeing in Firefox (with no option to continue anyways). Konqueror lets me continue anyways though.

----------

## JC99

I checked Apache's ssl_error_log and it says the following...

*Quote:*

> [Sat Jan 02 17:46:32 2010] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?

...so I guess I have to create a new certificate so that the CommonName is the same as the server name? Anyone know if this is the correct thing to do?

----------

## cach0rr0

that one's just a warning, not an error - but you would correct it by generating a new cert, yes; thing to do is

- make sure the cert matches the domain/host you intend to serve
- ideally, add a ServerName directive to /etc/apache2/modules.d/00_default_settings.conf that matches your hostname

truth is so long as you're using a self-signed certificate, users WILL get SSL errors in their browser unless they mark your certificate as trusted, no matter how correctly you set the Common Name and so forth. 

I personally use certs from cacert.org, and have a main landing page that instructs users on how to install CACert's root certificate (which then allows my certs to be trusted) 

Some browsers will ignore this (e.g. IE and Chrome). Firefox has no issue with this, thankfully. 

Anyway, yes, regenerate the cert, add the ServerName directive, and you'll be *as close to* correct functionally as you can be with a self-signed cert

----------

## JC99

Thanks for your help. I created my own certificate. Here is what I did.

Go to /etc/ssl/apache2/ then run the following commands...

```
# generate the RSA private key
openssl genrsa -out server.key 1024
# write a PEM copy of the key
openssl rsa -in server.key -out server.pem
# create the certificate signing request (prompts for the subject fields)
openssl req -new -key server.key -out server.csr
```

After I ran that third command I was prompted to enter some info. Make sure "Common Name" is your domain. Next, run this final command...

```
# self-sign the request with the same key, valid for one year
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
```

...and everything should work. It did for me.

----------
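The procedure JC99 posted and the two points cach0rr0 raised (the CN must match the served hostname, and a self-signed cert is only ever "as close to correct" as the browser's trust allows) can be scripted and checked rather than done by hand. The following is an added example, not code from the thread; it goes beyond the original steps in three ways: the subject is passed with `-subj` instead of interactive prompts, the key is 2048 bits rather than the 1024 bits used above, and a `subjectAltName` entry is added at signing time because current browsers match the hostname against the SAN and ignore the CN. It assumes an OpenSSL with `-checkhost` (1.0.2 or later); the file names and the temporary directory are illustrative, and `jasoncarson.ca` is the hostname from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): build a self-signed cert whose
# CN and subjectAltName both match the host Apache will serve, then run the same
# name check Apache performs when it logs "does NOT match server name".
# Assumes OpenSSL >= 1.0.2 for -checkhost; names below are illustrative.

# gen_selfsigned HOST DIR -> writes DIR/server.key, server.csr, server.crt
gen_selfsigned() {
    host="$1"; dir="$2"
    # 2048-bit key; the 1024-bit size in the thread is below today's minimum.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    # CSR with the Common Name set non-interactively.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=$host" 2>/dev/null
    # Browsers require a SAN entry; supply it as an extension file at signing.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/server.key" \
        -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
}

# cert_matches_host CRT HOST -> exit 0 when the cert is valid for HOST
# (the same CN/SAN comparison Apache's ssl_error_log warning is about)
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}

# cert_has_san CRT HOST -> exit 0 when a DNS SAN for HOST is present
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Demo run for the thread's host; this is what you would point
# SSLCertificateFile / SSLCertificateKeyFile at, with a matching ServerName.
demo_dir=$(mktemp -d)
gen_selfsigned jasoncarson.ca "$demo_dir"
openssl x509 -in "$demo_dir/server.crt" -noout -subject -dates
if cert_matches_host "$demo_dir/server.crt" jasoncarson.ca; then
    echo "OK: certificate matches ServerName jasoncarson.ca"
else
    echo "WARN: CN/SAN does NOT match server name (Apache will log this)"
fi
```

The check only tells you the name matches; the browser warning cach0rr0 describes remains until the client trusts the signer, so the same `cert_matches_host` call against `localhost` fails, which is exactly the condition behind the `[warn]` line quoted above.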

