Solutions
ForgeRock Identity Platform
Does not apply to Identity Cloud

RSA server certificate CommonName (CN) does NOT match server name warning in Proxy log for AM (All versions)

Last updated Apr 13, 2021

The purpose of this article is to provide assistance if you receive a RSA® server certificate CommonName (CN) does NOT match server name warning in the Proxy log for AM. This warning occurs when SSL is in use and AM is deployed on the Apache Tomcat™ web container.


Symptoms

The following warning is shown in the Proxy log:

[Thu Feb 26 12:34:58 2015] [warn] RSA server certificate CommonName (CN) `host1.example.com' does NOT match server name!?

Recent Changes

Enabled SSL.

Made changes to your proxy configuration or server certificate.

Causes

The ServerName value in your proxy configuration does not match the CommonName (CN) on the server certificate.

Solution

This issue can be resolved by making one of the following changes:

  • Change the ServerName in your proxy configuration to match the CommonName on the server certificate. The CommonName is given in the warning message.
  • Change the CommonName of the certificate key to match the ServerName in your proxy configuration.

Virtual Hosts

Typically when you configure an http server to use SSL, you define a VirtualHost, and assign it a ServerName and a ServerAlias; ensuring the vhost ServerName matches the CommonName in the certificate.

For example:

The CommonName in the certificate = www.host1.example.com but the vhost’s ServerName is set to sso.example.com.

Change the vhost ServerName to match the certificate CommonName (www.host1.example.com) and change the ServerAlias to sso.example.com:

<VirtualHost xx.yy.zz.aa:443> ServerName www.host1.example.com ServerAlias sso.example.com </VirtualHost>

See Also

N/A

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.