Product Knowledge Base

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

Setting up a reverse proxy

[ssl:warn] [pid xxx] AH01909: RSA certificate configured for SERVER does NOT include an ID which matches the server name

When setting up a reverse proxy with Apache, you might the following warning when looking at ssl_error_log (per default you should find this file under /var/log/httpd):

[ssl:warn] [pid xxx] AH01909: RSA certificate configured for SERVER does NOT include an ID which matches the server name

In that case, follow the instructions as described in this post (have only a look at the answer marked with a (tick)): http://serverfault.com/questions/578061/rsa-certificate-configured-for-server-does-not-include-an-id-which-matches-the-s

[ssl:warn] [pid xxx] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

When setting up a reverse proxy with Apache, you might the following warning when looking at ssl_error_log (per default you should find this file under /var/log/httpd):

[ssl:warn] [pid xxx] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

In that case, follow the instructions as described in this article: http://sysadmin.compxtreme.ro/how-to-deal-with-rsa-server-certificate-is-a-ca-certificate-basicconstraints-ca-true-problem/

httpd service can not be restarted

Configuration errors

This might happen because there is an error in the Apache configuration (either in httpd.conf, in conf.d/ssl.conf or in an extra configuration file you would include). In order to know the reason why the service could not be started, type the following command:

journalctl -xelu httpd

Missing SELinux permissions

If there is no error in your Apache configuration and the service restart throws the following error:

httpd Server not started: (13)Permission denied: make_sock: could not bind to address [::]:24445

Then you have to add the specific port you are doing the configuration for (in our case we use the port 24445 as in the example in the article JobScheduler Universal Agent - connecting via HTTPS) tot your sistem's SELinux configuration and allow this port for httpd as follows:

sudo semanage port -a -t http_port_t -p tcp 24445

List of certificated in Java Truststore

In case you created a self-signed certificate and imported this certificate into the Java Truststore of JobScheduler Master, you can use the following command the following command in order to see if the certificate was added properly to the Java Truststore and get the detailed information of the certificate:

"<path_to_java_for_job_scheduler>\bin\keytool" -list -keystore "<path_to_java_for_job_scheduler>\lib\security\cacerts" -storepass changeit

Setting Logging Level to Debug for Apache

Either in httpd.conf, in conf.d/ssl.conf or in an extra configuration file you would include in order to configure the reverse proxy,  add the following line to your configuration:

LogLevel Debug

This will activate the debug level for SSL and Proxy, which you can then find in the following logs (per default you should find this file under /var/log/httpd :

  • ssl_access_log
  • ssl_error_log
  • ssl_request_log

 

 

  • No labels