Would anything in our port cause this error?
Chris
bsd-lists at bsdforge.com
Tue Dec 29 21:53:04 UTC 2020
On 2020-12-29 13:15, Chris wrote:
> On 2020-12-29 11:20, Michael W. Lucas wrote:
>> Hi,
>>
>> Before I build & install apache from scratch to report this bug,
>> thought I'd see if it rang any bells here.
>>
>> The domain name
>> youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com has a
>> TLS cert. I can verify it locally.
>>
>> $ openssl x509 -in cert.pem -noout -ext subjectAltName
>> X509v3 Subject Alternative Name:
>>
>> DNS:immortalclay.com, DNS:montagueportal.com, DNS:www.immortalclay.com,
>> DNS:www.montagueportal.com,
>> DNS:www.youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com,
>> DNS:youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com
>>
>> I can load it in Apache. Works fine on the other sites.
>>
>> $ openssl s_client -connect youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com:443 | openssl x509 -noout -ext subjectAltName
>> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>> verify return:1
>> depth=0 CN = immortalclay.com
>> verify return:1
>> X509v3 Subject Alternative Name:
>> DNS:immortalclay.com, DNS:montagueportal.com, DNS:www.immortalclay.com,
>> DNS:www.montagueportal.com
>>
>> It *appears* that Apache is rejecting the overlong hostname.
>>
>> Does the port twiddle any related settings?
> Hmm, you're asking about Apache, but only produce output from testing
> (open)ssl.
> I checked, and can confirm your DNS works as you indicate. What does the
> long-host-name portion of your (apache) configs look like? IOW, do you have
> a stanza that includes something like:
> <VirtualHost *:443>
> ServerAdmin hostmaster
> DocumentRoot "/usr/local/www/long-host-name"
> ServerName long-host-name
> ServerAlias www.long-host-name
> ...
> </VirtualHost>
> This is out of my extra/hosts/host-name.conf (where host-name is the host
> serviced by apache).
>
> The 2 lines that seem most important are the ServerName && ServerAlias
>
> FWIW I can get to your indicated host. But it's serviced on port 80.
> port 443 reports:
> Websites prove their identity via certificates. Firefox does not trust this
> site because it uses a certificate that is not valid for
> youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com. The
> certificate is only valid for the following names: immortalclay.com,
> montagueportal.com, www.immortalclay.com, www.montagueportal.com
>
> Error code: SSL_ERROR_BAD_CERT_DOMAIN
> View Certificate
>
OK after pondering things a bit more... I use certbot manually to obtain/update
all the certs for all my hosts/domains. It seems, given the error and your
output, that either 1) you're not referencing the cert with the fullchain
somewhere. Are you sure you are directing apache to the correct cert? Does
apache log anything interesting?
FWIW from certbot:
-d DOMAIN, --domains DOMAIN, --domain DOMAIN
Domain names to apply. For multiple domains you can
use multiple -d flags or enter a comma separated list
of domains as a parameter. The first domain provided
will be the subject CN of the certificate, and all
domains will be Subject Alternative Names on the
certificate. The first domain will also be used in
some software user interfaces and as the file paths
for the certificate and related material unless
otherwise specified or you already have a certificate
with the same name. In the case of a name collision it
will append a number like 0001 to the file path name.
(default: Ask)
Was that the case when you appended long-host-name to the (parent?)
host/domain?
Just thought I'd mention it.
I can help you debug things from the "outside" if you want. Email me directly
if you're interested.
--Chris
>
>>
>> Thanks,
>> ==ml
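The check Chris is suggesting (is the cert Apache actually serves the one that carries the long names?) can be done mechanically from the two `openssl ... -ext subjectAltName` outputs quoted above. The following is an added example, not code from the thread: it parses pasted openssl SAN output, applies RFC 6125-style name matching (wildcard only as the whole leftmost label, covering a single label), reports which expected vhost names the served certificate does not cover, and confirms the long name is within DNS length limits. The sample SAN text and expected-name list are constructed from the thread.

```python
"""Compare the SANs openssl prints against the hostnames a vhost must serve."""
from __future__ import annotations
import re

SAN_RE = re.compile(r"DNS:([A-Za-z0-9.*-]+)")

def parse_san_output(text: str) -> list[str]:
    """Extract DNS entries from `openssl x509 -noout -ext subjectAltName`
    output; the header line and any line wrapping are ignored."""
    return [name.lower().rstrip(".") for name in SAN_RE.findall(text)]

def san_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: a wildcard must be the entire leftmost label,
    needs at least two labels after it, and never spans a dot."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p, h = pattern.split("."), host.split(".")
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]

def missing_names(expected: list[str], san_text: str) -> list[str]:
    """Expected hostnames that no SAN covers, i.e. the names a browser
    would reject with SSL_ERROR_BAD_CERT_DOMAIN."""
    sans = parse_san_output(san_text)
    return [h for h in expected if not any(san_matches(s, h) for s in sans)]

def dns_name_length_ok(host: str) -> bool:
    """RFC 1035 limits: each label at most 63 octets, whole text-form
    name at most 253 characters; rules out 'overlong hostname' as a cause."""
    name = host.rstrip(".")
    return len(name) <= 253 and all(0 < len(l) <= 63 for l in name.split("."))

# Constructed from the thread: SANs of the certificate Apache actually served.
SERVED_SAN_OUTPUT = """X509v3 Subject Alternative Name:
    DNS:immortalclay.com, DNS:montagueportal.com, DNS:www.immortalclay.com,
    DNS:www.montagueportal.com
"""
# Names the vhost is expected to answer for (ServerName + ServerAlias).
EXPECTED = [
    "youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com",
    "www.youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com",
    "immortalclay.com",
]

if __name__ == "__main__":
    for name in missing_names(EXPECTED, SERVED_SAN_OUTPUT):
        print(f"not covered by served cert: {name}")
```

Run it once against the SANs of the cert file on disk and once against the SANs from `openssl s_client`; if only the served list comes back with missing names, Apache is pointed at a different (older or -0001) certificate than the one you verified locally.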