Would anything in our port cause this error?

Chris bsd-lists at bsdforge.com
Tue Dec 29 21:14:56 UTC 2020


On 2020-12-29 11:20, Michael W. Lucas wrote:
> Hi,
> 
> Before I build & install apache from scratch to report this bug,
> thought I'd see if it rang any bells here.
> 
> The domain name
> youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com has a
> TLS cert. I can verify it locally.
> 
> $ openssl x509 -in cert.pem -noout -ext subjectAltName
> X509v3 Subject Alternative Name:
> 
> DNS:immortalclay.com, DNS:montagueportal.com, DNS:www.immortalclay.com,
> DNS:www.montagueportal.com,
> DNS:www.youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com,
> DNS:youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com
> 
> I can load it in Apache. Works fine on the other sites.
> 
> $ openssl s_client -connect youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com:443 | openssl x509 -noout -ext subjectAltName
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify return:1
> depth=0 CN = immortalclay.com
> verify return:1
> X509v3 Subject Alternative Name:
>     DNS:immortalclay.com, DNS:montagueportal.com, DNS:www.immortalclay.com,
> DNS:www.montagueportal.com
> 
> It *appears* that Apache is rejecting the overlong hostname.
> 
> Does the port twiddle any related settings?

Hmm, you're asking about Apache. But only produce output from testing (open)ssl.
I checked, and can confirm your DNS works as you indicate. What does the
long-host-name portion of your (apache) configs look like? IOW
do you have a stanza that includes something like:
<VirtualHost *:443>
     ServerAdmin hostmaster
     DocumentRoot "/usr/local/www/long-host-name"
     ServerName long-host-name
     ServerAlias www.long-host-name
...
</VirtualHost>
This is out of my extra/hosts/host-name.conf (where host-name is the host
serviced by apache).

The 2 lines that seem most important are the ServerName && ServerAlias

FWIW I can get to your indicated host. But it's serviced on port 80.
port 443 reports:
Websites prove their identity via certificates. Firefox does not trust this 
site because it uses a certificate that is not valid for 
youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com. The 
certificate is only valid for the following names: immortalclay.com, 
montagueportal.com, www.immortalclay.com, www.montagueportal.com

Error code: SSL_ERROR_BAD_CERT_DOMAIN
View Certificate

HTH

--Chris

> 
> Thanks,
> ==ml
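
The comparison discussed in this thread (names in the certificate file versus names in the certificate the server presents on port 443) can be scripted. The following is an added example, not part of either message and not code from the port; the helper names `san_names`, `san_missing` and `san_covers` are hypothetical, and the sample text is the two openssl outputs quoted above.

```shell
#!/bin/sh
# Added example: diff the SANs in the on-disk cert against the SANs served.

# Output copied from the two openssl commands quoted in the thread.
HOST=youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com
DISK_SAN=$(cat <<EOF
X509v3 Subject Alternative Name:

DNS:immortalclay.com, DNS:montagueportal.com, DNS:www.immortalclay.com,
DNS:www.montagueportal.com,
DNS:www.$HOST,
DNS:$HOST
EOF
)
SERVED_SAN=$(cat <<EOF
depth=0 CN = immortalclay.com
verify return:1
X509v3 Subject Alternative Name:
    DNS:immortalclay.com, DNS:montagueportal.com, DNS:www.immortalclay.com,
DNS:www.montagueportal.com
EOF
)

# san_names: read `openssl x509 -noout -ext subjectAltName` output on stdin,
# print one DNS name per line. Tolerates wrapped lines and s_client chatter.
san_names() {
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p' | sort -u
}

# san_missing A B: names in output A that do not appear in output B.
san_missing() {
    served=$(printf '%s\n' "$2" | san_names)
    printf '%s\n' "$1" | san_names | while IFS= read -r name; do
        printf '%s\n' "$served" | grep -Fxq -- "$name" || printf '%s\n' "$name"
    done
}

# san_covers NAME: exit 0 if NAME is listed verbatim in the output on stdin
# (exact match only; wildcard entries are not expanded).
san_covers() {
    san_names | grep -Fxqi -- "$1"
}

echo "In cert.pem but not in the served certificate:"
san_missing "$DISK_SAN" "$SERVED_SAN"
printf '%s\n' "$SERVED_SAN" | san_covers "$HOST" || echo "served cert does not cover $HOST"
```

For a live check, replace the two sample variables with the output of `openssl x509 -in cert.pem -noout -ext subjectAltName` and of the `s_client ... | openssl x509 -noout -ext subjectAltName` pipeline. A non-empty result from `san_missing` means the vhost answering on 443 is serving a different certificate than the file that was inspected.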

