Would anything in our port cause this error?
Chris
bsd-lists at bsdforge.com
Tue Dec 29 21:59:58 UTC 2020
On 2020-12-29 13:53, Chris wrote:
> On 2020-12-29 13:15, Chris wrote:
>> On 2020-12-29 11:20, Michael W. Lucas wrote:
>>> Hi,
>>>
>>> Before I build & install apache from scratch to report this bug,
>>> thought I'd see if it rang any bells here.
>>>
>>> The domain name
>>> youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com has a
>>> TLS cert. I can verify it locally.
>>>
>>> $ openssl x509 -in cert.pem -noout -ext subjectAltName
>>> X509v3 Subject Alternative Name:
>>>
>>> DNS:immortalclay.com, DNS:montagueportal.com, DNS:www.immortalclay.com,
>>> DNS:www.montagueportal.com,
>>> DNS:www.youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com,
>>> DNS:youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com
>>>
>>> I can load it in Apache. Works fine on the other sites.
>>>
>>> $ openssl s_client -connect
>>> youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com:443 |openssl
>>> x509
>>> -noout -ext subjectAltName
>>> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>>> verify return:1
>>> depth=0 CN = immortalclay.com
>>> verify return:1
>>> X509v3 Subject Alternative Name:
>>> DNS:immortalclay.com, DNS:montagueportal.com,
>>> DNS:www.immortalclay.com,
>>> DNS:www.montagueportal.com
>>>
>>> It *appears* that Apache is rejecting the overlong hostname.
>>>
>>> Does the port twiddle any related settings?
>> Hmm, you're asking about Apache. But only produce output from testing
>> (open)ssl.
>> I checked, and can confirm your DNS works as you indicate. What does the
>> long-host-name portion of your (apache) configs look like? IOW
>> do you have a stanza that includes something like:
>> <VirtualHost *:443>
>> ServerAdmin hostmaster
>> DocumentRoot "/usr/local/www/long-host-name"
>> ServerName long-host-name
>> ServerAlias www.long-host-name
>> ...
>> </VirtualHost>
>> This is out of my extra/hosts/host-name.conf (where host-name is the host
>> serviced by apache
>>
>> The 2 lines that seem most important are the ServerName && ServerAlias
>>
>> FWIW I can get to your indicated host. But it's serviced on port 80.
>> port 443 reports:
>> Websites prove their identity via certificates. Firefox does not trust this
>> site
>> because it uses a certificate that is not valid for
>> youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com. The
>> certificate is
>> only valid for the following names: immortalclay.com, montagueportal.com,
>> www.immortalclay.com, www.montagueportal.com
>>
>> Error code: SSL_ERROR_BAD_CERT_DOMAIN
>> View Certificate
>>
> OK after pondering things a bit more... I use certbot manually to
> obtain/update
> all the certs for all my hosts/domains. It seems given the error, and your
> output
> that either 1) you're not referencing the cert with the fullchain somewhere.
> are you sure you are directing apache to the correct cert? Does apache log
> anything
> interesting?
> FWIW from certbot:
> -d DOMAIN, --domains DOMAIN, --domain DOMAIN
> Domain names to apply. For multiple domains you can
> use multiple -d flags or enter a comma separated
> list
> of domains as a parameter. The first domain provided
> will be the subject CN of the certificate, and all
> domains will be Subject Alternative Names on the
> certificate. The first domain will also be used in
> some software user interfaces and as the file paths
> for the certificate and related material unless
> otherwise specified or you already have a
> certificate
> with the same name. In the case of a name collision
> it
> will append a number like 0001 to the file path
> name.
> (default: Ask)
> Was that the case when you appended long-host-name to the (parent?)
> host/domain?
>
> Just thought I'd mention it.
> I can help you debug things from the "outside" if you want. Email me
> directly if
> you're interested.
>
Sorry. Forgot to mention:
the cert *I* receive belongs to: immortalclay.com
and
Certificate Subject Alt Name
returns:
Not Critical
DNS Name: immortalclay.com
DNS Name: montagueportal.com
DNS Name: www.immortalclay.com
DNS Name: www.montagueportal.com
HTH
--Chris
>>
>>>
>>> Thanks,
>>> ==ml
>> _______________________________________________
>> freebsd-apache at freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-apache
>> To unsubscribe, send any mail to "freebsd-apache-unsubscribe at freebsd.org"
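The mismatch discussed above (a certificate file with six SANs, but a served certificate with only four) is what a client sees when Apache answers from a different name-based vhost, or from a vhost that points at the wrong certificate file, than the one the client named via SNI. The following is an added example, not code from either poster or from the Apache port: it reproduces the browser's SAN check offline on the two SAN lists quoted in the thread and, when run directly, handshakes with and without SNI to show which certificate each path returns (no SNI is what older `openssl s_client` versions sent without `-servername`; OpenSSL 1.1.1 and later send it by default). The hostnames and SAN lists come from the thread; the function names and verdict labels are this example's own.

```python
# Added example for this thread, not code from either poster or from the port.
# Matching logic runs offline on constructed data; fetch_sans() does network I/O
# and is only called from the __main__ block.
import socket
import ssl

# Constructed from the thread: SANs in the file on disk vs. SANs the server sent.
LONG_NAME = "youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com"
ON_DISK_SANS = ["immortalclay.com", "montagueportal.com", "www.immortalclay.com",
                "www.montagueportal.com", "www." + LONG_NAME, LONG_NAME]
SERVED_SANS = ["immortalclay.com", "montagueportal.com",
               "www.immortalclay.com", "www.montagueportal.com"]


def san_dns_names(cert):
    """DNS entries from the dict that SSLSocket.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive exact match, or a single
    left-most wildcard label ('*.example.com' matches 'a.example.com' only)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Same label count, wildcard covers exactly one label, and at least two
    # fixed labels remain so '*.com' never matches anything.
    return (len(p_labels) == len(h_labels) and len(p_labels) >= 3
            and p_labels[1:] == h_labels[1:])


def cert_covers(hostname, dns_names):
    """True if any SAN entry is valid for hostname (the check a browser makes)."""
    return any(name_matches(n, hostname) for n in dns_names)


def missing_names(vhost_names, dns_names):
    """ServerName/ServerAlias entries that the certificate does not cover."""
    return [n for n in vhost_names if not cert_covers(n, dns_names)]


def diagnose(hostname, sans_with_sni, sans_without_sni):
    """Classify the symptom from two handshakes to the same address."""
    if cert_covers(hostname, sans_with_sni):
        return "ok"
    if set(sans_with_sni) == set(sans_without_sni):
        # Same certificate either way: the vhost for hostname is not selected, or
        # it references the same certificate file as the default vhost.
        return "default-vhost-cert"
    # A different certificate was chosen for the SNI name, but it lacks the name.
    return "sni-vhost-cert-lacks-name"


def fetch_sans(host, port=443, sni=True, timeout=5):
    """Handshake and return the DNS SANs of the leaf certificate. Chain validation
    stays on; only the hostname check is disabled so a mismatched certificate can
    be inspected instead of aborting the handshake. sni=False sends no server_name."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if sni else None) as tls:
            return san_dns_names(tls.getpeercert())


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else LONG_NAME
    with_sni = fetch_sans(host, sni=True)
    without_sni = fetch_sans(host, sni=False)
    print("SANs with SNI   :", with_sni)
    print("SANs without SNI:", without_sni)
    print("verdict:", diagnose(host, with_sni, without_sni))
```

If both handshakes return the same four-name certificate, the vhost with `ServerName` set to the long name is either not being selected for that SNI value or is reading the same certificate file as the default vhost, which is the question Chris raises about the `SSLCertificateFile` path; if the SNI handshake returns a different certificate that still lacks the name, the vhost is selected but points at a stale file.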