Would anything in our port cause this error?

Chris bsd-lists at bsdforge.com
Tue Dec 29 21:59:58 UTC 2020


On 2020-12-29 13:53, Chris wrote:
> On 2020-12-29 13:15, Chris wrote:
>> On 2020-12-29 11:20, Michael W. Lucas wrote:
>>> Hi,
>>> 
>>> Before I build & install apache from scratch to report this bug,
>>> thought I'd see if it rang any bells here.
>>> 
>>> The domain name
>>> youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com has a
>>> TLS cert. I can verify it locally.
>>> 
>>> $ openssl x509 -in cert.pem -noout -ext subjectAltName
>>> X509v3 Subject Alternative Name:
>>> 
>>> DNS:immortalclay.com, DNS:montagueportal.com, DNS:www.immortalclay.com,
>>> DNS:www.montagueportal.com,
>>> DNS:www.youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com,
>>> DNS:youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com
>>> 
>>> I can load it in Apache. Works fine on the other sites.
>>> 
>>> $ openssl s_client -connect youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com:443 | openssl x509 -noout -ext subjectAltName
>>> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>>> verify return:1
>>> depth=0 CN = immortalclay.com
>>> verify return:1
>>> X509v3 Subject Alternative Name:
>>>     DNS:immortalclay.com, DNS:montagueportal.com, DNS:www.immortalclay.com,
>>>     DNS:www.montagueportal.com
>>> 
>>> It *appears* that Apache is rejecting the overlong hostname.
>>> 
>>> Does the port twiddle any related settings?
>> Hmm, you're asking about Apache, but only produce output from testing
>> (open)ssl.
>> I checked, and can confirm your DNS works as you indicate. What does the
>> long-host-name portion of your (apache) configs look like? IOW
>> do you have a stanza that includes something like:
>> <VirtualHost *:443>
>>     ServerAdmin hostmaster
>>     DocumentRoot "/usr/local/www/long-host-name"
>>     ServerName long-host-name
>>     ServerAlias www.long-host-name
>> ...
>> </VirtualHost>
>> This is out of my extra/hosts/host-name.conf (where host-name is the host
>> serviced by apache).
>> 
>> The 2 lines that seem most important are the ServerName && ServerAlias
>> 
>> FWIW I can get to your indicated host. But it's serviced on port 80.
>> port 443 reports:
>> Websites prove their identity via certificates. Firefox does not trust this
>> site because it uses a certificate that is not valid for
>> youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com. The
>> certificate is only valid for the following names: immortalclay.com,
>> montagueportal.com, www.immortalclay.com, www.montagueportal.com
>> 
>> Error code: SSL_ERROR_BAD_CERT_DOMAIN
>> View Certificate
>> 
> OK after pondering things a bit more... I use certbot manually to
> obtain/update all the certs for all my hosts/domains. It seems given the
> error, and your output, that either 1) you're not referencing the cert with
> the fullchain somewhere. Are you sure you are directing apache to the
> correct cert? Does apache log anything interesting?
> FWIW from certbot:
>   -d DOMAIN, --domains DOMAIN, --domain DOMAIN
>                         Domain names to apply. For multiple domains you can
>                         use multiple -d flags or enter a comma separated list
>                         of domains as a parameter. The first domain provided
>                         will be the subject CN of the certificate, and all
>                         domains will be Subject Alternative Names on the
>                         certificate. The first domain will also be used in
>                         some software user interfaces and as the file paths
>                         for the certificate and related material unless
>                         otherwise specified or you already have a certificate
>                         with the same name. In the case of a name collision it
>                         will append a number like 0001 to the file path name.
>                         (default: Ask)
> Was that the case when you appended long-host-name to the (parent?) 
> host/domain?
> 
> Just thought I'd mention it.
> I can help you debug things from the "outside" if you want. Email me
> directly if you're interested.
> 
Sorry. Forgot to mention;
the cert *I* receive belongs to: immortalclay.com
and
Certificate Subject Alt Name
returns:
Not Critical
DNS Name: immortalclay.com
DNS Name: montagueportal.com
DNS Name: www.immortalclay.com
DNS Name: www.montagueportal.com

HTH

--Chris
>> 
>>> 
>>> Thanks,
>>> ==ml
>> _______________________________________________
>> freebsd-apache at freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-apache
>> To unsubscribe, send any mail to "freebsd-apache-unsubscribe at freebsd.org"
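Added diagnostic, not code from the thread or from the FreeBSD port: it replays the s_client check from a Python client that sends the long name as SNI, then tests the served DNS SANs against that name the way Firefox does, which is the comparison that yields SSL_ERROR_BAD_CERT_DOMAIN above. Apache chooses the certificate by the SNI name the client sends, so a client that sends none (or an older openssl s_client run without -servername) gets the default vhost's certificate, which is worth ruling out before blaming hostname length. SERVED_CERT is a constructed stand-in for the certificate shown in the thread; the argv usage is an assumption.

```python
"""Diagnose SSL_ERROR_BAD_CERT_DOMAIN: does the cert served for an SNI name list it?"""
import socket
import ssl
import sys

def san_dns_names(cert):
    """DNS entries from the dict that SSLSocket.getpeercert() returns."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(hostname, pattern):
    """RFC 6125-style comparison: exact match, or a leftmost '*' label that
    covers exactly one label (no partial-label or multi-level wildcards)."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if pat[0] != "*" or len(pat) < 3:
        return host == pat
    return len(host) == len(pat) and host[1:] == pat[1:]

def covering_name(hostname, cert):
    """The SAN that covers hostname, or None. Only SANs count: browsers ignore
    the CN, so CN=immortalclay.com cannot rescue a name missing from the SANs."""
    for san in san_dns_names(cert):
        if name_matches(hostname, san):
            return san
    return None

def fetch_cert(host, sni, port=443):
    """Connect to host:port with sni in the ClientHello and return the leaf cert
    as a getpeercert() dict. Only the hostname check is disabled; verify_mode
    stays CERT_REQUIRED because getpeercert() returns {} for an unverified peer."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # chain still verified, name mismatch tolerated
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()

# Constructed stand-in for the cert seen in the thread: CN set, long name absent.
SERVED_CERT = {
    "subject": ((("commonName", "immortalclay.com"),),),
    "subjectAltName": (("DNS", "immortalclay.com"), ("DNS", "montagueportal.com"),
                       ("DNS", "www.immortalclay.com"), ("DNS", "www.montagueportal.com")),
}

if __name__ == "__main__":
    host = sys.argv[1]            # browsers send the hostname they dial as SNI
    cert = fetch_cert(host, host)
    print("served SANs:", ", ".join(san_dns_names(cert)))
    hit = covering_name(host, cert)
    print("covered by", hit if hit else "nothing -> SSL_ERROR_BAD_CERT_DOMAIN")
```

Run it twice, once with the long name and once with immortalclay.com; if both report the same four SANs, the vhost for the long name is serving (or falling back to) the default vhost's certificate file rather than the one checked locally.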