Date: Tue, 29 Dec 2020 13:15:27 -0800
From: Chris <bsd-lists@bsdforge.com>
To: "Michael W. Lucas" <mwlucas@michaelwlucas.com>
Cc: apache@freebsd.org
Subject: Re: Would anything in our port cause this error?
Message-ID: <16f14184dfaab59666fe1f44d63aeeb0@bsdforge.com>
In-Reply-To: <X%2BuBluclDHgryASg@mail.mwl.io>
References: <X%2BuBluclDHgryASg@mail.mwl.io>

On 2020-12-29 11:20, Michael W. Lucas wrote:
> Hi,
>
> Before I build & install apache from scratch to report this bug,
> thought I'd see if it rang any bells here.
>
> The domain name
> youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com has a
> TLS cert. I can verify it locally.
>
> $ openssl x509 -in cert.pem -noout -ext subjectAltName
> X509v3 Subject Alternative Name:
>
> DNS:immortalclay.com, DNS:montagueportal.com, DNS:www.immortalclay.com,
> DNS:www.montagueportal.com,
> DNS:www.youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com,
> DNS:youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com
>
> I can load it in Apache. Works fine on the other sites.
>
> $ openssl s_client -connect youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com:443 |openssl x509 -noout -ext subjectAltName
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify return:1
> depth=0 CN = immortalclay.com
> verify return:1
> X509v3 Subject Alternative Name:
> DNS:immortalclay.com, DNS:montagueportal.com, DNS:www.immortalclay.com,
> DNS:www.montagueportal.com
>
> It *appears* that Apache is rejecting the overlong hostname.
>
> Does the port twiddle any related settings?

Hmm, you're asking about Apache. But only produce output from testing
(open)ssl. I checked, and can confirm your DNS works as you indicate.
What does the long-host-name portion of your (apache) configs look like?
IOW do you have a stanza that includes something like:

<VirtualHost *:443>
    ServerAdmin hostmaster
    DocumentRoot "/usr/local/www/long-host-name"
    ServerName long-host-name
    ServerAlias www.long-host-name
    ...
</VirtualHost>

This is out of my extra/hosts/host-name.conf (where host-name is the
host serviced by apache).
The 2 lines that seem most important are the ServerName && ServerAlias.

FWIW I can get to your indicated host. But it's serviced on port 80.
Port 443 reports:

    Websites prove their identity via certificates.
    Firefox does not trust this site because it uses a certificate that
    is not valid for
    youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com.
    The certificate is only valid for the following names:
    immortalclay.com, montagueportal.com, www.immortalclay.com,
    www.montagueportal.com

    Error code: SSL_ERROR_BAD_CERT_DOMAIN
    View Certificate

HTH

--Chris

>
> Thanks,
> ==ml
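
Added example, not part of the original message or of the port: a small Python check that parses the two `openssl x509 -noout -ext subjectAltName` outputs quoted in the thread and reports which names in the certificate file are absent from the certificate Apache actually served. The function names are illustrative, and the wildcard rule (left-most label only) goes beyond the names in this thread.

```python
import re

# Outputs copied from the thread above: the certificate file on disk vs.
# the certificate served on port 443.
ON_DISK = """X509v3 Subject Alternative Name:
    DNS:immortalclay.com, DNS:montagueportal.com, DNS:www.immortalclay.com,
    DNS:www.montagueportal.com,
    DNS:www.youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com,
    DNS:youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com
"""
SERVED = """depth=0 CN = immortalclay.com
verify return:1
X509v3 Subject Alternative Name:
    DNS:immortalclay.com, DNS:montagueportal.com, DNS:www.immortalclay.com,
    DNS:www.montagueportal.com
"""

def san_dns_names(openssl_text):
    """Return the DNS SAN entries that follow the SAN header in openssl output."""
    names, in_san = set(), False
    for line in openssl_text.splitlines():
        if "Subject Alternative Name" in line:
            in_san = True
            continue
        if in_san:
            names.update(n.lower() for n in re.findall(r"DNS:([^\s,]+)", line))
    return names

def covers(san_names, host):
    """Exact match, or a wildcard that replaces only the left-most label."""
    host = host.lower().rstrip(".")
    for name in san_names:
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def compare(on_disk_text, served_text, host):
    """Summarise how the served certificate differs from the file on disk."""
    disk, served = san_dns_names(on_disk_text), san_dns_names(served_text)
    return {
        "missing_from_served": sorted(disk - served),
        "file_covers_host": covers(disk, host),
        "served_covers_host": covers(served, host),
    }

if __name__ == "__main__":
    host = "youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com"
    for key, value in compare(ON_DISK, SERVED, host).items():
        print(key, "=", value)
```

A non-empty `missing_from_served` list together with `file_covers_host` being true means the server handed out a different certificate than the file that was inspected, which is why the reply asks for the VirtualHost stanza.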