From: Chris <bsd-lists@bsdforge.com>
To: "Michael W. Lucas"
Cc: apache@freebsd.org
Subject: Re: Would anything in our port cause this error?
Date: Tue, 29 Dec 2020 13:15:27 -0800
Message-ID: <16f14184dfaab59666fe1f44d63aeeb0@bsdforge.com>
List-Id: Support of apache-related ports <freebsd-apache@freebsd.org>

On 2020-12-29 11:20, Michael W. Lucas wrote:
> Hi,
>
> Before I build & install apache from scratch to report this bug,
> thought I'd see if it rang any bells here.
>
> The domain name
> youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com has a
> TLS cert. I can verify it locally.
>
> $ openssl x509 -in cert.pem -noout -ext subjectAltName
> X509v3 Subject Alternative Name:
>     DNS:immortalclay.com, DNS:montagueportal.com, DNS:www.immortalclay.com,
>     DNS:www.montagueportal.com,
>     DNS:www.youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com,
>     DNS:youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com
>
> I can load it in Apache. Works fine on the other sites.
>
> $ openssl s_client -connect youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com:443 | openssl x509 -noout -ext subjectAltName
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify return:1
> depth=0 CN = immortalclay.com
> verify return:1
> X509v3 Subject Alternative Name:
>     DNS:immortalclay.com, DNS:montagueportal.com, DNS:www.immortalclay.com,
>     DNS:www.montagueportal.com
>
> It *appears* that Apache is rejecting the overlong hostname.
>
> Does the port twiddle any related settings?

Hmm, you're asking about Apache, but only produce output from testing (open)ssl.

I checked, and can confirm your DNS works as you indicate. What does the long-host-name portion of your (apache) configs look like? IOW, do you have a stanza that includes something like:

    ServerAdmin hostmaster
    DocumentRoot "/usr/local/www/long-host-name"
    ServerName long-host-name
    ServerAlias www.long-host-name
    ...

This is out of my extra/hosts/host-name.conf (where host-name is the host serviced by apache). The 2 lines that seem most important are the ServerName && ServerAlias.

FWIW I can get to your indicated host. But it's serviced on port 80. Port 443 reports:

    Websites prove their identity via certificates. Firefox does not trust
    this site because it uses a certificate that is not valid for
    youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com. The
    certificate is only valid for the following names: immortalclay.com,
    montagueportal.com, www.immortalclay.com, www.montagueportal.com

    Error code: SSL_ERROR_BAD_CERT_DOMAIN

HTH

--Chris

>
> Thanks,
> ==ml
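The two openssl runs in the thread differ in one thing the reply does not spell out: the local run reads the file Michael installed, while the s_client run shows whatever certificate the server chose for the connection. The following script is an added example, not code from either poster or from the FreeBSD port. It makes the SNI name explicit with `-servername` (so the result does not depend on which OpenSSL version's s_client default is in use), then checks the presented subjectAltName list against the requested name, including the one-label wildcard rule. The function names `fetch_san`, `san_has_name` and `check_host` are my own; the SAN text used below is the one quoted in the thread, reproduced here as constructed input.

```shell
#!/bin/sh
# Added example (not part of the thread): fetch the certificate a server
# presents for a given SNI name and check whether that name is covered.

# fetch_san HOST [PORT]
# Connect with SNI set to HOST, as a browser would, and print the
# subjectAltName extension of the leaf certificate the server presented.
# Needs network access and OpenSSL >= 1.1.1 (for `x509 -ext`).
fetch_san() {
    host=$1
    port=${2:-443}
    openssl s_client -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName
}

# san_has_name SAN_TEXT HOSTNAME
# SAN_TEXT is the text printed by `openssl x509 -noout -ext subjectAltName`
# (the header line plus one or more lines of "DNS:..., DNS:..." entries).
# Returns 0 when HOSTNAME is covered by a DNS entry, 1 otherwise.
# Matching is case-insensitive; a "*.example" entry covers exactly one
# extra leftmost label (no partial-label wildcards, no multi-label matches).
san_has_name() {
    san_text=$1
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    # The here-document feeds one lower-cased DNS name per line; the loop
    # runs in the current shell, so `return` leaves the function directly.
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        case $name in
            '*.'*)
                suffix=${name#\*.}
                head=${want%".$suffix"}
                # a match needs: the suffix stripped something, a non-empty
                # remaining label, and that label contains no further dot
                if [ "$head" != "$want" ] && [ -n "$head" ] && [ "${head#*.}" = "$head" ]; then
                    return 0
                fi
                ;;
            *)
                if [ "$name" = "$want" ]; then
                    return 0
                fi
                ;;
        esac
    done <<EOF
$(printf '%s\n' "$san_text" | tr ',' '\n' \
    | sed -e 's/^[[:space:]]*//' -e '/^DNS:/!d' -e 's/^DNS://' | tr 'A-Z' 'a-z')
EOF
    return 1
}

# check_host HOST [PORT]
# Fetch the SAN list the server presents for HOST and report the result.
# Exit status: 0 covered, 1 mismatch (SSL_ERROR_BAD_CERT_DOMAIN territory),
# 2 no certificate could be fetched.
check_host() {
    san=$(fetch_san "$1" "${2:-443}") || return 2
    [ -n "$san" ] || return 2
    if san_has_name "$san" "$1"; then
        echo "OK: certificate presented for SNI $1 covers $1"
    else
        echo "MISMATCH: certificate presented for SNI $1 does not cover $1"
        echo "$san"
        return 1
    fi
}
```

Run `check_host youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com` against the live server to reproduce what Firefox reported. The caveat worth keeping in mind while reading the output: when the SNI name matches no `ServerName` or `ServerAlias` of any `<VirtualHost>` on that address:port, mod_ssl answers with the certificate of the first vhost defined for it, so seeing immortalclay.com's certificate is exactly what a vhost that never matched looks like, and says nothing about the certificate file itself being rejected.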