Date: Tue, 29 Dec 2020 14:00:31 -0800
From: Chris <bsd-lists@bsdforge.com>
To: "Michael W. Lucas" <mwlucas@michaelwlucas.com>
Cc: apache@freebsd.org
Subject: Re: Would anything in our port cause this error?
Message-ID: <ae40454213af199049e95833741558b4@bsdforge.com>
In-Reply-To: <ae7c8c3ac1f8446e92a23c18406fa240@bsdforge.com>
References: <X%2BuBluclDHgryASg@mail.mwl.io> <16f14184dfaab59666fe1f44d63aeeb0@bsdforge.com> <ae7c8c3ac1f8446e92a23c18406fa240@bsdforge.com>
On 2020-12-29 13:53, Chris wrote:
> On 2020-12-29 13:15, Chris wrote:
>> On 2020-12-29 11:20, Michael W. Lucas wrote:
>>> Hi,
>>>
>>> Before I build & install apache from scratch to report this bug,
>>> thought I'd see if it rang any bells here.
>>>
>>> The domain name
>>> youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com has a
>>> TLS cert. I can verify it locally.
>>>
>>> $ openssl x509 -in cert.pem -noout -ext subjectAltName
>>> X509v3 Subject Alternative Name:
>>>     DNS:immortalclay.com, DNS:montagueportal.com, DNS:www.immortalclay.com,
>>>     DNS:www.montagueportal.com,
>>>     DNS:www.youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com,
>>>     DNS:youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com
>>>
>>> I can load it in Apache. Works fine on the other sites.
>>>
>>> $ openssl s_client -connect youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com:443 | openssl x509 -noout -ext subjectAltName
>>> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>>> verify return:1
>>> depth=0 CN = immortalclay.com
>>> verify return:1
>>> X509v3 Subject Alternative Name:
>>>     DNS:immortalclay.com, DNS:montagueportal.com, DNS:www.immortalclay.com,
>>>     DNS:www.montagueportal.com
>>>
>>> It *appears* that Apache is rejecting the overlong hostname.
>>>
>>> Does the port twiddle any related settings?
>>
>> Hmm, you're asking about Apache. But only produce output from testing
>> (open)ssl.
>> I checked, and can confirm your DNS works as you indicate. What does the
>> long-host-name portion of your (apache) configs look like? IOW
>> do you have a stanza that includes something like:
>>
>> <VirtualHost *:443>
>>     ServerAdmin hostmaster
>>     DocumentRoot "/usr/local/www/long-host-name"
>>     ServerName long-host-name
>>     ServerAlias www.long-host-name
>>     ...
>> </VirtualHost>
>>
>> This is out of my extra/hosts/host-name.conf (where host-name is the host
>> serviced by apache).
>>
>> The 2 lines that seem most important are the ServerName && ServerAlias.
>>
>> FWIW I can get to your indicated host. But it's serviced on port 80.
>> Port 443 reports:
>>
>>     Websites prove their identity via certificates. Firefox does not trust
>>     this site because it uses a certificate that is not valid for
>>     youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com. The
>>     certificate is only valid for the following names: immortalclay.com,
>>     montagueportal.com, www.immortalclay.com, www.montagueportal.com
>>
>>     Error code: SSL_ERROR_BAD_CERT_DOMAIN
>>     View Certificate
>>
> OK, after pondering things a bit more... I use certbot manually to
> obtain/update all the certs for all my hosts/domains. It seems, given the
> error and your output, that either 1) you're not referencing the cert with
> the fullchain somewhere. Are you sure you are directing apache to the
> correct cert? Does apache log anything interesting?
>
> FWIW from certbot:
>
>   -d DOMAIN, --domains DOMAIN, --domain DOMAIN
>                         Domain names to apply. For multiple domains you can
>                         use multiple -d flags or enter a comma separated
>                         list of domains as a parameter. The first domain
>                         provided will be the subject CN of the certificate,
>                         and all domains will be Subject Alternative Names on
>                         the certificate. The first domain will also be used
>                         in some software user interfaces and as the file
>                         paths for the certificate and related material
>                         unless otherwise specified or you already have a
>                         certificate with the same name. In the case of a
>                         name collision it will append a number like 0001 to
>                         the file path name. (default: Ask)
>
> Was that the case when you appended long-host-name to the (parent?)
> host/domain?
>
> Just thought I'd mention it.
> I can help you debug things from the "outside" if you want. Email me
> directly if you're interested.
>
> Sorry.

Forgot to mention; the cert *I* receive belongs to: immortalclay.com
and Certificate Subject Alt Name returns:

    Not Critical
    DNS Name: immortalclay.com
    DNS Name: montagueportal.com
    DNS Name: www.immortalclay.com
    DNS Name: www.montagueportal.com

HTH

--Chris

>>
>>> Thanks,
>>> ==ml
>>
>> _______________________________________________
>> freebsd-apache@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-apache
>> To unsubscribe, send any mail to "freebsd-apache-unsubscribe@freebsd.org"
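The diagnosis in this thread comes down to comparing two SAN lists: the one in the cert file on disk (six names) and the one the server actually presents for the long name (four names). This added script, not part of the thread, does that comparison with the standard library only; `served_dns_names` sends the name as SNI explicitly and keeps chain verification on but hostname checking off, so a wrong-name certificate is returned for inspection instead of aborting the handshake, and `diagnose` separates "the file lacks the name" from "Apache is serving a different cert than the file you checked" (stale SSLCertificateFile path such as a certbot -0001 lineage, no reload after renewal, or the request landing in another vhost). The hostname and SAN lists in the test are the ones quoted above.

```python
"""Compare the DNS SANs a TLS server presents for a name (via SNI) with the
DNS SANs of the certificate file it is supposed to be serving.
Added example for this thread, standard library only."""
import socket
import ssl


def hostname_covered(hostname, dns_names):
    """RFC 6125-style match: exact (case-insensitive) or one leading
    wildcard label; '*.example.com' covers 'a.example.com', not 'example.com'."""
    host = hostname.lower().rstrip(".")
    for name in dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.split(".", 1)[1] == name[2:]):
            return True
    return False


def served_dns_names(hostname, port=443, timeout=5.0):
    """DNS SANs of the certificate the server returns for this SNI name.
    The chain is still verified (so getpeercert() is populated), but hostname
    checking is off so a wrong-name cert comes back instead of raising."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def diagnose(hostname, local_sans, served_sans):
    """Say which side of the deployment is wrong for this hostname."""
    if hostname_covered(hostname, served_sans):
        return "ok"
    if hostname_covered(hostname, local_sans):
        # File on disk is fine but Apache hands out a different cert: stale
        # SSLCertificateFile path (e.g. a certbot -0001 lineage), no reload
        # after renewal, or the request landing in a different vhost.
        return "served-cert-stale-or-wrong-vhost"
    return "cert-file-lacks-name"


if __name__ == "__main__":
    import sys
    print(served_dns_names(sys.argv[1]))
```

Run it as `python3 sancheck.py <hostname>` to see what a live server presents, then feed that list and the SANs from `openssl x509 -in cert.pem -noout -ext subjectAltName` to `diagnose`.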