Date: Tue, 29 Dec 2020 13:53:35 -0800
From: Chris <bsd-lists@bsdforge.com>
To: "Michael W. Lucas" <mwlucas@michaelwlucas.com>
Cc: apache@freebsd.org
Subject: Re: Would anything in our port cause this error?
Message-ID: <ae7c8c3ac1f8446e92a23c18406fa240@bsdforge.com>
In-Reply-To: <16f14184dfaab59666fe1f44d63aeeb0@bsdforge.com>
References: <X+uBluclDHgryASg@mail.mwl.io> <16f14184dfaab59666fe1f44d63aeeb0@bsdforge.com>
On 2020-12-29 13:15, Chris wrote:
> On 2020-12-29 11:20, Michael W. Lucas wrote:
>> Hi,
>>
>> Before I build & install apache from scratch to report this bug,
>> thought I'd see if it rang any bells here.
>>
>> The domain name
>> youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com has a
>> TLS cert. I can verify it locally.
>>
>> $ openssl x509 -in cert.pem -noout -ext subjectAltName
>> X509v3 Subject Alternative Name:
>>     DNS:immortalclay.com, DNS:montagueportal.com, DNS:www.immortalclay.com,
>>     DNS:www.montagueportal.com,
>>     DNS:www.youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com,
>>     DNS:youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com
>>
>> I can load it in Apache. Works fine on the other sites.
>>
>> $ openssl s_client -connect youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com:443 | openssl x509 -noout -ext subjectAltName
>> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>> verify return:1
>> depth=0 CN = immortalclay.com
>> verify return:1
>> X509v3 Subject Alternative Name:
>>     DNS:immortalclay.com, DNS:montagueportal.com, DNS:www.immortalclay.com,
>>     DNS:www.montagueportal.com
>>
>> It *appears* that Apache is rejecting the overlong hostname.
>>
>> Does the port twiddle any related settings?
>
> Hmm, you're asking about Apache, but only produce output from testing
> (open)ssl.
> I checked, and can confirm your DNS works as you indicate. What does the
> long-host-name portion of your (apache) configs look like? IOW
> do you have a stanza that includes something like:
>
>     <VirtualHost *:443>
>         ServerAdmin hostmaster
>         DocumentRoot "/usr/local/www/long-host-name"
>         ServerName long-host-name
>         ServerAlias www.long-host-name
>         ...
>     </VirtualHost>
>
> This is out of my extra/hosts/host-name.conf (where host-name is the host
> serviced by apache).
>
> The 2 lines that seem most important are the ServerName && ServerAlias.
>
> FWIW I can get to your indicated host. But it's serviced on port 80.
> Port 443 reports:
>
>     Websites prove their identity via certificates. Firefox does not trust this
>     site because it uses a certificate that is not valid for
>     youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com. The
>     certificate is only valid for the following names: immortalclay.com,
>     montagueportal.com, www.immortalclay.com, www.montagueportal.com
>
>     Error code: SSL_ERROR_BAD_CERT_DOMAIN
>     View Certificate

OK, after pondering things a bit more...

I use certbot manually to obtain/update all the certs for all my hosts/domains.
It seems, given the error and your output, that either

1) you're not referencing the cert with the fullchain somewhere. Are you sure
you are directing apache to the correct cert? Does apache log anything
interesting?

FWIW from certbot:

    -d DOMAIN, --domains DOMAIN, --domain DOMAIN
        Domain names to apply. For multiple domains you can use multiple -d
        flags or enter a comma separated list of domains as a parameter. The
        first domain provided will be the subject CN of the certificate, and
        all domains will be Subject Alternative Names on the certificate. The
        first domain will also be used in some software user interfaces and as
        the file paths for the certificate and related material unless
        otherwise specified or you already have a certificate with the same
        name. In the case of a name collision it will append a number like
        0001 to the file path name. (default: Ask)

Was that the case when you appended long-host-name to the (parent?)
host/domain? Just thought I'd mention it.

I can help you debug things from the "outside" if you want. Email me directly
if you're interested.

--Chris

>>
>> Thanks,
>> ==ml
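The diagnostic the thread is doing by eye, as an added example (this is not code from either poster): parse the two `openssl x509 -noout -ext subjectAltName` listings quoted above, apply the DNS-ID matching rule browsers use when they raise SSL_ERROR_BAD_CERT_DOMAIN, and list which names the locally verified certificate carries that the served certificate does not. A label-length check is included because the "overlong hostname" hypothesis is easy to rule in or out: DNS limits a label to 63 octets and a name to 253. The function names are this example's own; the two SAN listings are copied from the messages above.

```python
"""Does the certificate a server presents cover the hostname being requested?

Added example for the thread above; not code from the original messages.
It parses the text that `openssl x509 -noout -ext subjectAltName` prints and
applies RFC 6125 DNS-ID matching (case-insensitive exact match, or a wildcard
that is the entire leftmost label and matches exactly one label).
"""
import re

# Listing copied from the thread: the certificate file verified locally.
LOCAL_CERT_SAN = """X509v3 Subject Alternative Name:
    DNS:immortalclay.com, DNS:montagueportal.com, DNS:www.immortalclay.com,
    DNS:www.montagueportal.com,
    DNS:www.youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com,
    DNS:youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com
"""

# Listing copied from the thread: the certificate the server actually sent.
SERVED_CERT_SAN = """X509v3 Subject Alternative Name:
    DNS:immortalclay.com, DNS:montagueportal.com, DNS:www.immortalclay.com,
    DNS:www.montagueportal.com
"""

LONG_HOST = "youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com"


def parse_dns_sans(openssl_output: str) -> list[str]:
    """Return the DNS: entries from the openssl listing, lower-cased, in order."""
    return [m.lower() for m in re.findall(r"DNS:([^,\s]+)", openssl_output)]


def dns_id_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 DNS-ID match: exact, or '*.' as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # "*.example.com" matches "a.example.com" but neither "example.com"
    # nor "a.b.example.com": the wildcard stands for exactly one label.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def san_covers(sans: list[str], hostname: str) -> bool:
    """True if any SAN entry matches the requested hostname."""
    return any(dns_id_matches(s, hostname) for s in sans)


def label_lengths_ok(hostname: str) -> bool:
    """RFC 1035 limits: each label at most 63 octets, whole name at most 253."""
    name = hostname.rstrip(".")
    return len(name) <= 253 and all(0 < len(label) <= 63 for label in name.split("."))


def missing_from_served(local_output: str, served_output: str) -> list[str]:
    """Names in the locally verified cert that the served cert lacks.

    A non-empty result means the server handed out a different certificate
    than the file checked locally, so the place to look is which certificate
    file the responding VirtualHost points at, not the hostname itself.
    """
    served = set(parse_dns_sans(served_output))
    return [n for n in parse_dns_sans(local_output) if n not in served]


if __name__ == "__main__":
    local = parse_dns_sans(LOCAL_CERT_SAN)
    served = parse_dns_sans(SERVED_CERT_SAN)
    print("local cert covers long host: ", san_covers(local, LONG_HOST))
    print("served cert covers long host:", san_covers(served, LONG_HOST))
    print("hostname within DNS length limits:", label_lengths_ok(LONG_HOST))
    print("names missing from served cert:", missing_from_served(LOCAL_CERT_SAN, SERVED_CERT_SAN))
```

Run against the listings from the thread, the local file covers the long name, the served certificate does not, and the name is well inside the DNS length limits, which points the investigation at which certificate file the responding VirtualHost references rather than at the length of the name.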