From: Chris <bsd-lists@bsdforge.com>
To: "Michael W. Lucas"
Cc: apache@freebsd.org
Subject: Re: Would anything in our port cause this error?
Date: Tue, 29 Dec 2020 13:53:35 -0800
In-Reply-To: <16f14184dfaab59666fe1f44d63aeeb0@bsdforge.com>

On 2020-12-29 13:15, Chris wrote:
> On 2020-12-29 11:20, Michael W. Lucas wrote:
>> Hi,
>>
>> Before I build & install apache from scratch to report this bug,
>> thought I'd see if it rang any bells here.
>>
>> The domain name
>> youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com has a
>> TLS cert. I can verify it locally.
>>
>> $ openssl x509 -in cert.pem -noout -ext subjectAltName
>> X509v3 Subject Alternative Name:
>> DNS:immortalclay.com, DNS:montagueportal.com, DNS:www.immortalclay.com,
>> DNS:www.montagueportal.com,
>> DNS:www.youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com,
>> DNS:youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com
>>
>> I can load it in Apache. Works fine on the other sites.
>>
>> $ openssl s_client -connect youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com:443 | openssl x509 -noout -ext subjectAltName
>> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>> verify return:1
>> depth=0 CN = immortalclay.com
>> verify return:1
>> X509v3 Subject Alternative Name:
>> DNS:immortalclay.com, DNS:montagueportal.com, DNS:www.immortalclay.com,
>> DNS:www.montagueportal.com
>>
>> It *appears* that Apache is rejecting the overlong hostname.
>>
>> Does the port twiddle any related settings?
>
> Hmm, you're asking about Apache, but only produce output from testing
> (open)ssl.
> I checked, and can confirm your DNS works as you indicate. What does the
> long-host-name portion of your (apache) configs look like? IOW,
> do you have a stanza that includes something like:
>
>     ServerAdmin hostmaster
>     DocumentRoot "/usr/local/www/long-host-name"
>     ServerName long-host-name
>     ServerAlias www.long-host-name
>     ...
>
> This is out of my extra/hosts/host-name.conf (where host-name is the host
> serviced by apache).
>
> The 2 lines that seem most important are the ServerName && ServerAlias.
>
> FWIW I can get to your indicated host. But it's serviced on port 80.
> Port 443 reports:
>
>     Websites prove their identity via certificates. Firefox does not trust
>     this site because it uses a certificate that is not valid for
>     youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com. The
>     certificate is only valid for the following names: immortalclay.com,
>     montagueportal.com, www.immortalclay.com, www.montagueportal.com
>
>     Error code: SSL_ERROR_BAD_CERT_DOMAIN
>     View Certificate

OK, after pondering things a bit more...

I use certbot manually to obtain/update all the certs for all my
hosts/domains. It seems, given the error and your output, that either
1) you're not referencing the cert with the fullchain somewhere. Are you
sure you are directing apache to the correct cert? Does apache log
anything interesting?

FWIW, from certbot:

    -d DOMAIN, --domains DOMAIN, --domain DOMAIN
        Domain names to apply. For multiple domains you can use multiple
        -d flags or enter a comma separated list of domains as a
        parameter. The first domain provided will be the subject CN of
        the certificate, and all domains will be Subject Alternative
        Names on the certificate. The first domain will also be used in
        some software user interfaces and as the file paths for the
        certificate and related material unless otherwise specified or
        you already have a certificate with the same name. In the case
        of a name collision it will append a number like 0001 to the
        file path name. (default: Ask)

Was that the case when you appended long-host-name to the (parent?)
host/domain? Just thought I'd mention it.

I can help you debug things from the "outside" if you want. Email me
directly if you're interested.

--Chris

>> Thanks,
>> ==ml
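The following is an added example, not code from this thread or from the FreeBSD Apache port, that automates the comparison made above: it connects with SNI set to the name under test (which `openssl s_client` only does when given `-servername`) and reports whether that name is in the served certificate's SAN list. It assumes only Python's standard `ssl` module; the embedded SAN sample is constructed to mirror the four-name list quoted in the thread, so the offline check needs no network.

```python
import socket
import ssl


def san_dns_names(peercert):
    """Collect the DNS entries from the subjectAltName of a getpeercert() dict."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def name_covered(hostname, san_names):
    """True if hostname matches a SAN exactly or via a single-label wildcard,
    the RFC 6125 rule browsers apply ('*.x.com' covers 'a.x.com', not 'b.a.x.com')."""
    host = hostname.lower().rstrip(".")
    for san in san_names:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]  # ".example.com"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else None
            if prefix and "." not in prefix:
                return True
    return False


def fetch_peercert(hostname, port=443, timeout=5.0):
    """Connect with SNI set to hostname, as a browser does, and return the served
    certificate. check_hostname is off so a mismatched cert can still be inspected;
    the chain is still verified against the default trust store."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def diagnose(hostname, peercert):
    """Human-readable verdict on whether the served cert covers hostname."""
    names = san_dns_names(peercert)
    if name_covered(hostname, names):
        return "OK: %s is covered by [%s]" % (hostname, ", ".join(names))
    return ("MISMATCH: %s is not in SAN list [%s]; check the SSLCertificateFile of the "
            "vhost whose ServerName/ServerAlias carries that name" % (hostname, ", ".join(names)))


# Constructed sample shaped like the four-name SAN list quoted in the thread.
SERVED_SAMPLE = {
    "subject": ((("commonName", "immortalclay.com"),),),
    "subjectAltName": (("DNS", "immortalclay.com"), ("DNS", "montagueportal.com"),
                       ("DNS", "www.immortalclay.com"), ("DNS", "www.montagueportal.com")),
}
LONG_NAME = "youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com"
```

To run it against a live host, call `diagnose(name, fetch_peercert(name))`; running it once per ServerName/ServerAlias in the vhost config shows which names the selected certificate actually covers.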