From: Chris <bsd-lists@bsdforge.com>
To: "Michael W. Lucas"
Cc: apache@freebsd.org
Date: Tue, 29 Dec 2020 14:00:31 -0800
Subject: Re: Would anything in our port cause this error?
List-Id: Support of apache-related ports <freebsd-apache@freebsd.org>

On 2020-12-29 13:53, Chris wrote:
> On 2020-12-29 13:15, Chris wrote:
>> On 2020-12-29 11:20, Michael W. Lucas wrote:
>>> Hi,
>>>
>>> Before I build & install apache from scratch to report this bug,
>>> thought I'd see if it rang any bells here.
>>>
>>> The domain name
>>> youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com has a
>>> TLS cert. I can verify it locally.
>>>
>>> $ openssl x509 -in cert.pem -noout -ext subjectAltName
>>> X509v3 Subject Alternative Name:
>>>     DNS:immortalclay.com, DNS:montagueportal.com, DNS:www.immortalclay.com,
>>>     DNS:www.montagueportal.com,
>>>     DNS:www.youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com,
>>>     DNS:youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com
>>>
>>> I can load it in Apache. Works fine on the other sites.
>>>
>>> $ openssl s_client -connect youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com:443 | openssl x509 -noout -ext subjectAltName
>>> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>>> verify return:1
>>> depth=0 CN = immortalclay.com
>>> verify return:1
>>> X509v3 Subject Alternative Name:
>>>     DNS:immortalclay.com, DNS:montagueportal.com,
>>>     DNS:www.immortalclay.com,
>>>     DNS:www.montagueportal.com
>>>
>>> It *appears* that Apache is rejecting the overlong hostname.
>>>
>>> Does the port twiddle any related settings?
>>
>> Hmm, you're asking about Apache, but only produce output from testing
>> (open)ssl.
>> I checked, and can confirm your DNS works as you indicate. What does the
>> long-host-name portion of your (apache) configs look like? IOW,
>> do you have a stanza that includes something like:
>>
>>     ServerAdmin hostmaster
>>     DocumentRoot "/usr/local/www/long-host-name"
>>     ServerName long-host-name
>>     ServerAlias www.long-host-name
>>     ...
>>
>> This is out of my extra/hosts/host-name.conf (where host-name is the host
>> serviced by apache).
>>
>> The 2 lines that seem most important are the ServerName && ServerAlias.
>>
>> FWIW I can get to your indicated host. But it's serviced on port 80.
>> Port 443 reports:
>>
>>     Websites prove their identity via certificates. Firefox does not trust
>>     this site because it uses a certificate that is not valid for
>>     youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com. The
>>     certificate is only valid for the following names: immortalclay.com,
>>     montagueportal.com, www.immortalclay.com, www.montagueportal.com
>>
>>     Error code: SSL_ERROR_BAD_CERT_DOMAIN
>>     View Certificate
>>
> OK, after pondering things a bit more... I use certbot manually to
> obtain/update all the certs for all my hosts/domains. It seems, given the
> error and your output, that either 1) you're not referencing the cert with
> the fullchain somewhere. Are you sure you are directing apache to the
> correct cert? Does apache log anything interesting?
>
> FWIW from certbot:
>
>     -d DOMAIN, --domains DOMAIN, --domain DOMAIN
>                         Domain names to apply. For multiple domains you can
>                         use multiple -d flags or enter a comma separated list
>                         of domains as a parameter. The first domain provided
>                         will be the subject CN of the certificate, and all
>                         domains will be Subject Alternative Names on the
>                         certificate. The first domain will also be used in
>                         some software user interfaces and as the file paths
>                         for the certificate and related material unless
>                         otherwise specified or you already have a certificate
>                         with the same name. In the case of a name collision it
>                         will append a number like 0001 to the file path name.
>                         (default: Ask)
>
> Was that the case when you appended long-host-name to the (parent?)
> host/domain?
>
> Just thought I'd mention it.
> I can help you debug things from the "outside" if you want. Email me
> directly if you're interested.
>
Sorry. Forgot to mention; the cert *I* receive belongs to: immortalclay.com
and Certificate Subject Alt Name returns:

    Not Critical
    DNS Name: immortalclay.com
    DNS Name: montagueportal.com
    DNS Name: www.immortalclay.com
    DNS Name: www.montagueportal.com

HTH
--Chris

>>
>>> Thanks,
>>> ==ml
>>
>> _______________________________________________
>> freebsd-apache@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-apache
>> To unsubscribe, send any mail to "freebsd-apache-unsubscribe@freebsd.org"
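The diagnosis the thread converges on (the certificate file on disk lists the long hostname in its Subject Alternative Name, but the certificate the server actually hands out does not, so clients report SSL_ERROR_BAD_CERT_DOMAIN) can be checked mechanically rather than by eye. The script below is an added example, not code from the thread or from the FreeBSD apache port: it parses the `DNS:` entries out of `openssl x509 -noout -ext subjectAltName` output, matches a hostname against them with RFC 6125 rules (exact match, or a single leftmost `*` label that must not be the whole registrable domain), and compares the on-disk certificate with the served one. The two SAN blocks are re-typed from the outputs quoted above as constructed fixtures; the function and variable names are my own. One practical caveat when reproducing the served side: `openssl s_client -connect host:443` without `-servername host` sends no SNI, so a name-based vhost setup will answer with its default vhost's certificate, which would make a correctly configured server look broken; pass `-servername` before trusting the comparison.

```python
import re

# Constructed fixtures: the two "openssl x509 -noout -ext subjectAltName"
# outputs quoted in the thread (local cert file vs. certificate served on :443).
LOCAL_CERT_SAN = """X509v3 Subject Alternative Name:
    DNS:immortalclay.com, DNS:montagueportal.com, DNS:www.immortalclay.com,
    DNS:www.montagueportal.com,
    DNS:www.youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com,
    DNS:youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com
"""

SERVED_CERT_SAN = """X509v3 Subject Alternative Name:
    DNS:immortalclay.com, DNS:montagueportal.com, DNS:www.immortalclay.com,
    DNS:www.montagueportal.com
"""

LONG_HOST = "youkeepusingthatwordidonotthinkitmeanswhatyouthinkitmeans.com"


def parse_san_dns_names(openssl_output: str) -> list:
    """Pull every DNS: entry out of `openssl x509 -ext subjectAltName` text.

    Entries are comma separated and may wrap across lines; DNS names are
    case-insensitive, so they are lower-cased here for comparison.
    """
    return [name.lower() for name in re.findall(r"DNS:([^,\s]+)", openssl_output)]


def san_entry_matches(entry: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one SAN dNSName against a hostname.

    Rules applied: exact (case-insensitive) match; otherwise the entry may
    carry a wildcard only as its complete leftmost label, that label matches
    exactly one hostname label, and at least two labels must follow the
    wildcard (so "*.com" never matches anything).
    """
    entry = entry.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if entry == hostname:
        return True
    if not entry.startswith("*."):
        return False
    e_labels, h_labels = entry.split("."), hostname.split(".")
    if len(e_labels) < 3 or len(e_labels) != len(h_labels):
        return False
    return h_labels[0] != "" and e_labels[1:] == h_labels[1:]


def hostname_covered(openssl_output: str, hostname: str) -> bool:
    """True if any SAN DNS entry in the openssl output covers hostname."""
    return any(san_entry_matches(n, hostname) for n in parse_san_dns_names(openssl_output))


def diagnose(local_san: str, served_san: str, hostname: str) -> str:
    """Compare the certificate on disk with the one the server presents.

    Returns:
      "ok"                  - the served certificate covers the name
      "wrong-vhost-or-cert" - the file on disk covers it but the server hands
                              out a different certificate (vhost/SSLCertificateFile
                              mismatch, or the client sent no SNI)
      "cert-lacks-name"     - neither covers it: re-issue with the name added
    """
    if hostname_covered(served_san, hostname):
        return "ok"
    if hostname_covered(local_san, hostname):
        return "wrong-vhost-or-cert"
    return "cert-lacks-name"


if __name__ == "__main__":
    for host in (LONG_HOST, "www.montagueportal.com", "nonexistent.example"):
        print(f"{host}: {diagnose(LOCAL_CERT_SAN, SERVED_CERT_SAN, host)}")
```

To use it on a live host, feed `openssl x509 -in /path/to/fullchain.pem -noout -ext subjectAltName` as the local side and `openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName` as the served side; a result of `wrong-vhost-or-cert` points at the Apache vhost (`ServerName`/`ServerAlias`/`SSLCertificateFile`) rather than at certbot.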