[PLUG] Troubleshooting SSL Configuration for SNI
Michael Rasmussen
michael at jamhome.us
Wed Nov 26 15:04:02 UTC 2014
I have three SSL enabled hosts on an Apache web server with SSL services provided by GnuTLS.
mod_ssl does not support (at least at the time I first set these up) SNI.
SSL is working properly for two of the three: jamhome.us and michaelsnet.us.
The third site, saunter.us, is having the jamhome.us SSL cert provided, resulting in an
ERR_CERT_COMMON_NAME_INVALID
Debug level logging is enabled for Apache.
When Firefox is used to access saunter.us this message is recorded:
[Wed Nov 26 06:43:50 2014] [info] GnuTLS: Fatal Alert From Client: (42) 'Certificate is bad'
(Side note: Chrome does not trigger that log message.)
Certificates have been validated; a CSR decoder was used to validate the CSR I submitted for the saunter.us cert.
I've run out of troubleshooting ideas. What suggestions do you have?
Relevant portions of config files follow.
Conf File jamhome.us
<VirtualHost 173.246.104.35:443>
ServerName www.jamhome.us
ServerAlias jamhome.us
GnuTLSEnable on
GnuTLSPriorities NORMAL
GnuTLSSessionTickets on
GNUTLSExportCertificates on
GnuTLSCertificateFile /path_to/certs/certificate-49851-jamhome.crt
GnuTLSKeyFile /path_to/private/jamhome_us.key
GnuTLSClientCAFile /path_to/certs/gandi-ca-2014.crt
# other options snipped
</VirtualHost>
End of jamhome.us
Conf File michaelsnet.us
<VirtualHost 173.246.104.35:443>
ServerName www.michaelsnet.us
ServerAlias michaelsnet.us
GnuTLSEnable on
GnuTLSPriorities NORMAL
GnuTLSSessionTickets on
GNUTLSExportCertificates on
GnuTLSCertificateFile /etc/ssl/certs/certificate-49850-michaelsnet.crt
GnuTLSKeyFile /etc/ssl/private/michaelsnet_us.key
GnuTLSClientCAFile /etc/ssl/certs/gandi-ca-2014.crt
# other options snipped
</VirtualHost>
End of michaelsnet.us
Conf File saunter.us
<VirtualHost 173.246.104.35:443>
ServerName www.saunter.us
ServerAlias saunter.us
GnuTLSEnable on
GnuTLSSessionTickets on
GnuTLSPriorities NORMAL
GNUTLSExportCertificates on
GnuTLSCertificateFile /path_to/certs/certificate-100672-saunter.crt
GnuTLSKeyFile /path_to/private/saunter_us.key
GnuTLSClientCAFile /path_to/certs/gandi-ca-2014.crt
# other options snipped
</VirtualHost>
End of saunter.us
Conf File gnutls.conf
<IfModule mod_gnutls.c>
# all options commented out
</IfModule>
End of gnutls.conf
Conf File ports.conf
NameVirtualHost *:80
Listen [::]:80
Listen 0.0.0.0:80
<IfModule mod_gnutls.c>
Listen 443 https
NameVirtualHost 173.246.104.35:443
</IfModule>
End of ports.conf
--
Michael Rasmussen, Portland Oregon
Be Appropriate && Follow Your Curiosity
Objects in the calendar are closer than they appear.
~ Michael Rasmussen
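A small diagnostic that reproduces what the browser is doing in the post above: open a TLS connection with a chosen SNI name, take whatever certificate the server hands back, and check whether that certificate actually covers the name (a mismatch is what Chrome reports as ERR_CERT_COMMON_NAME_INVALID, and what Firefox answers with the "bad certificate" alert 42 seen in the GnuTLS log). This is an added example, not code from the original post or from mod_gnutls; the hostnames and the SAMPLE_CERT dictionary are constructed placeholders, and the name-matching rules (SAN dNSName first, CN only when the certificate has no SAN at all, a wildcard covering exactly one leftmost label) are an assumption about how clients of the period validated names. Run it as `python3 snicheck.py <host> <sni-name>` against a live server, or with no arguments to see the logic applied to the constructed sample.

```python
"""Probe which certificate a TLS server presents for a given SNI name and
report whether that certificate covers the name.  Added example; the hosts
and the sample certificate are constructed, not taken from the original post."""
import socket
import ssl
import sys


def cert_names(cert):
    """Return (subject CN, [SAN dNSName entries]) from an ssl.getpeercert() dict."""
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return cn, sans


def name_matches(pattern, hostname):
    """Exact match, or a single '*' covering exactly one leftmost label
    (*.example.com matches a.example.com but not example.com or a.b.example.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    head = hostname[: -len(suffix)]
    return bool(head) and "." not in head


def cert_covers(cert, hostname):
    """True if a SAN dNSName covers hostname; fall back to the CN only when the
    certificate carries no SAN entries at all (assumed legacy client behaviour)."""
    cn, sans = cert_names(cert)
    if sans:
        return any(name_matches(san, hostname) for san in sans)
    return cn is not None and name_matches(cn, hostname)


def diagnose(cert, sni_name):
    """Human-readable verdict for the certificate returned for sni_name."""
    if cert_covers(cert, sni_name):
        return "ok: certificate covers %s" % sni_name
    cn, sans = cert_names(cert)
    return "MISMATCH: asked for %s, server presented CN=%s SAN=%s" % (sni_name, cn, sans)


def probe(host, port, sni_name, timeout=5.0):
    """Connect to host:port sending sni_name in the ClientHello and return the
    peer certificate as a dict.  Chain verification stays on (so getpeercert()
    yields the parsed form), but hostname checking is turned off so that a
    certificate for the wrong name is returned instead of raising."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
            return tls.getpeercert()


# Constructed sample: what a server that ignores SNI and always serves the
# certificate of its default virtual host would hand back.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example-default.test"),),),
    "subjectAltName": (
        ("DNS", "www.example-default.test"),
        ("DNS", "example-default.test"),
    ),
}

if __name__ == "__main__":
    if len(sys.argv) > 2:
        host, sni = sys.argv[1], sys.argv[2]
        try:
            cert = probe(host, 443, sni)
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            print("connection or handshake failed:", exc)
            sys.exit(1)
    else:
        cert, sni = SAMPLE_CERT, "www.example-other.test"
    print(diagnose(cert, sni))
```

If the verdict for the third site names the first site's certificate, the server is not selecting the virtual host by SNI; if the handshake fails before a certificate is returned, the problem is earlier in the chain (trust or key/cert mismatch) rather than name selection.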