[PLUG] Troubleshooting SSL Configuration for SNI

Michael Rasmussen michael at jamhome.us
Wed Nov 26 15:04:02 UTC 2014


I have three SSL enabled hosts on an Apache web server with SSL services provided by GnuTLS.

mod_ssl does not support (at least at the time I first set these up) SNI.

SSL is working properly for two of the three, jamhome.us and michaelsnet.us.
The third site, saunter.us, is being served the jamhome.us SSL cert, resulting in an
ERR_CERT_COMMON_NAME_INVALID

Debug-level logging is enabled for Apache.

When Firefox is used to access saunter.us, this message is recorded:
  [Wed Nov 26 06:43:50 2014] [info] GnuTLS: Fatal Alert From Client: (42) 'Certificate is bad'

(Side note: Chrome does not trigger that log message.)

Certificates have been validated, a CSR decoder was used to validate the CSR I submitted for the saunter.us cert.

I've run out of troubleshooting ideas. What suggestions do you have?

Relevant portions of the config files follow.

   Conf File jamhome.us
<VirtualHost 173.246.104.35:443>
    ServerName      www.jamhome.us
    ServerAlias     jamhome.us

    GnuTLSEnable            on
    GnuTLSPriorities        NORMAL
    GnuTLSSessionTickets    on
    GNUTLSExportCertificates on

    GnuTLSCertificateFile   /path_to/certs/certificate-49851-jamhome.crt
    GnuTLSKeyFile           /path_to/private/jamhome_us.key
    GnuTLSClientCAFile      /path_to/certs/gandi-ca-2014.crt
# other options snipped
</VirtualHost>
End of jamhome.us

   Conf File michaelsnet.us
<VirtualHost  173.246.104.35:443>
    ServerName      www.michaelsnet.us
    ServerAlias     michaelsnet.us 

    GnuTLSEnable            on
    GnuTLSPriorities        NORMAL
    GnuTLSSessionTickets    on
    GNUTLSExportCertificates on

    GnuTLSCertificateFile   /etc/ssl/certs/certificate-49850-michaelsnet.crt
    GnuTLSKeyFile           /etc/ssl/private/michaelsnet_us.key
    GnuTLSClientCAFile      /etc/ssl/certs/gandi-ca-2014.crt
# other options snipped
</VirtualHost>
End of michaelsnet.us

   Conf File saunter.us
<VirtualHost 173.246.104.35:443>
    ServerName      www.saunter.us
    ServerAlias     saunter.us

    GnuTLSEnable            on
    GnuTLSSessionTickets    on
    GnuTLSPriorities        NORMAL
    GNUTLSExportCertificates on

    GnuTLSCertificateFile   /path_to/certs/certificate-100672-saunter.crt
    GnuTLSKeyFile           /path_to/private/saunter_us.key
    GnuTLSClientCAFile      /path_to/certs/gandi-ca-2014.crt
# other options snipped
</VirtualHost>
End of saunter.us

   Conf File gnutls.conf
<IfModule mod_gnutls.c>
  # all options commented out
</IfModule>
End of gnutls.conf

   Conf File ports.conf

NameVirtualHost *:80
Listen [::]:80
Listen 0.0.0.0:80

<IfModule mod_gnutls.c>
    Listen 443 https
    NameVirtualHost 173.246.104.35:443
</IfModule>
End of ports.conf


-- 
      Michael Rasmussen, Portland Oregon  
    Be Appropriate && Follow Your Curiosity
Objects in the calendar are closer than they appear.
	~  Michael Rasmussen
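A check worth running before anything else, added here as an example and not part of the original post: compare the certificate the server actually sends with and without an SNI name. Apache answers a client that sends no SNI, or a name that matches no vhost, with the first vhost defined for that IP and port, so if saunter.us still gets the jamhome.us certificate when the client sends the right name, the question becomes why the saunter.us vhost is not matched or loaded; if it only happens without SNI, that is normal behaviour. The script assumes the openssl command-line tool is installed; the IP address and hostnames are the ones quoted in the post above, and the sample s_client output used in testing is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: show which certificate the server
# presents with and without an SNI name, so a vhost-dispatch problem can be
# told apart from a wrong certificate file. Assumes the openssl CLI is
# installed; the IP address and hostnames are the ones quoted in the post.

HOST_IP=173.246.104.35

# subject_from_s_client: read `openssl s_client` output on stdin and print the
# subject of the leaf certificate (the "subject=" line), nothing else.
subject_from_s_client() {
    sed -n 's/^subject=//p' | head -n 1
}

# cn_of_subject: pull the CN out of a subject line on stdin. Handles both the
# "/C=US/CN=host" layout of older OpenSSL and the "C = US, CN = host" layout
# of OpenSSL 1.1 and later.
cn_of_subject() {
    sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | head -n 1
}

# served_subject HOST [SNI]: connect to HOST:443 and print the subject of the
# certificate it sends. With SNI it behaves like a browser; without, it gets
# whatever the server treats as the default for that address and port.
served_subject() {
    host=$1
    sni=$2
    if [ -n "$sni" ]; then
        out=$(printf '' | openssl s_client -connect "$host:443" -servername "$sni" 2>/dev/null)
    else
        out=$(printf '' | openssl s_client -connect "$host:443" 2>/dev/null)
    fi
    printf '%s\n' "$out" | subject_from_s_client
}

# cert_file_cn FILE: CN in a certificate file on disk, to confirm that the
# file named in GnuTLSCertificateFile really is the certificate you expect.
cert_file_cn() {
    openssl x509 -in "$1" -noout -subject | cn_of_subject
}

# compare_sni SNI_SUBJECT DEFAULT_SUBJECT: returns 0 when SNI changed which
# certificate was sent, 1 when the server answered with its default
# certificate regardless of the name (a dispatch problem, not a bad file).
compare_sni() {
    if [ "$1" = "$2" ]; then
        echo "same certificate with and without SNI: default vhost answered"
        return 1
    fi
    echo "SNI selected a different certificate"
    return 0
}

# The live run is opt-in so the functions above can be sourced or tested
# without touching the network:  SNI_CHECK_LIVE=1 sh sni_check.sh
if [ "${SNI_CHECK_LIVE:-0}" = 1 ]; then
    for name in www.jamhome.us www.michaelsnet.us www.saunter.us; do
        printf '%-20s %s\n' "$name" "$(served_subject "$HOST_IP" "$name")"
    done
    no_sni=$(served_subject "$HOST_IP")
    printf '%-20s %s\n' "(no SNI)" "$no_sni"
    compare_sni "$(served_subject "$HOST_IP" www.saunter.us)" "$no_sni"
fi
```

Run it with SNI_CHECK_LIVE=1 from a machine outside the server; if all three names print the same subject, the SNI name is not reaching the vhost selection at all, whereas if only saunter.us is wrong, cert_file_cn on the file named in its GnuTLSCertificateFile tells you whether the file on disk is the one you think it is.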