[PLUG] Troubleshooting SSL Configuration for SNI
chris (fool) mccraw
gently at gmail.com
Wed Nov 26 16:50:46 UTC 2014
I support some customers who use SNI and this is far and away the most
frequent problem we see:
https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
and this is my favorite tool for analyzing SSL issues:
http://ssllabs.com
It doesn't have much of interest to say about saunter.us except: This site
works only in browsers with SNI support.
Interestingly, it does not say the same thing about jamhome.us
On Wed, Nov 26, 2014 at 7:04 AM, Michael Rasmussen <michael at jamhome.us>
wrote:
> I have three SSL enabled hosts on an Apache web server with SSL services
> provided by GnuTLS.
>
> mod_ssl does not support (at least at the time I first set these up) SNI.
>
> SSL is working properly for two of the three: jamhome.us and michaelsnet.us.
> The third site, saunter.us, is having the jamhome.us SSL cert provided,
> resulting in an
> ERR_CERT_COMMON_NAME_INVALID
>
> Debug-level logging is enabled for Apache.
>
> When Firefox is used to access saunter.us this message is recorded:
> [Wed Nov 26 06:43:50 2014] [info] GnuTLS: Fatal Alert From Client: (42)
> 'Certificate is bad'
>
> (Side note: Chrome does not trigger that log message.)
>
> Certificates have been validated, a CSR decoder was used to validate the
> CSR I submitted for the saunter.us cert.
>
> I've run out of troubleshooting ideas. What suggestions do you have?
>
> Relevant portions of config files follow.
>
> Conf file jamhome.us
> <VirtualHost 173.246.104.35:443>
> ServerName www.jamhome.us
> ServerAlias jamhome.us
>
> GnuTLSEnable on
> GnuTLSPriorities NORMAL
> GnuTLSSessionTickets on
> GNUTLSExportCertificates on
>
> GnuTLSCertificateFile /path_to/certs/certificate-49851-jamhome.crt
> GnuTLSKeyFile /path_to/private/jamhome_us.key
> GnuTLSClientCAFile /path_to/certs/gandi-ca-2014.crt
> # other options snipped
> </VirtualHost>
> End of jamhome.us
>
> Conf File michaelsnet.us
> <VirtualHost 173.246.104.35:443>
> ServerName www.michaelsnet.us
> ServerAlias michaelsnet.us
>
> GnuTLSEnable on
> GnuTLSPriorities NORMAL
> GnuTLSSessionTickets on
> GNUTLSExportCertificates on
>
> GnuTLSCertificateFile /etc/ssl/certs/certificate-49850-michaelsnet.crt
> GnuTLSKeyFile /etc/ssl/private/michaelsnet_us.key
> GnuTLSClientCAFile /etc/ssl/certs/gandi-ca-2014.crt
> # other options snipped
> </VirtualHost>
> End of michaelsnet.us
>
> Conf File saunter.us
> <VirtualHost 173.246.104.35:443>
> ServerName www.saunter.us
> ServerAlias saunter.us
>
> GnuTLSEnable on
> GnuTLSSessionTickets on
> GnuTLSPriorities NORMAL
> GNUTLSExportCertificates on
>
> GnuTLSCertificateFile /path_to/certs/certificate-100672-saunter.crt
> GnuTLSKeyFile /path_to/private/saunter_us.key
> GnuTLSClientCAFile /path_to/certs/gandi-ca-2014.crt
> # other options snipped
> </VirtualHost>
> End of saunter.us
>
> Conf File gnutls.conf
> <IfModule mod_gnutls.c>
> # all options commented out
> </IfModule>
> End of gnutls.conf
>
> Conf File ports.conf
>
> NameVirtualHost *:80
> Listen [::]:80
> Listen 0.0.0.0:80
>
> <IfModule mod_gnutls.c>
> Listen 443 https
> NameVirtualHost 173.246.104.35:443
> </IfModule>
> End of ports.conf
>
>
> --
> Michael Rasmussen, Portland Oregon
> Be Appropriate && Follow Your Curiosity
> Objects in the calendar are closer than they appear.
> ~ Michael Rasmussen
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
>
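The symptom in the thread (saunter.us answered with the jamhome.us certificate, and the Qualys scanner flagging saunter.us as SNI-only) is what a default-vhost fallback looks like: when no usable server_name reaches the vhost selection, Apache serves the first <VirtualHost> defined for that IP:port. The quickest way to tell "server ignores SNI" apart from "the certificate does not cover the name" is to handshake twice, once with SNI and once without, and compare what comes back. The script below is an added example written for this thread, not code from the original post or from mod_gnutls; the IP and hostnames in the usage line are taken from the quoted configs, the certificate dicts in the test are constructed, and the assumption that the no-SNI answer is the default vhost's certificate is the author's, not stated by Apache in the thread.

```python
"""Added example (not from the thread): ask a name-based TLS server which
certificate it serves for a hostname, with and without SNI, and decide
whether that certificate actually covers the name."""
import socket
import ssl
import sys


def san_dns_names(cert):
    """DNS entries from the subjectAltName of a dict in the shape returned
    by ssl.SSLSocket.getpeercert() (binary_form=False)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def subject_cn(cert):
    """The subject commonName, or None. Only consulted when there is no SAN."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison: exact match, or '*' standing for exactly one
    left-most label (so *.example.test covers www.example.test but neither
    example.test nor a.b.example.test). Case-insensitive, trailing dot ignored."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[0] != "" and parts[1] == pattern[2:]
    return False


def cert_covers(cert, hostname):
    """True if hostname is covered by a SAN DNS name; falls back to the subject
    CN only when the certificate carries no SAN DNS names at all (the legacy
    behaviour Chrome's ERR_CERT_COMMON_NAME_INVALID is named after)."""
    names = san_dns_names(cert)
    if not names:
        cn = subject_cn(cert)
        names = [cn] if cn else []
    return any(dns_name_matches(n, hostname) for n in names)


def fetch_cert(ip, port, sni=None, timeout=5.0):
    """Handshake with ip:port and return the peer certificate dict.
    The chain is still verified against the system CA store (getpeercert()
    returns an empty dict otherwise), but hostname checking is off on purpose:
    we want to see which certificate the server chose. sni=None sends no
    server_name extension at all."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the name comparison is done by cert_covers()
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()


def classify(hostname, cert_with_sni, cert_without_sni):
    """Verdict from the two observations. Assumption (ours, not from the
    thread): the certificate served without SNI is the default vhost's, i.e.
    the first <VirtualHost> defined for that ip:port."""
    if cert_covers(cert_with_sni, hostname):
        return "ok: SNI selected a certificate that covers the name"
    if cert_with_sni == cert_without_sni:
        return "server ignored SNI: default vhost certificate served"
    return "wrong certificate even though SNI was honoured"


def diagnose(ip, hostnames, port=443):
    """Probe each hostname once with SNI plus one probe without SNI, and
    return {hostname: (names_in_served_cert, verdict)}."""
    no_sni = fetch_cert(ip, port, sni=None)
    report = {}
    for host in hostnames:
        with_sni = fetch_cert(ip, port, sni=host)
        names = san_dns_names(with_sni) or [subject_cn(with_sni)]
        report[host] = (names, classify(host, with_sni, no_sni))
    return report


if __name__ == "__main__":
    # Usage (IP and names from the quoted configs):
    #   python sni_check.py 173.246.104.35 www.jamhome.us www.michaelsnet.us www.saunter.us
    ip, *hosts = sys.argv[1:]
    for host, (names, verdict) in diagnose(ip, hosts).items():
        print(f"{host}: served cert for {names} -> {verdict}")
```

If the served chain does not validate against the local CA store (self-signed, expired, or an intermediate the server forgot to send), fetch_cert raises ssl.SSLCertVerificationError rather than returning a partial answer; that is itself a finding worth recording before chasing the SNI question. A second "server ignored SNI" verdict for every name on the same IP usually points at the listener rather than any single vhost.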