On Fri, Jul 30, 2021 at 03:01:50PM -0400, Exim Users wrote:
> On Fri, Jul 30, 2021 at 07:29:33PM +0100, Alain D D Williams via Exim-users wrote:
>
> > I get this error in B's log, it is complaining that M's certificate is using
> > the public name, not the VPN name:
> >
> > [78.32.209.33] SSL verify error: certificate name mismatch:
> > DN="/CN=freshmint.phcomp.co.uk" H="mint-vpn.phcomp.co.uk"
> >
> > I could generate a certificate that is for 'mint-vpn' without much problem.
> >
> > My question
> >
> > How do I get exim on M to present the 'mint-vpn' certificate to
> > connections that come over the VPN?
>
> Exim supports SNI-based server certificate selection. Configure the
> appropriate certificate for each SNI name. Configure the VPN client
> to send SNI, and otherwise default to the public IP name.
Yes: that works on my machine B, which has several names; the certificate has several SNI names in it.

I do not think that I can do that here. The certificate is given to me by Let's Encrypt (LE). LE verifies the (SNI) name by asking the agent to upload a nonce (a file with 86 random bytes) to where it can see it via a web server. Unfortunately mint-vpn.phcomp.co.uk should only be visible via the VPN, so LE will not verify it and so will not generate & sign a certificate that contains it.

I suppose that I could hack Apache to allow an exception to /.well-known/acme-challenge/ from externally.

-- 
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  https://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: https://www.phcomp.co.uk/Contact.html
#include <std_disclaimer.h>

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
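The SNI-based certificate selection that the quoted reply recommends, written out as an added example (this is not configuration from the thread or from the Exim project). On the server M, Exim expands tls_certificate and tls_privatekey when a TLS session starts and, because the expansions reference $tls_in_sni, expands them again once the client's SNI has arrived; comparing the SNI against a fixed name, rather than splicing $tls_in_sni into a file path, means an attacker-chosen SNI value can never select an arbitrary file. On the client B, the smtp transport's tls_sni option makes Exim send SNI at all. The file locations, the transport name and the hosts list are assumptions.

```exim
# --- On M (the server): main configuration section ---
# Added example, not the original poster's configuration.
# $tls_in_sni holds the SNI sent by the connecting client (empty if none).
# The match is an exact string compare, so a client cannot steer the
# expansion to a path of its choosing; any other SNI, or no SNI, falls
# back to the public-name certificate. Paths are assumptions.

tls_certificate = ${if eq{$tls_in_sni}{mint-vpn.phcomp.co.uk} \
                     {/etc/exim/tls/mint-vpn.phcomp.co.uk.pem} \
                     {/etc/exim/tls/freshmint.phcomp.co.uk.pem}}

tls_privatekey  = ${if eq{$tls_in_sni}{mint-vpn.phcomp.co.uk} \
                     {/etc/exim/tls/mint-vpn.phcomp.co.uk.key} \
                     {/etc/exim/tls/freshmint.phcomp.co.uk.key}}

# Optional: record the received SNI on the "<=" log line so that a
# mismatch like the one in B's log can be diagnosed from M's side too.
log_selector = +tls_sni

# --- On B (the client): transports section ---
# Assumed transport name and hosts list. Sending the name B is connecting
# to as SNI is what lets M pick the mint-vpn certificate; with no SNI, M
# serves the freshmint certificate and B's name check fails as logged.
remote_smtp_vpn:
  driver  = smtp
  hosts   = mint-vpn.phcomp.co.uk
  tls_sni = $host
```

To confirm which certificate M presents, connect twice from a machine on the VPN with `openssl s_client -connect <M's VPN address>:25 -starttls smtp`, once with `-servername mint-vpn.phcomp.co.uk` and once without, and compare the subject line in the two outputs; only the first should show the mint-vpn name.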