I support some customers who use SNI and this is far and away the most
frequent problem we see:

https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

and this is my favorite tool for analyzing SSL issues:

http://ssllabs.com

It doesn't have much of interest to say about saunter.us except:  This site
works only in browsers with SNI support.

Interestingly, it does not say the same thing about jamhome.us





On Wed, Nov 26, 2014 at 7:04 AM, Michael Rasmussen <mich...@jamhome.us>
wrote:

> I have three SSL enabled hosts on an Apache web server with SSL services
> provided by GnuTLS.
>
> mod_ssl does not support (at least at the time I first set these up) SNI.
>
> SSL is working properly for two of the three, jamhome.us and michaelsnet.us.
> The third site, saunter.us, is having the jamhome.us SSL cert provided,
> resulting in an
> ERR_CERT_COMMON_NAME_INVALID
>
> debug level logging is enabled for Apache.
>
> When Firefox is used to access saunter.us this message is recorded:
>   [Wed Nov 26 06:43:50 2014] [info] GnuTLS: Fatal Alert From Client: (42) 'Certificate is bad'
>
> (Side note: Chrome does not trigger that log message.)
>
> Certificates have been validated, a CSR decoder was used to validate the
> CSR I submitted for the saunter.us cert.
>
> I've run out of troubleshooting ideas.   What suggestions do you have?
>
> Relevant portions of config files follow.
>
>     Conf file jamhome.us
> <VirtualHost 173.246.104.35:443>
>     ServerName      www.jamhome.us
>     ServerAlias     jamhome.us
>
>     GnuTLSEnable            on
>     GnuTLSPriorities        NORMAL
>     GnuTLSSessionTickets    on
>     GNUTLSExportCertificates on
>
>     GnuTLSCertificateFile   /path_to/certs/certificate-49851-jamhome.crt
>     GnuTLSKeyFile           /path_to/private/jamhome_us.key
>     GnuTLSClientCAFile      /path_to/certs/gandi-ca-2014.crt
> # other options snipped
> </VirtualHost>
> End of jamhome.us
>
>    Conf File michaelsnet.us
> <VirtualHost  173.246.104.35:443>
>     ServerName      www.michaelsnet.us
>     ServerAlias     michaelsnet.us
>
>     GnuTLSEnable            on
>     GnuTLSPriorities        NORMAL
>     GnuTLSSessionTickets    on
>     GNUTLSExportCertificates on
>
>     GnuTLSCertificateFile   /etc/ssl/certs/certificate-49850-michaelsnet.crt
>     GnuTLSKeyFile           /etc/ssl/private/michaelsnet_us.key
>     GnuTLSClientCAFile      /etc/ssl/certs/gandi-ca-2014.crt
> # other options snipped
> </VirtualHost>
> End of michaelsnet.us
>
>    Conf File saunter.us
> <VirtualHost 173.246.104.35:443>
>     ServerName      www.saunter.us
>     ServerAlias         saunter.us
>
>     GnuTLSEnable            on
>     GnuTLSSessionTickets    on
>     GnuTLSPriorities        NORMAL
>     GNUTLSExportCertificates on
>
>     GnuTLSCertificateFile   /path_to/certs/certificate-100672-saunter.crt
>     GnuTLSKeyFile           /path_to/private/saunter_us.key
>     GnuTLSClientCAFile      /path_to/certs/gandi-ca-2014.crt
> # other options snipped
> </VirtualHost>
> End of saunter.us
>
>    Conf File gnutls.conf
> <IfModule mod_gnutls.c>
>   # all options commented out
> </IfModule>
> End of gnutls.conf
>
>    Conf File ports.conf
>
> NameVirtualHost *:80
> Listen [::]:80
> Listen 0.0.0.0:80
>
> <IfModule mod_gnutls.c>
>     Listen 443 https
>     NameVirtualHost 173.246.104.35:443
> </IfModule>
> End of ports.conf
>
>
> --
>       Michael Rasmussen, Portland Oregon
>     Be Appropriate && Follow Your Curiosity
> Objects in the calendar are closer than they appear.
>         ~  Michael Rasmussen
> _______________________________________________
> PLUG mailing list
> PLUG@lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
>
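
One way to see which certificate the server hands out for each name on the shared address, as an added example that is not part of the original thread: it sends each name as SNI, keeps chain validation on, and does the name check itself so a mismatch is reported instead of aborting the handshake. The function names and the sample certificate dict are assumptions made for illustration; the sample is constructed, not taken from the real server.

```python
import socket
import ssl

def name_matches(pattern, host):
    """RFC 6125-style match: '*' is accepted only as the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        # The wildcard stands for exactly one label in front of the rest.
        rest = h.split(".", 1)
        return len(rest) == 2 and rest[0] != "" and rest[1] == p[2:]
    return p == h

def cert_names(cert):
    """DNS names from a getpeercert() dict; CN is used only when there is no SAN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def cert_covers(cert, host):
    """True when any name in the certificate matches the requested host."""
    return any(name_matches(n, host) for n in cert_names(cert))

def probe(addr, host, port=443, timeout=10):
    """Connect to addr, send host as SNI, return (names in served cert, covers host?)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; the name check is done below
    with socket.create_connection((addr, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:  # server_hostname sets SNI
            cert = tls.getpeercert()
    return cert_names(cert), cert_covers(cert, host)

# Constructed sample in getpeercert() format, modelling the symptom in the post:
# the jamhome.us certificate being served for a saunter.us request.
SAMPLE_JAMHOME = {
    "subject": ((("commonName", "www.jamhome.us"),),),
    "subjectAltName": (("DNS", "www.jamhome.us"), ("DNS", "jamhome.us")),
}

if __name__ == "__main__":
    import sys
    addr = sys.argv[1]         # server address shared by the virtual hosts
    for host in sys.argv[2:]:  # each ServerName / ServerAlias to test
        names, ok = probe(addr, host)
        print(f"{host:24} {'OK' if ok else 'MISMATCH'}  cert names: {names}")
```

Run it with the server address followed by every ServerName and ServerAlias; a MISMATCH line shows which vhost's certificate was actually selected for that name.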