Certificate returned is the same for all subdomains


#1

Hello,

Today, I tried to make certificates for my server's subdomains.
I have 4 subdomains: chat, issues, confluence, repositories

For each subdomain, I run this command:
letsencrypt certonly --agree-tos --rsa-key-size 4096 -m webmaster@osames.org -d <DOMAIN>.osames.org --renew-by-default

In Apache 2.4, each virtual host contains:
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/<DOMAIN>.osames.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/<DOMAIN>.osames.org/privkey.pem
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on

But if I use portecle (a Java app) to check the SSL/TLS connection, the response for chat.osames.org and issues.osames.org is the certificate for confluence.osames.org
(here picture: http://i.imgur.com/TjmdzAh.png)

How do I make the certificate returned for each subdomain match the one requested?

Thanks


#2

There is something odd with the way you are testing, I suspect. For me all look OK…

user@serverco:~$ certinfo confluence.osames.org  
getting cert from server - confluence.osames.org

Certificate chain
 0 s:/CN=confluence.osames.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Certificate:
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Not Before: Feb 15 15:33:00 2017 GMT
Not After : May 16 15:33:00 2017 GMT
Subject: CN=confluence.osames.org
Public Key Algorithm: rsaEncryption
DNS:confluence.osames.org


user@serverco:~$ certinfo issues.osames.org  
getting cert from server - issues.osames.org

Certificate chain
 0 s:/CN=issues.osames.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Certificate:
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Not Before: Feb 15 15:32:00 2017 GMT
Not After : May 16 15:32:00 2017 GMT
Subject: CN=issues.osames.org
Public Key Algorithm: rsaEncryption
DNS:issues.osames.org


user@serverco:~$ certinfo chat.osames.org  
getting cert from server - chat.osames.org

Certificate chain
 0 s:/CN=chat.osames.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Certificate:
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Not Before: Feb 15 15:33:00 2017 GMT
Not After : May 16 15:33:00 2017 GMT
Subject: CN=chat.osames.org
Public Key Algorithm: rsaEncryption
DNS:chat.osames.org

#3

This seems to indicate that portecle does not support SNI prior to version 1.10 (released 2016-02-04). Without SNI, you’re effectively limited to one certificate per IP address.

SNI support is pretty good nowadays. If you really need to use software that does not support SNI, you can instead obtain one certificate that covers all your domain names (often called a multi-SAN certificate). You can do that by simply passing multiple -d arguments to the client, i.e. -d confluence.osames.org -d issues.osames.org ..., or alternatively get additional IP addresses and use one per certificate.


#4

I’d agree - the odd thing is if you check the IP (without SNI) then the cert is for cloud.osames.org


#5

OK, I tested with KeyExplorer and it's correct.

I see with Atlassian why I have an error:
2017-02-15 18:05:03,272 http-bio-8443-exec-4 ERROR anonymous 1085x566x1 - 213.47.56.124,0:0:0:0:0:0:0:1 / [c.a.g.r.internal.http.HttpClientFetcher] Unable to perform a request to: https://issues.osames.org/rest/gadgets/1.0/g/messagebundle/und/gadget.common%2Cgadget.project javax.net.ssl.SSLPeerUnverifiedException: Host name 'issues.osames.org' does not match the certificate subject provided by the peer (CN=cloud.osames.org)

Because I verified my Java keystore and it has the right information.

Thanks.
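To reproduce both checks from this thread without portecle or KeyExplorer, namely the probe post #3 describes (which certificate the server presents with and without SNI) and the hostname check behind the Java SSLPeerUnverifiedException in post #5, here is an added Python example. It is not code from the original posts, from Let's Encrypt, or from any of the tools mentioned. It assumes an OpenSSL 1.1.1 or newer `openssl` binary on PATH (needed for `s_client -noservername` and `x509 -ext`); the sample `openssl x509` output at the bottom is constructed from the names in this thread so that the parsing and name-matching parts run offline, and only `main()` touches the network.

```python
"""Probe which certificate a TLS server presents with and without SNI, and
check whether that certificate's names cover the requested hostname.

Added example for this thread; not code from the original posts, Let's
Encrypt, portecle or KeyExplorer. Assumes an OpenSSL >= 1.1.1 `openssl`
binary on PATH (needed for `s_client -noservername` and `x509 -ext`).
"""
import re
import subprocess


def openssl_x509_text(host, port=443, sni=True, timeout=10):
    """Fetch the leaf certificate with `openssl s_client` and return the
    subject and subjectAltName lines as printed by `openssl x509`.

    OpenSSL 1.1.1+ sends SNI by default, so the no-SNI case needs
    -noservername explicitly. A ClientHello without server_name is what a
    pre-1.10 portecle sends; Apache then answers with the certificate of
    the default (first) virtual host for that IP:port.
    """
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}"]
    cmd += ["-servername", host] if sni else ["-noservername"]
    # Empty stdin makes s_client exit right after the handshake.
    pem = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout).stdout
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-ext", "subjectAltName"],
        input=pem, capture_output=True, timeout=timeout, check=True,
    )
    return x509.stdout.decode()


def parse_names(x509_text):
    """Return (cn, [dns_names]) from `openssl x509 -subject -ext subjectAltName`
    output; handles both the 'CN = x' and the older '/CN=x' subject styles."""
    m = re.search(r"CN\s*=\s*([^,/\n]+)", x509_text)
    cn = m.group(1).strip() if m else None
    dns_names = re.findall(r"DNS:([^,\s]+)", x509_text)
    return cn, dns_names


def _name_matches(pattern, host):
    """RFC 6125 style comparison of one certificate name against a host."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    plabels, hlabels = pattern.split("."), host.split(".")
    # A wildcard must be the whole leftmost label, must leave at least two
    # fixed labels, and matches exactly one label (never across dots).
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def hostname_matches(host, dns_names, cn=None):
    """True if the certificate covers `host`. DNS SANs, when present, are
    authoritative and the CN is ignored; the CN is only a fallback for
    legacy certificates with no SAN at all (Let's Encrypt always sets one)."""
    if dns_names:
        return any(_name_matches(n, host) for n in dns_names)
    return cn is not None and _name_matches(cn, host)


def check_host(host, port=443):
    """Return {'sni': bool, 'no_sni': bool}: does the certificate presented
    with / without SNI cover `host`? Needs network access."""
    result = {}
    for label, sni in (("sni", True), ("no_sni", False)):
        cn, dns_names = parse_names(openssl_x509_text(host, port, sni=sni))
        result[label] = hostname_matches(host, dns_names, cn)
    return result


# Constructed `openssl x509` output modelled on the names in this thread.
SAMPLE_WITH_SNI = (
    "subject=CN = issues.osames.org\n"
    "X509v3 extensions:\n"
    "    X509v3 Subject Alternative Name: \n"
    "        DNS:issues.osames.org\n"
)
SAMPLE_WITHOUT_SNI = (
    "subject=CN = cloud.osames.org\n"
    "X509v3 extensions:\n"
    "    X509v3 Subject Alternative Name: \n"
    "        DNS:cloud.osames.org\n"
)


def main():
    for sub in ("chat", "issues", "confluence", "repositories"):
        host = f"{sub}.osames.org"
        try:
            print(host, check_host(host))
        except (subprocess.CalledProcessError, subprocess.TimeoutExpired) as exc:
            print(host, "probe failed:", exc)


if __name__ == "__main__":
    main()
```

Running it directly probes the four hostnames from post #1. A result of `'sni': True, 'no_sni': False` for a host is exactly the situation described in posts #3 and #4: a client that sends SNI gets the right certificate, while a client without SNI gets the default virtual host's certificate, and the hostname check that Java performed in post #5 then fails. For Apache the remedies are the ones post #3 lists: one multi-SAN certificate covering all names (multiple `-d` arguments) or a separate IP address per certificate.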

