GetSSL and SAN certificates


#1

Looking at the documentation I think GetSSL works on a per host basis and can’t generate SAN certificates… but I could be misreading, is this correct?

And the apache config changes need to be done manually? Not an issue per se.


#2

the GetSSL page - https://github.com/srvrco/getssl is generally the best place to get specific help on it ( as with any client ). I often check on here though, so I’ll continue here :slight_smile:

You can specify SANS in the getssl.cfg file for the domain. The limit is 100 domains per certificate (and the domains don’t need to be related )

# Additional domains - this could be multiple domains / subdomains in a comma separated list
SANS=www.example.org,example.edu,example.net,example.org,www.example.com,www.example.edu,www.example.net

Correct, you would need to make the changes to apache manually.


#3

OK, so they don’t all have to be “xxample.xxx”? one could have
SANS=example.com,fred.net,bill.co.uk etc?


#4

correct,

(added text … just because there is a 20 char limit)


#5

OK, dumb question No. 2

What’s the Acme Challenge Location?

Sites here are stored in /var/www/html/example.com/
Though for instance there are some symlinks ie /var/www/html/example.net is a symlink to /var/www/html/example.com


#6

it’s basically your root directory for the domain with /.well-known/acme-challenge on the end usually. i.e. the place you would need to store a file for it to show up at your-domain.com/.well-known/acme-challenge/xxx in the browser

It doesn’t matter if you use the symlink or not, so in the example above it would be either
/var/www/html/example.com/.well-known/acme-challenge
or
/var/www/html/example.net/.well-known/acme-challenge
(since both go to the same place effectively).

You will need to have an ACL for every domain / SAN in your certificate.


#7

OK, but it doesn’t matter if the location is actually the same place after a symlink is followed?


#8

Nope, all that’s going to happen is Let’s Encrypt will try to access http://example.net/.well-known/acme-challenge/blahblah from somewhere out on the Internet and they need to find the content made by getssl to prove you control example.net, putting files in a directory is just one easy way to achieve that.
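The two posts above describe the mechanics: one challenge directory (ACL) per SAN, a token file dropped into it, and Let’s Encrypt fetching that file over plain HTTP. The script below is an added example, not code from getssl or from anyone in this thread. It builds a throwaway webroot in a temp directory (with example.net as a symlink to example.com, as in the question), maps each domain to its `.well-known/acme-challenge` directory, writes a probe token, and confirms the token is readable at the path the web server would resolve. The domain list, the `acl_for` mapping and the probe token names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from getssl or the thread): preflight for HTTP-01
# challenge directories. One challenge dir per SAN. Everything below lives in
# a temp dir, so it runs offline; swap ROOT for /var/www/html on a real host.

ROOT="$(mktemp -d)"
mkdir -p "$ROOT/example.com"
ln -s "$ROOT/example.com" "$ROOT/example.net"   # example.net is a symlink, as in the question

# Domains that will be in the certificate (constructed list).
DOMAINS="example.com example.net"

acl_for() {
    # Map a domain to its challenge directory: <docroot>/.well-known/acme-challenge
    printf '%s/%s/.well-known/acme-challenge\n' "$ROOT" "$1"
}

place_token() {
    # Create the challenge dir if needed and drop a token file into it,
    # which is what getssl does before asking Let's Encrypt to validate.
    dir="$(acl_for "$1")"
    mkdir -p "$dir" || return 1
    printf 'token-for-%s\n' "$1" > "$dir/$2"
}

token_visible() {
    # The file must be readable at the path the web server resolves for
    # http://<domain>/.well-known/acme-challenge/<token>.
    [ -r "$(acl_for "$1")/$2" ]
}

same_place() {
    # Two challenge dirs are "the same place" when they resolve to one physical path
    # (pwd -P follows the symlink), so a token written via either is served via both.
    [ "$(cd "$(acl_for "$1")" && pwd -P)" = "$(cd "$(acl_for "$2")" && pwd -P)" ]
}

preflight() {
    # Returns 0 when every domain's challenge dir accepts and exposes a probe token,
    # and prints the URL Let's Encrypt would fetch for each one.
    for d in $DOMAINS; do
        place_token "$d" "probe-$d" || { echo "cannot write in $(acl_for "$d")"; return 1; }
        token_visible "$d" "probe-$d" || { echo "token missing for $d"; return 1; }
        echo "OK $d -> http://$d/.well-known/acme-challenge/probe-$d"
    done
}

preflight
```

On a live server the last check worth adding is fetching each printed URL with `curl -fsS` from outside your network; if that returns the token, the validator will see it too, whether or not a symlink sits in the path.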


#9

OK, I think we’re cooking- Thanks guys.

I guess a “test” certificate from the staging server would produce the following in Firefox-

Your connection is not secure

The owner of holtain.net has configured their web site improperly. To protect your information from being stolen, Firefox has not connected to this web site.


#10

Yes - if you check who signed it, it will be “Fake Let’s Encrypt” or something similar. That means everything is set up / working nicely - so just change to the live LE server, and force the issuance of a new cert ( use the -f or --force option ).


#11

Just have a minor apache config issue to find before trying to go live.

Stopping httpd: [ OK ]
Starting httpd: [Fri Nov 25 16:38:11 2016] [warn] default VirtualHost overlap on port 443, the first has precedence
[ OK ]


#12

That looks like something in your edit of the apache config. I’d do a grep for 443 in all the configs, and see where you have the ones for “default” rather than a specific domain name.


#13

A missing-
NameVirtualHost *:443

:slight_smile:


#14

Not quite :frowning:
Seems apache is serving the certificate defined in ssl.conf and not the specific one in the domain’s conf-

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

If I cheat and change this default to listen on port 444 then the correct certificate is served.
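Posts #11 to #14 are the classic Apache 2.2 symptom: a `_default_:443` block in ssl.conf serving localhost.crt, a per-domain `*:443` block, and no `NameVirtualHost *:443` to make Apache pick between them by ServerName. The script below is an added diagnostic, not something from this thread or from the getssl project; it does the grep suggested in #12 in a structured way. It writes two constructed config files into a temp dir (a default ssl.conf and an example.com vhost; the paths under /etc/ssl/example.com are made up), then reports whether NameVirtualHost is declared and which certificate each 443 vhost serves.

```shell
#!/bin/sh
# Added example (not from the thread): inventory the port-443 VirtualHosts in
# an Apache 2.2 config tree and surface what is behind the
# "default VirtualHost overlap on port 443" warning. The config files are
# constructed here; point CONFDIR at /etc/httpd/conf.d on a real host.

CONFDIR="$(mktemp -d)"
cat > "$CONFDIR/ssl.conf" <<'EOF'
Listen 443
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
EOF
cat > "$CONFDIR/example.com.conf" <<'EOF'
<VirtualHost *:443>
    ServerName example.com
    ServerAlias example.net
    SSLEngine on
    SSLCertificateFile /etc/ssl/example.com/fullchain.crt
    SSLCertificateKeyFile /etc/ssl/example.com/privkey.key
</VirtualHost>
EOF

has_namevirtualhost() {
    # Apache 2.2 only selects a vhost by ServerName on an address:port that is
    # declared with NameVirtualHost; without it the first 443 block wins for all names.
    grep -qE '^[ \t]*NameVirtualHost[ \t]+\*:443' "$CONFDIR"/*.conf
}

list_ssl_vhosts() {
    # One line per <VirtualHost ...:443>: file:address ServerName SSLCertificateFile
    awk '
      /<VirtualHost[ \t]+[^>]*:443>/ { inv=1; addr=$2; sub(/>.*/, "", addr); name="(none)"; cert="(none)" }
      inv && $1 == "ServerName"         { name=$2 }
      inv && $1 == "SSLCertificateFile" { cert=$2 }
      inv && /<\/VirtualHost>/          { print FILENAME ":" addr " " name " " cert; inv=0 }
    ' "$CONFDIR"/*.conf
}

count_ssl_vhosts() {
    # Number of 443 vhosts found across all config files.
    list_ssl_vhosts | wc -l | tr -d ' '
}

default_cert() {
    # Certificate of the _default_:443 block, i.e. what a client gets when no
    # ServerName matches (or when NameVirtualHost is missing).
    list_ssl_vhosts | awk '$1 ~ /:_default_:443$/ { print $3 }'
}

report() {
    if has_namevirtualhost; then
        echo "NameVirtualHost *:443 present"
    else
        echo "NameVirtualHost *:443 missing: every 443 vhost overlaps the default one"
    fi
    list_ssl_vhosts
}

report
```

Run against a real config tree, the report shows at a glance whether the localhost.crt block is the one answering for your domain; on Apache 2.4 the NameVirtualHost line is no longer needed (the directive was removed), and name-based selection on 443 relies on SNI instead.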


#15

can you paste your complete ssl.conf and domain conf ( for apache ) at pastebin.com (or somewhere else where I can see the raw file easily ). This forum formats some of it (alternatively enclose here in 3 backticks on the line before and the line after the paste ).


#16

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.