I am using a SAN certificate to provide support for Android 2 and Windows XP. I was already using a Comodo certificate and it was working nicely. I tried to switch to LE but now I am getting an error about an incorrect domain name (screenshot - https://db.tt/T8OseNpg)
Server config is the same (I used certonly and installed the certificate manually) and when I decode the old (Comodo) and new (LE) certificates, I can't see any difference (except for signature etc.).
The browser is getting the correct certificate, but it is ignoring the alternative domains.
Any ideas what I am doing wrong? Live example: https://www.jadi.cz (only without SNI - modern browsers are getting a different certificate)
Could you show a screenshot of your browser showing the correct cert, including the SAN?
Because you say that the browser is getting the correct one…
I don't have such old stuff to test it myself.
Hmm… now the question is: does IE8 on XP even recognize SAN?
WinXP is quite some old stuff and, similar to Android 2, it's going down, slowly, but for sure.
According to the Android stats there's like 4% of Android devices active with <4.0
Believe Cloudflare does that? BoringSSL supports equal-preference SSL ciphers/SSL certs, but not many web servers use BoringSSL as opposed to OpenSSL or LibreSSL.
The Wikimedia Foundation has patched Nginx for multiple SSL certificate support, see Multiple certificate support revisited. So hoping Nginx would merge such patches eventually
We've forward-ported Filipe's Apr 27 variant onto Debian's 1.9.3-1 package. Most of the porting was trivial (offsets / whitespace / etc). There were a couple of slightly more substantial issues around the newer OCSP Stapling valid-timestamp checking, and the porting of the general multi-cert work to the newer stream modules. The ported/updated variant of the patches we're running is available here in our repo:
Our configuration uses a pair of otherwise-identical RSA and ECDSA keys and an external OCSP ssl_stapling_file (certs are from GlobalSign, chain/OCSP info is identical in the pair). Our typical relevant config fragment in the server section looks like this:
SSL Labs reports 2 IPs on Amazon EC2 for https://www.jadi.cz/; 1 IP covers the non-www and www versions, but the other IP only covers the www version of the domain without non-www coverage
I copied your certificate to My Computer (WinXP SP3).
Then it displays something like this:
The meaning is: "The name of the certificate is invalid; this name is not included in the Allow list or is directly excluded."
However, there is no problem on a Win7 system.
This may be because the operating system does not support it.
Feels like a problem with the interpretation of Name Constraints in Windows XP…
Just found a blog post about it… https://unmitigatedrisk.com/?p=201
So… I am not sure if we need to reissue a new Root Cert if we need to support XP…
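Since the thread ends up at "decode both certificates, the SANs look the same, and the failure is how XP interprets Name Constraints", here is an added worked example (my code, not anything from the original poster, Let's Encrypt or Wikimedia) showing what a strict RFC 5280 validator actually does with those two extensions: it decodes the DER body of a subjectAltName and of a nameConstraints extension and then checks each dNSName in the SAN against the excluded/permitted subtrees. The extension bytes are constructed inline (the hostnames mirror the thread's domain, the `.mil` exclusion is just a sample) and every function name is mine; with a real certificate you would feed it the extension values that `openssl x509 -text` prints for the leaf and for the issuing intermediate.

```python
# Added example (not from the thread): decode the DER bodies of an X.509
# subjectAltName (OID 2.5.29.17) and nameConstraints (OID 2.5.29.30) extension
# and apply the RFC 5280 section 4.2.1.10 dNSName matching rule, to see which
# SAN entries a strict validator would accept.  All sample bytes are constructed.


def der_encode(tag, value):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def der_read_tlv(data, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at data[pos]."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = der_read_tlv(value, pos)
        yield tag, val


def dns_name(name):
    """GeneralName dNSName is context tag [2] (0x82) carrying an IA5String."""
    return der_encode(0x82, name.encode("ascii"))


def dns_names_in(value):
    """dNSName entries of a GeneralNames or GeneralSubtree body; other name types are ignored."""
    return [val.decode("ascii") for tag, val in der_children(value) if tag == 0x82]


def parse_san(ext_value):
    """SubjectAltName ::= GeneralNames (SEQUENCE OF GeneralName)."""
    tag, seq, _ = der_read_tlv(ext_value)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    return dns_names_in(seq)


def parse_name_constraints(ext_value):
    """NameConstraints ::= SEQUENCE { permittedSubtrees [0], excludedSubtrees [1] },
    each a SEQUENCE OF GeneralSubtree { base GeneralName, minimum [0], maximum [1] }."""
    _, seq, _ = der_read_tlv(ext_value)
    permitted, excluded = [], []
    for tag, subtrees in der_children(seq):
        target = permitted if tag == 0xA0 else excluded
        for _, subtree in der_children(subtrees):    # each GeneralSubtree is a SEQUENCE
            target.extend(dns_names_in(subtree))     # minimum/maximum ([0]/[1]) are skipped
    return permitted, excluded


def dns_matches(name, base):
    """RFC 5280: constraint 'example.com' covers example.com and every label under it."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return name == base or name.endswith("." + base)


def check_san(san_names, permitted, excluded):
    """Map each SAN dNSName to True if the constraints allow it: it must match no
    excluded subtree and, when permittedSubtrees is present, at least one permitted one."""
    verdict = {}
    for n in san_names:
        ok = not any(dns_matches(n, b) for b in excluded)
        if permitted:
            ok = ok and any(dns_matches(n, b) for b in permitted)
        verdict[n] = ok
    return verdict


# Constructed sample: a SAN listing the thread's two hostnames plus one host
# under .mil, and an issuing CA whose nameConstraints excludes the whole mil subtree.
SAMPLE_SAN = der_encode(0x30, dns_name("jadi.cz") + dns_name("www.jadi.cz") + dns_name("host.army.mil"))
SAMPLE_NC = der_encode(0x30, der_encode(0xA1, der_encode(0x30, dns_name("mil"))))


def demo():
    san = parse_san(SAMPLE_SAN)
    permitted, excluded = parse_name_constraints(SAMPLE_NC)
    return check_san(san, permitted, excluded)


if __name__ == "__main__":
    for host, ok in demo().items():
        print(f"{host:16} {'allowed' if ok else 'REJECTED by name constraints'}")
```

The point for the thread: a compliant validator accepts `jadi.cz` and `www.jadi.cz` here because they sit outside the excluded subtree, so a client that still reports "name not in the allow list or directly excluded" for such a SAN is applying the constraints differently from RFC 5280, which is the behaviour the linked post attributes to Windows XP.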