Re: [exim] Certificate name mismatch over VPN

Author: Alain D D Williams
Date:  
To: exim-users
New-Topics: Re: [exim] Certificate name mismatch over VPN
Subject: Re: [exim] Certificate name mismatch over VPN
On Fri, Jul 30, 2021 at 03:01:50PM -0400, Exim Users wrote:
> On Fri, Jul 30, 2021 at 07:29:33PM +0100, Alain D D Williams via Exim-users wrote:
>
> > I get this error in B's log, it is complaining that M's certificate is using
> > the public name, not the VPN name:
> >
> > [78.32.209.33] SSL verify error: certificate name mismatch: DN="/CN=freshmint.phcomp.co.uk" H="mint-vpn.phcomp.co.uk"
> >
> > I could generate a certificate that is for 'mint-vpn' without much problem.
> >
> > My question
> >
> > How do I get exim on M to present the 'mint-vpn' certificate to
> > connections that come over the VPN ?
>
> Exim supports SNI-based server certificate selection. Configure the
> appropriate certificate for each SNI name. Configure the VPN client
> to send SNI, and otherwise default to the public IP name.
Yes: that works on my machine B - which has several names, the certificate has
several SNI names in it.

I do not think that I can do that here. The certificate is given to me by Let's
Encrypt (LE). LE verifies the (SNI) name by asking the agent to upload a nonce
(a file with 86 random bytes) to where it can see it via a web server.

Unfortunately mint-vpn.phcomp.co.uk should only be visible via the VPN, so LE
will not verify it and so will not generate & sign a certificate that contains it.

I suppose that I could hack Apache to allow an exception to
/.well-known/acme-challenge/ from externally.

--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 https://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: https://www.phcomp.co.uk/Contact.html
#include <std_disclaimer.h>
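The SNI-based selection suggested in the quoted reply, written out as an Exim configuration fragment. This is an added example, not configuration posted by Alain or shipped with Exim. It assumes two certificate/key pairs already exist on M at the paths shown (one for the public name freshmint.phcomp.co.uk, one for the VPN name mint-vpn.phcomp.co.uk, however the latter was obtained), that B routes mail for a hypothetical domain `phcomp.co.uk` to M via the VPN name, and that B's transport is called `remote_smtp`; all of those names and paths are assumptions for illustration.

```conf
# ---- On M (the server): main configuration section ----
#
# When a client sends SNI, Exim sets $tls_in_sni and re-expands
# tls_certificate / tls_privatekey early in the handshake, so the
# certificate can be chosen per requested name. With no SNI, $tls_in_sni
# is empty and the public (freshmint) certificate is presented.
tls_advertise_hosts = *

tls_certificate = ${if eq{$tls_in_sni}{mint-vpn.phcomp.co.uk} \
                     {/etc/exim/certs/mint-vpn.phcomp.co.uk.fullchain.pem} \
                     {/etc/letsencrypt/live/freshmint.phcomp.co.uk/fullchain.pem}}

tls_privatekey  = ${if eq{$tls_in_sni}{mint-vpn.phcomp.co.uk} \
                     {/etc/exim/certs/mint-vpn.phcomp.co.uk.key} \
                     {/etc/letsencrypt/live/freshmint.phcomp.co.uk/privkey.pem}}

# ---- On B (the client): routers section ----
#
# Assumed router: send mail for the example domain to M over the VPN.
# The host name used here is what B verifies the certificate against,
# and (via tls_sni below) what B asks M for in SNI.
to_mint_over_vpn:
  driver = manualroute
  domains = phcomp.co.uk
  transport = remote_smtp
  route_list = * mint-vpn.phcomp.co.uk

# ---- On B (the client): transports section ----
remote_smtp:
  driver = smtp
  # Send the host we are connecting to as SNI so M can pick the
  # matching certificate. Without this M only ever sees the default.
  tls_sni = $host
  # Keep verification on: the presented certificate must chain to a
  # trusted CA and its name must match the host we connected to
  # (this is the check that produced the "certificate name mismatch").
  tls_verify_certificates = system
  tls_verify_cert_hostnames = *
```

The two halves belong together: without `tls_sni` on B, M's `$tls_in_sni` stays empty and the public certificate is presented regardless of what is configured on M, and B's hostname verification keeps failing exactly as in the logged error. After a reload, `exim -bP tls_certificate` on M shows the unexpanded expression, and a single test delivery from B logged with `+tls_sni` in `log_selector` confirms which name was requested.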