On 7/31/21 11:19 PM, Jeremy Harris via Exim-users wrote:
> On 30/07/2021 22:40, Alain D D Williams via Exim-users wrote:
>> I do not think that I can do that here. The certificate is given to me by Let's
>> Encrypt (le). Le verifies the (SNI) name by asking the agent to upload a nonce
>> (a file with 86 random bytes) to where it can see it via a web server.
>>
>> Unfortunately mint-vpn.phcomp.co.uk should only be visible via the VPN so LE
>> will not verify it and so not generate & sign a certificate that contains it.
>
> Earlier you said you could generate a cert for mint-vpn.
> Now you say you're using LE certs, and your problem is that
> the public name visible to LE for their verify step isn't the vpn one.
>
> I'm confused.
>
Maybe this snippet helps.
I use it to present different certs depending on the local IP / interface of the current connection:
# Connections arriving on 10.10.10.1 or on the fe80:: link-local address get
# the test.example.com certificate; everything else gets foobar.example.com.
# The "<;" prefix switches the list separator from ":" to ";" so that the
# colons inside the IPv6 address are not read as list separators.
tls_certificate = ${if or { \
        {match_ip{$received_ip_address}{10.10.10.1}} \
        {match_ip{$received_ip_address}{<; fe80::250:56ff:fe83:3f6a}} \
    } \
    {/etc/pki/tls/certs/test.example.com.pem} \
    {/etc/pki/tls/certs/foobar.example.com.pem} \
}
tls_privatekey = ${if or { \
        {match_ip{$received_ip_address}{10.10.10.1}} \
        {match_ip{$received_ip_address}{<; fe80::250:56ff:fe83:3f6a}} \
    } \
    {/etc/pki/tls/private/test.example.com.key} \
    {/etc/pki/tls/private/foobar.example.com.key} \
}
Regards, Olaf
--
Karlsruher Institut für Technologie (KIT)
Steinbuch Centre for Computing (SCC)
Dipl.-Geophys. Olaf Hopp
Zirkel 2
Building 20.21, Room 316
76131 Karlsruhe
Phone: +49 721 608-48009
E-Mail: Olaf.Hopp@???
Web: www.scc.kit.edu
Registered office: Kaiserstraße 12, 76131 Karlsruhe
KIT - The Research University in the Helmholtz Association
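The snippet above keys the certificate on the local address the client connected to. Since the thread is about the SNI name, here is an added example (not from Olaf's post and not Exim's own configuration) that keys it on the client-supplied SNI instead, with the check a practitioner wants: $tls_in_sni is attacker-controlled input, so it must not be pasted into a file path unchecked. The directory names, host names and the use of the dsearch lookup (which needs LOOKUP_DSEARCH compiled in) are assumptions.

```exim
# Added example, not Olaf's snippet and not Exim project configuration.
# Select the server certificate by the SNI name the client sent.
# Paths and host names below are assumptions.
#
# Unsafe variant: the client chooses part of the file name, so any path
# under the certs directory can be requested.
#   tls_certificate = /etc/pki/tls/certs/$tls_in_sni.pem
#
# Hardened variant: only a plain host name is accepted, and only when a
# certificate for exactly that name exists.  The dsearch lookup succeeds
# only for an existing entry in the given directory, and the regex keeps
# "/" and anything else that is not a host-name character out.  Everything
# else, including an empty SNI, falls through to the default certificate.

tls_certificate = ${if and { \
        {!eq{$tls_in_sni}{}} \
        {match{$tls_in_sni}{\N^[A-Za-z0-9.-]+$\N}} \
    } \
    {${lookup{${tls_in_sni}.pem}dsearch{/etc/pki/tls/certs} \
        {/etc/pki/tls/certs/$value} \
        {/etc/pki/tls/certs/foobar.example.com.pem} }} \
    {/etc/pki/tls/certs/foobar.example.com.pem} }

# Same validation for the key: the key file is only used when the matching
# certificate file was found, so the name is known to be clean.
tls_privatekey = ${if and { \
        {!eq{$tls_in_sni}{}} \
        {match{$tls_in_sni}{\N^[A-Za-z0-9.-]+$\N}} \
    } \
    {${lookup{${tls_in_sni}.pem}dsearch{/etc/pki/tls/certs} \
        {/etc/pki/tls/private/${tls_in_sni}.key} \
        {/etc/pki/tls/private/foobar.example.com.key} }} \
    {/etc/pki/tls/private/foobar.example.com.key} }

# Record the SNI each client sent, so a wrong certificate can be traced to
# the requested name rather than guessed from the connecting address.
log_selector = +tls_sni
```

Because the expansion refers to $tls_in_sni, Exim re-expands tls_certificate and tls_privatekey once the client's SNI has arrived rather than at connection time. Which certificate a given name actually gets can be checked from outside with `openssl s_client -starttls smtp -connect <host>:25 -servername <name>` and comparing the subject in the output against the expected file. The two approaches are not exclusive: the or{} over $received_ip_address from Olaf's snippet can be wrapped around this one for hosts that must keep a separate certificate on a VPN-only address.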