Re: [exim] Certificate name mismatch over VPN

Author: Olaf Hopp (SCC)
Date:  
To: exim-users
Subject: Re: [exim] Certificate name mismatch over VPN
On 7/31/21 11:19 PM, Jeremy Harris via Exim-users wrote:
> On 30/07/2021 22:40, Alain D D Williams via Exim-users wrote:
>> I do not think that I can do that here. The certificate is given to me by Let's
>> Encrypt (le). Le verifies the (SNI) name by asking the agent to upload a nonce
>> (a file with 86 random bytes) to where it can see it via a web server.
>>
>> Unfortunately mint-vpn.phcomp.co.uk should only be visible via the VPN so LE
>> will not verify it and so not generate & sign a certificate that contains it.
>
> Earlier you said you could generate a cert for mint-vpn.
> Now you say you're using LE certs, and your problem is that
> the public name visible to LE for their very step isn't the vpn one.
>
> I'm confused.
>


Maybe this snippet helps.
I use it to present different certs depending on the local IP / interface of the current connection:

tls_certificate = ${if or { \
                                 {match_ip{$received_ip_address}{10.10.10.1}} \
                                 {match_ip{$received_ip_address}{<; fe80::250:56ff:fe83:3f6a}} \
                         }\
                         {/etc/pki/tls/certs/test.example.com.pem} \
                         {/etc/pki/tls/certs/foobar.example.com.pem} \
}
tls_privatekey = ${if or { \
                                 {match_ip{$received_ip_address}{10.10.10.1}} \
                                 {match_ip{$received_ip_address}{<; fe80::250:56ff:fe83:3f6a}} \
                         }\
                         {/etc/pki/tls/private/test.example.com.key} \
                         {/etc/pki/tls/private/foobar.example.com.key} \
}


Regards, Olaf



--
Karlsruher Institut für Technologie (KIT)
Steinbuch Centre for Computing (SCC)

Dipl.-Geophys. Olaf Hopp

Zirkel 2
Gebäude 20.21, Raum 316
76131 Karlsruhe

Phone: +49 721 608-48009
E-Mail: Olaf.Hopp@???
Web: www.scc.kit.edu

Registered office:
Kaiserstraße 12, 76131 Karlsruhe

KIT - The Research University in the Helmholtz Association
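
A post-deployment check for the per-interface certificate selection in the message above, added here as an example (it is not part of the original post or of Exim): it asks each local address for its certificate and tests whether the SAN list covers the name clients will use. It assumes STARTTLS on port 25, OpenSSL 1.1.1 or later, and that each certificate carries the name its filename suggests; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: which certificate does each local address present?
# Addresses and names are the placeholders from the posted snippet.

# san_covers NAME SAN_TEXT
# Succeeds if NAME matches a DNS entry in the text printed by
# `openssl x509 -noout -ext subjectAltName`. A "*." wildcard stands for
# exactly one leftmost label. Runs in a subshell so `set -f` stays local.
san_covers() (
    set -f                                   # no globbing of "*.example.com"
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    for entry in $(printf '%s\n' "$2" | tr 'A-Z,' 'a-z '); do
        case $entry in
            dns:*) pattern=${entry#dns:} ;;
            *) continue ;;                   # header words, IP entries, ...
        esac
        case $pattern in
            "*."*)
                suffix=${pattern#\*}         # e.g. ".example.com"
                left=${name%"$suffix"}       # unchanged if suffix is absent
                case $left in
                    "$name"|''|*.*) ;;       # no match, or more than one label
                    *) return 0 ;;
                esac ;;
            *) if [ "$pattern" = "$name" ]; then return 0; fi ;;
        esac
    done
    return 1
)

# presented_san IP NAME: print the SAN list served on IP (needs network).
presented_san() {
    openssl s_client -starttls smtp -connect "$1:25" -servername "$2" \
        </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName
}

# check_listener IP NAME: report whether the certificate on IP covers NAME.
check_listener() {
    if san_covers "$2" "$(presented_san "$1" "$2")"; then
        echo "ok: $1 presents a certificate valid for $2"
    else
        echo "MISMATCH: $1 does not present a certificate for $2"
        return 1
    fi
}

# Usage, from a host that can reach the address (assumed name mapping):
#   check_listener 10.10.10.1 test.example.com
```

Run `check_listener` once per listening address; a MISMATCH on the VPN-side address means the `$received_ip_address` condition is not selecting the certificate you expect there.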