Re: [exim] Certificate name mismatch over VPN

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Heiko Schlittermann
Datum:  
To: exim-users
Alte Treads: Re: [exim] Certificate name mismatch over VPN
Betreff: Re: [exim] Certificate name mismatch over VPN
Probably a way too late :)

Alain D D Williams via Exim-users <exim-users@???> (Fr 30 Jul 2021 23:40:24 CEST):

> I do not think that I can do that here. The certificate is given to me by Let's
> Encrypt (le). Le verifies the (SNI) name by asking the agent to upload a nonce
> (a file with 86 random bytes) to where it can see it via a web server.
>
> Unfortunately mint-vpn.phcomp.co.uk should only be visible via the VPN so LE
> will not verify it and so not generate & sign a certificate that contains it.
>
> I suppose that I could hack Apache to allow an exception to
> /.well-known/acme-challenge/ from externally.


IMHO more elegant is to use LE's DNS challenge. The only precondition
is, that you need to own the DNS entry you want to have the certificate
for. (Actually you need write access to the `_acme-challenge.<your cert
name>`. DNS entry only once, if you drop there a CNAME to a writable DNS
entry.)

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -