Re: [exim] Certificate name mismatch over VPN

Góra strony
Delete this message
Reply to this message
Autor: Heiko Schlittermann
Data:  
Dla: exim-users
Stare tematy: Re: [exim] Certificate name mismatch over VPN
Temat: Re: [exim] Certificate name mismatch over VPN
Probably a way too late :)

Alain D D Williams via Exim-users <exim-users@???> (Fr 30 Jul 2021 23:40:24 CEST):

> I do not think that I can do that here. The certificate is given to me by Let's
> Encrypt (le). Le verifies the (SNI) name by asking the agent to upload a nonce
> (a file with 86 random bytes) to where it can see it via a web server.
>
> Unfortunately mint-vpn.phcomp.co.uk should only be visible via the VPN so LE
> will not verify it and so not generate & sign a certificate that contains it.
>
> I suppose that I could hack Apache to allow an exception to
> /.well-known/acme-challenge/ from externally.


IMHO more elegant is to use LE's DNS challenge. The only precondition
is, that you need to own the DNS entry you want to have the certificate
for. (Actually you need write access to the `_acme-challenge.<your cert
name>`. DNS entry only once, if you drop there a CNAME to a writable DNS
entry.)

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -