
Re^3: Certificate confusion (was: Clear text passwords)

by LanX (Saint)
on Jun 08, 2018 at 00:50 UTC


in reply to Re^2: All my links turned red (was: Clear text passwords)
in thread Clear text passwords

It's confusing: I sometimes get the *.pairsite.com certificate for https://perlmonks.org/, which I have to accept manually.

Since I remember that we are using at least two servers for load balancing, my first guess is that one of the apaches has the wrong cert-file in place.

For me:

all other combinations I tried required a manual exception.

update

Forgot to test *.perlmonks.net with Firefox, but they seem to work fine with my mobile browser.

Cheers Rolf
(addicted to the Perl Programming Language :)
Wikisyntax for the Monastery

Replies are listed 'Best First'.
Re^4: Certificate confusion (was: Clear text passwords)
by trippledubs (Deacon) on Jun 08, 2018 at 06:17 UTC
    dig shows 3 IPs being round robin'd (robinned?). The Let's Encrypt SAN cert works on (www\.)?perlmonks\.(org)|(com)|(net), but the pairsite wildcard cert will only work on the pairsite domain, one subdomain deep. So www.perlmonks.pairsite.com will not work, authentication wise, with either cert. 3 Servers, 8 urls, 2 certs, one of which expires every 90 days, not the most enjoyable way to spend free time, I'm sure.

      Interestingly, it looks like it has been set up correctly on 2 of the 3 servers

      $ host www.perlmonks.org
      www.perlmonks.org is an alias for perlmonks.org.
      perlmonks.org has address 209.197.123.153
      perlmonks.org has address 66.39.54.27
      perlmonks.org has address 216.92.34.251
      $ openssl s_client -showcerts -servername www.perlmonks.org -connect 209.197.123.153:443 </dev/null 2>&1| grep subject
      subject=/C=US/postalCode=15203/ST=Pennsylvania/L=Pittsburgh/street=Suite 510/street=2403 Sidney Street/O=pair Networks, Inc./OU=Provided by pair Networks/OU=PairWildcardSSL $250,000/CN=*.pairsite.com
      $ openssl s_client -showcerts -servername www.perlmonks.org -connect 66.39.54.27:443 </dev/null 2>&1| grep subject
      subject=/CN=perlmonks.org
      $ openssl s_client -showcerts -servername www.perlmonks.org -connect 216.92.34.251:443 </dev/null 2>&1| grep subject
      subject=/CN=perlmonks.org

      There is more than one way to set up Apache to rewrite and find the cert.

      I'm sure the admins will find a stable way.

      The short term certificate is surely only meant for testing.

        The short term certificate is surely only meant for testing.

        Nope, that's how Let's Encrypt certs work. Why 90 days?
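
Added example, not part of any post in this thread: a small offline model of the check discussed above, showing which round-robin backend produces a name mismatch for which host name and why the wildcard certificate is only valid one subdomain deep. The SAN list and the helper names (`name_matches`, `cert_covers`, `audit`) are assumptions built from the posts' descriptions; nothing is fetched from the servers.

```python
# Added example: offline model of the per-backend certificate check from the thread.
# The name lists are constructed from the posts, not fetched from the servers.

def name_matches(pattern, host):
    """Match a certificate name against a host name.

    A '*' is honoured only as the entire leftmost label and stands for
    exactly one label, so '*.pairsite.com' is one subdomain deep.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False                      # a wildcard never spans several labels
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers(cert_names, host):
    return any(name_matches(n, host) for n in cert_names)


def audit(backends, hosts):
    """Return {host: [backend IPs whose certificate does not cover host]}."""
    return {
        host: [ip for ip, names in backends.items() if not cert_covers(names, host)]
        for host in hosts
    }


# Assumed SAN list, expanded from the (www\.)?perlmonks\.(org)|(com)|(net) description.
LE_SAN = [w + "perlmonks." + tld for tld in ("org", "com", "net") for w in ("", "www.")]

# Backend IPs and the certificate each one served, per the openssl output in the thread.
BACKENDS = {
    "209.197.123.153": ["*.pairsite.com"],
    "66.39.54.27": LE_SAN,
    "216.92.34.251": LE_SAN,
}

HOSTS = ["www.perlmonks.org", "perlmonks.pairsite.com", "www.perlmonks.pairsite.com"]

if __name__ == "__main__":
    for host, bad in audit(BACKENDS, HOSTS).items():
        print(f"{host}: " + (f"name mismatch on {', '.join(bad)}" if bad else "ok on all backends"))
```
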
