On 7/31/21 11:19 PM, Jeremy Harris via Exim-users wrote:
> On 30/07/2021 22:40, Alain D D Williams via Exim-users wrote:
>> I do not think that I can do that here. The certificate is given to me by Let's
>> Encrypt (le). Le verifies the (SNI) name by asking the agent to upload a nonce
>> (a file with 86 random bytes) to where it can see it via a web server.
>>
>> Unfortunately mint-vpn.phcomp.co.uk should only be visible via the VPN so LE
>> will not verify it and so not generate & sign a certificate that contains it.
>
> Earlier you said you could generate a cert for mint-vpn.
> Now you say you're using LE certs, and your problem is that
> the public name visible to LE for their very step isn't the vpn one.
>
> I'm confused.


Maybe this snippet helps.
I use it to present different certs depending on the local IP / interface of
the current connection:

tls_certificate = ${if or { \
                                {match_ip{$received_ip_address}{10.10.10.1}} \
                                {match_ip{$received_ip_address}{<; fe80::250:56ff:fe83:3f6a}} \
                        }\
                        {/etc/pki/tls/certs/test.example.com.pem} \
                        {/etc/pki/tls/certs/foobar.example.com.pem} \
}
tls_privatekey = ${if or { \
                                {match_ip{$received_ip_address}{10.10.10.1}} \
                                {match_ip{$received_ip_address}{<; fe80::250:56ff:fe83:3f6a}} \
                        }\
                        {/etc/pki/tls/private/test.example.com.key} \
                        {/etc/pki/tls/private/foobar.example.com.key} \
}

Regards, Olaf



--
Karlsruher Institut für Technologie (KIT)
Steinbuch Centre for Computing (SCC)

Dipl.-Geophys. Olaf Hopp

Zirkel 2
Building 20.21, Room 316
76131 Karlsruhe

Phone: +49 721 608-48009
E-Mail: [email protected]
Web: www.scc.kit.edu

Registered office:
Kaiserstraße 12, 76131 Karlsruhe

KIT - The Research University in the Helmholtz Association
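
Added example, not part of Olaf's message or of Exim: a check that each local address really serves the certificate file the expansion above selects for it, by comparing the SHA-256 of the certificate presented over STARTTLS with the leaf certificate on disk. The "%eth0" zone, the stand-in address 192.0.2.25 for "any other interface", and port 25 are assumptions.

```python
import hashlib
import smtplib
import ssl

# Address -> certificate file, mirroring the tls_certificate expansion above.
# "%eth0" (zone for the link-local address) and 192.0.2.25 (a stand-in for
# any other listening address, which should get the fallback) are assumptions.
EXPECTED = {
    "10.10.10.1": "/etc/pki/tls/certs/test.example.com.pem",
    "fe80::250:56ff:fe83:3f6a%eth0": "/etc/pki/tls/certs/test.example.com.pem",
    "192.0.2.25": "/etc/pki/tls/certs/foobar.example.com.pem",
}
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def leaf_fingerprint(pem_text):
    """SHA-256 of the first certificate in a PEM file (the leaf in a chain)."""
    start = pem_text.index(BEGIN)
    stop = pem_text.index(END, start) + len(END)
    der = ssl.PEM_cert_to_DER_cert(pem_text[start:stop])
    return hashlib.sha256(der).hexdigest()

def served_fingerprint(host, port=25, timeout=10):
    """Do STARTTLS against host and hash the certificate the server presents."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # the fingerprint comparison replaces
    ctx.verify_mode = ssl.CERT_NONE  # chain validation in this check
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        der = smtp.sock.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()

def read_text(path):
    with open(path) as fh:
        return fh.read()

def audit(expected, probe=served_fingerprint, load=read_text):
    """Return the addresses whose served certificate is not the expected file."""
    return [addr for addr, path in expected.items()
            if probe(addr) != leaf_fingerprint(load(path))]

if __name__ == "__main__":
    bad = audit(EXPECTED)
    print("mismatched addresses:", bad or "none")
```

Because tls_certificate and tls_privatekey repeat the same condition, a mismatch reported here for one address is also a prompt to check that the two expansions have not drifted apart.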
