Did you add the CA chain cert to domaina.pem? Also, the order may be important. I make them:

1. key
2. cert
3. chain-auth-cert

That order seems to work. My organization uses Comodo certs. This worked on 2.6, although I went to 2.7 because it handles multiple UCC certs. 2.6 did not, I found.

-R

-------- Original message --------
From: Filidor Wiese
Date: 22/08/2014 19:54 (GMT+10:00)
To: [email protected]
Subject: [Pound Mailing List] Pound SNI and SAN matching

Hi again!

So I've successfully set up Pound to serve SSL for several domains using multiple certs (SNI). However, I'm still faced with one problem.

For a domain, let's call it domaina.com, I have installed a basic Comodo EssentialSSL certificate on the common name www.domaina.com. As a service, Comodo adds the naked domain, domaina.com, as a Subject Alternative Name (SAN) to the certificate.

Pound, however, doesn't seem to recognize this naked domain when matching an incoming request and instead serves out the first certificate defined.

I've triple-checked the certificate and it shows both domaina.com as well as www.domaina.com.

My config:

ListenHTTPS
    Address my-public-ip
    Port 443
    RewriteLocation 0
    xHTTP 0
    Cert "/etc/pound/ca/domainb.pem"
    Cert "/etc/pound/ca/domainc.pem"
    Cert "/etc/pound/ca/domaina.pem"
    Service
        Backend
            Address 127.0.0.1
            Port 8080
        End
    End
End

Using Pound version 2.6-2 on Debian Wheezy.

Does anyone have any idea what could be wrong?

Thanks in advance,
Filidor Wiese
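The file layout suggested in the reply (key, then cert, then CA chain cert) can be checked before a bundle such as domaina.pem is loaded. This is an added example, not part of the original thread or of Pound; the function names and sample PEM bodies are constructed, and the check reads only PEM block labels, so it cannot tell which certificate is the server's.

```python
import re

# One PEM block; group 1 is the label, e.g. "CERTIFICATE" or "RSA PRIVATE KEY".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def pem_labels(text):
    """Return the labels of all complete PEM blocks, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def check_bundle(text):
    """Return a list of problems with a key + cert + chain bundle ([] means OK)."""
    labels = pem_labels(text)
    keys = [i for i, l in enumerate(labels) if l.endswith("PRIVATE KEY")]
    certs = [i for i, l in enumerate(labels) if l == "CERTIFICATE"]
    other = [l for l in labels
             if l != "CERTIFICATE" and not l.endswith("PRIVATE KEY")]
    problems = []
    if len(keys) != 1:
        problems.append(f"expected exactly 1 private key, found {len(keys)}")
    elif keys[0] != 0:
        problems.append("private key is not the first block")
    if not certs:
        problems.append("no certificate block")
    elif len(certs) == 1:
        problems.append("only one certificate present; CA chain cert missing")
    if other:
        problems.append("unexpected blocks: " + ", ".join(other))
    # A BEGIN line that never closes means a truncated or hand-edited file.
    if text.count("-----BEGIN ") != len(labels):
        problems.append("a BEGIN line has no matching END")
    return problems

def _block(label, body="QUJDRA=="):
    """Build a constructed PEM block (placeholder body, not a real key or cert)."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed sample bundles.
GOOD = _block("RSA PRIVATE KEY") + _block("CERTIFICATE") + _block("CERTIFICATE")
NO_CHAIN = _block("PRIVATE KEY") + _block("CERTIFICATE")
KEY_LAST = _block("CERTIFICATE") + _block("CERTIFICATE") + _block("PRIVATE KEY")

if __name__ == "__main__":
    for name, pem in [("GOOD", GOOD), ("NO_CHAIN", NO_CHAIN), ("KEY_LAST", KEY_LAST)]:
        print(name, check_bundle(pem) or "ok")
```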
