Re: [exim] Certificate name mismatch over VPN

2021-12-14 Thread Heiko Schlittermann via Exim-users
Probably way too late :)

Alain D D Williams via Exim-users (Fri 30 Jul 2021 23:40:24 CEST):
…
> I do not think that I can do that here. The certificate is given to me by
> Let's Encrypt (le). Le verifies the (SNI) name by asking the agent to upload
> a nonce (a file with 86 random bytes) to where it can see it via a web server.
> 
> Unfortunately mint-vpn.phcomp.co.uk should only be visible via the VPN so LE
> will not verify it and so not generate & sign a certificate that contains it.
> 
> I suppose that I could hack Apache to allow an exception to
> /.well-known/acme-challenge/ from externally.

IMHO more elegant is to use LE's DNS challenge. The only precondition
is that you need to own the DNS entry you want to have the certificate
for. (Actually you need write access to the `_acme-challenge.` DNS entry
only once, if you drop there a CNAME to a writable DNS entry.)

Best regards from Dresden/Germany
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -


-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] Certificate name mismatch over VPN

2021-08-02 Thread Alain D D Williams via Exim-users
On Sun, Aug 01, 2021 at 03:30:49PM +0200, Exim Users wrote:

> Maybe this Snippet helps.
> I use it to present different certs depending on the local IP / interface of
> the current connection:

Ah, that looks like the sort of thing that I was looking for.

I have just hacked my Apache config to allow Let's Encrypt (well, anyone)
access to the directory /.well-known/acme-challenge/ and so now have a
certificate that I can let exim use - and this works.

I shall keep a note of this for use on other occasions.

Many thanks.

PS: I did this on a Debian 10 box. I am doing similar on a CentOS box which has
the added delight of getting the file labelling right to work under SELinux :-)

> Regards, Olaf
> 
> 
> 
> -- 
> Karlsruher Institut für Technologie (KIT)
> Steinbuch Centre for Computing (SCC)

-- 
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT 
Lecturer.
+44 (0) 787 668 0256  https://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: 
https://www.phcomp.co.uk/Contact.html
#include 



Re: [exim] Certificate name mismatch over VPN

2021-08-01 Thread Olaf Hopp (SCC) via Exim-users

On 7/31/21 11:19 PM, Jeremy Harris via Exim-users wrote:

> On 30/07/2021 22:40, Alain D D Williams via Exim-users wrote:
>
>> I do not think that I can do that here. The certificate is given to me by Let's
>> Encrypt (le). Le verifies the (SNI) name by asking the agent to upload a nonce
>> (a file with 86 random bytes) to where it can see it via a web server.
>>
>> Unfortunately mint-vpn.phcomp.co.uk should only be visible via the VPN so LE
>> will not verify it and so not generate & sign a certificate that contains it.
>
> Earlier you said you could generate a cert for mint-vpn.
> Now you say you're using LE certs, and your problem is that
> the public name visible to LE for their verify step isn't the vpn one.
>
> I'm confused.

Maybe this snippet helps.
I use it to present different certs depending on the local IP / interface of
the current connection:

# Present the test.example.com certificate when the connection arrived on
# the local address 10.10.10.1 or on the link-local IPv6 address; any other
# interface gets the foobar.example.com certificate.  "<;" changes the list
# separator to ";" so the colons in the IPv6 address are not taken as
# list separators.
tls_certificate = ${if or { \
    {match_ip{$received_ip_address}{10.10.10.1}} \
    {match_ip{$received_ip_address}{<; fe80::250:56ff:fe83:3f6a}} \
    }\
    {/etc/pki/tls/certs/test.example.com.pem} \
    {/etc/pki/tls/certs/foobar.example.com.pem} \
  }
# Same selection for the matching private key.
tls_privatekey = ${if or { \
    {match_ip{$received_ip_address}{10.10.10.1}} \
    {match_ip{$received_ip_address}{<; fe80::250:56ff:fe83:3f6a}} \
    }\
    {/etc/pki/tls/private/test.example.com.key} \
    {/etc/pki/tls/private/foobar.example.com.key} \
  }

Regards, Olaf



--
Karlsruher Institut für Technologie (KIT)
Steinbuch Centre for Computing (SCC)

Dipl.-Geophys. Olaf Hopp

Zirkel 2
Building 20.21, Room 316
76131 Karlsruhe

Phone: +49 721 608-48009
E-Mail: olaf.h...@kit.edu
Web: www.scc.kit.edu

Registered office:
Kaiserstraße 12, 76131 Karlsruhe

KIT - The Research University in the Helmholtz Association





Re: [exim] Certificate name mismatch over VPN

2021-07-31 Thread Jeremy Harris via Exim-users

On 30/07/2021 22:40, Alain D D Williams via Exim-users wrote:

> I do not think that I can do that here. The certificate is given to me by Let's
> Encrypt (le). Le verifies the (SNI) name by asking the agent to upload a nonce
> (a file with 86 random bytes) to where it can see it via a web server.
>
> Unfortunately mint-vpn.phcomp.co.uk should only be visible via the VPN so LE
> will not verify it and so not generate & sign a certificate that contains it.

Earlier you said you could generate a cert for mint-vpn.
Now you say you're using LE certs, and your problem is that
the public name visible to LE for their verify step isn't the vpn one.

I'm confused.

--
Cheers,
  Jeremy



Re: [exim] Certificate name mismatch over VPN

2021-07-30 Thread Alain D D Williams via Exim-users
On Fri, Jul 30, 2021 at 03:01:50PM -0400, Exim Users wrote:
> On Fri, Jul 30, 2021 at 07:29:33PM +0100, Alain D D Williams via Exim-users wrote:
> 
> > I get this error in B's log, it is complaining that M's certificate is using
> > the public name, not the VPN name:
> > 
> > [78.32.209.33] SSL verify error: certificate name mismatch: 
> > DN="/CN=freshmint.phcomp.co.uk" H="mint-vpn.phcomp.co.uk"
> > 
> > I could generate a certificate that is for 'mint-vpn' without much problem.
> > 
> > My question
> > 
> > How do I get exim on M to present the 'mint-vpn' certificate to
> > connections that come over the VPN ?
> 
> Exim supports SNI-based server certificate selection.  Configure the
> appropriate certificate for each SNI name.  Configure the VPN client
> to send SNI, and otherwise default to the public IP name.

Yes: that works on my machine B - which has several names, the certificate has
several SNI names in it.

I do not think that I can do that here. The certificate is given to me by Let's
Encrypt (le). Le verifies the (SNI) name by asking the agent to upload a nonce
(a file with 86 random bytes) to where it can see it via a web server.

Unfortunately mint-vpn.phcomp.co.uk should only be visible via the VPN so LE
will not verify it and so not generate & sign a certificate that contains it.

I suppose that I could hack Apache to allow an exception to
/.well-known/acme-challenge/ from externally.

-- 
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT 
Lecturer.
+44 (0) 787 668 0256  https://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: 
https://www.phcomp.co.uk/Contact.html
#include 



Re: [exim] Certificate name mismatch over VPN

2021-07-30 Thread Viktor Dukhovni via Exim-users
On Fri, Jul 30, 2021 at 07:29:33PM +0100, Alain D D Williams via Exim-users wrote:

> I get this error in B's log, it is complaining that M's certificate is using
> the public name, not the VPN name:
> 
> [78.32.209.33] SSL verify error: certificate name mismatch: 
> DN="/CN=freshmint.phcomp.co.uk" H="mint-vpn.phcomp.co.uk"
> 
> I could generate a certificate that is for 'mint-vpn' without much problem.
> 
> My question
> 
> How do I get exim on M to present the 'mint-vpn' certificate to
> connections that come over the VPN ?

Exim supports SNI-based server certificate selection.  Configure the
appropriate certificate for each SNI name.  Configure the VPN client
to send SNI, and otherwise default to the public IP name.

-- 
Viktor.

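Putting Viktor's SNI-based selection together with Olaf's interface-based fallback, as an added example that is not from any message in this thread. It assumes the VPN subnet 10.200.201.0/24 from the original post, an lsearch mapping file /etc/exim/sni-certs, certificate files under /etc/exim/certs/ that each carry their own private key, a private CA that signed the mint-vpn certificate (since Let's Encrypt cannot issue for the VPN-only name), and a CA bundle on B that contains that CA; all of those names and paths are assumptions, not something the thread states.

```exim
# --- Server side, on M (main configuration section) ---
#
# /etc/exim/sni-certs is an lsearch file mapping SNI names to PEM files, e.g.
#   mint-vpn.phcomp.co.uk:  /etc/exim/certs/mint-vpn.pem
#   freshmint.phcomp.co.uk: /etc/exim/certs/freshmint.pem
# The SNI value is untrusted client input; using it only as a lookup key
# (never as part of a path) means an unknown or hostile name can do nothing
# worse than fall back to the public certificate.  When the client sent no
# SNI at all, fall back to choosing by the local address the connection
# arrived on, which is what Olaf's snippet does.
tls_certificate = ${if !eq{$tls_in_sni}{} \
    {${lookup{$tls_in_sni}lsearch{/etc/exim/sni-certs} \
        {$value}{/etc/exim/certs/freshmint.pem}}} \
    {${if match_ip{$received_ip_address}{10.200.201.0/24} \
        {/etc/exim/certs/mint-vpn.pem} \
        {/etc/exim/certs/freshmint.pem}}}}
# tls_privatekey is deliberately left unset: Exim then reads the key from
# the same file as the certificate, so each .pem must contain both.

# --- Client side, on B (transports section) ---
#
# Send the name we are connecting to as SNI so M can pick the matching
# certificate, and require that certificate to verify for the VPN name.
remote_smtp:
  driver = smtp
  tls_sni = $host
  # Public CAs plus the private CA that signed mint-vpn.pem, concatenated
  # into one bundle (assumed path).
  tls_verify_certificates = /etc/exim/ca-bundle.pem
  # Fail the delivery rather than fall back to an unverified session when
  # talking to the VPN name.
  tls_verify_hosts = mint-vpn.phcomp.co.uk
  # Check the certificate's names against $host (this is the default).
  tls_verify_cert_hostnames = *
```

The point of the lookup is that the name a client puts in SNI is chosen by the client, so it should select among a fixed set of files rather than be interpolated into a path. A client that connects over the VPN but still sends freshmint.phcomp.co.uk as SNI will get the public certificate and verify it against that name, which is also correct; the interface fallback only matters for clients that send no SNI.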


[exim] Certificate name mismatch over VPN

2021-07-30 Thread Alain D D Williams via Exim-users
I have 2 machines that are on a self-hosted VPN, call them B and M.
Both machines are visible on the Internet.

When B wants to send email to M it will route it over the VPN rather than
sending it to M's public Internet address.

freshmint.phcomp.co.uk  is M's public Internet name
mint-vpn.phcomp.co.uk   is M's VPN name

I use certificates obtained from Let's Encrypt which it validates using the web
server that each machine has - this seems to work well. Let's Encrypt can
validate the 'freshmint' name but not the 'mint-vpn' name ... that is only
visible through the VPN.

I get this error in B's log, it is complaining that M's certificate is using
the public name, not the VPN name:

[78.32.209.33] SSL verify error: certificate name mismatch: 
DN="/CN=freshmint.phcomp.co.uk" H="mint-vpn.phcomp.co.uk"

I could generate a certificate that is for 'mint-vpn' without much problem.

My question

How do I get exim on M to present the 'mint-vpn' certificate to
connections that come over the VPN ?

Presumably I would need to do something like this:
tls_certificate = /etc/exim/mint-vpn.crt
tls_privatekey = /etc/exim/mint-vpn.key

But where ? What condition could I use ?


The other way would be to not advertise TLS over my VPN with something like:

tls_advertise_hosts = ! 10.200.201.0/24


Thanks in advance

-- 
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT 
Lecturer.
+44 (0) 787 668 0256  https://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: 
https://www.phcomp.co.uk/Contact.html
#include 
