On Tue, 2023-05-02 at 16:51 +0930, Tim via users wrote:
> On Mon, 2023-05-01 at 23:21 +0100, Patrick O'Callaghan wrote:
> > My small web server appears to be working and even has https, however
> > I've noticed this in /var/log/httpd/ssl_error_log:
> >
> > [...] AH01909: bree.org.uk:443:0 server certificate does NOT include an ID which matches the server name
> >
> > The ServerName is set to bree.org.uk, and that's the name under which I
> > obtained the certificate, so I'm not sure what's going on here.
>
> Since the site isn't loading at the moment, I can't look at things.
> But...
>

Apologies, I suspend the machine at night to save on electricity (as I
said, it's just for personal use) so it would have been off when you
tried. It suspends at about 3am local time (UK) and I wake it manually
in the morning. As I'm retired, this can vary from day to day.

> It's typical to make sure that domain name and any subdomains you might
> use, or other people might use, are included. In your case, that'd be
> bree.org.uk and www.bree.org.uk. Whether or not you intend to use the
> www subdomain, other people might do it automatically. It's as well to
> prepare for it.
>

I'm aware of that and intend to do it once I figure it out.

> And you may want to include mail servers, if you'll use the same
> certificate with them (now, or in the future). Some people do a
> wildcard (e.g. *.bree.org.uk). It could be a bit of future proofing.
> But if you're in the position of regularly updating your certificate,
> you can just add things as you want to.
>

I don't envisage running a mail server, but sure.

> A problem with SSL used to be (and can still be with some things), is
> that while you could have a multitude of different HTTP servers at the
> same IP address (the browser connecting would include the desired
> website's *name* in the request, the server would look at that and
> serve you the correct website), that *wasn't* possible with HTTPS but
> *now* is. The more recent addition of SNI into the HTTPS connection
> allowed that requested site's name to go into the request when you
> connect to the IP.
>

It doesn't seem to have an SNI entry (see my reply to Barry).

poc
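Added example, not part of the original message or from anyone in the thread: a small Python check of which host names a certificate covers, the kind of mismatch the AH01909 warning reports. The function names are hypothetical, the `openssl x509 -noout -text` excerpt is constructed, and the matching follows the usual RFC 6125-style rule that a wildcard stands for exactly one left-most label.

```python
import re

# Constructed excerpt of `openssl x509 -in cert.pem -noout -text` output
# (sample data for this example, not taken from the thread).
SAMPLE_TEXT = """\
        Subject: CN = bree.org.uk
            X509v3 Subject Alternative Name:
                DNS:bree.org.uk, DNS:*.bree.org.uk
"""


def cert_dns_names(text):
    """Return the dNSName SAN entries, falling back to the subject CN if there are none."""
    names = re.findall(r"DNS:([^,\s]+)", text)
    if not names:
        names = re.findall(r"Subject:.*?CN\s*=\s*([^,/\s]+)", text)
    return [n.lower().rstrip(".") for n in names]


def name_matches(pattern, host):
    """Compare one certificate name with a host name, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans several labels or zero labels
    if p[0] == "*":
        # Conservative choice made here: require at least two labels after "*".
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h


def uncovered(text, hosts):
    """Return the hosts that no name in the certificate text matches."""
    names = cert_dns_names(text)
    return [h for h in hosts if not any(name_matches(n, h) for n in names)]


if __name__ == "__main__":
    wanted = ["bree.org.uk", "www.bree.org.uk", "mail.bree.org.uk"]
    print("names in certificate:", cert_dns_names(SAMPLE_TEXT))
    print("not covered:", uncovered(SAMPLE_TEXT, wanted))
    # A wildcard on its own leaves the bare domain uncovered.
    print("wildcard only:", uncovered("DNS:*.bree.org.uk", wanted))
```

A certificate carrying only `*.bree.org.uk` does not cover `bree.org.uk` itself, so both names need to be listed when a wildcard is used.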