>> The ocserv config allows for multiple certificates and keys to be
>> specified, but it's unclear to me how to bind a specific certificate
>> to a specific hostname. I had hoped ocserv would do this
>> automatically,
>
> It can do it, but you have to use a very recent gnutls (i.e., 3.4.12,
> 3.3.23 or greater).

That worked. Thanks!

BTW, I did run into an unrelated issue: When briefly trying chain.pem instead of fullchain.pem (as provided by letsencrypt) ocserv wouldn't start. Instead it flooded the log with this:

Jun 12 22:11:31 seattle-1 ocserv[26991]: sec-mod: error receiving msg head from main

etc..

Regards,
Niels