> On Jun 10, 2019, at 2:39 PM, Paul Smith <paul@xxxxxxxxxxxxxxxxx> wrote:
>
> On Mon, 2019-06-10 at 14:23 -0400, Viktor Dukhovni wrote:
>>> $ openssl s_client -connect admin0.domain:8004 \
>>> -CAfile ca.cert -verify_hostname admin0.domain
>>>
>>> ---
>>> Verify return code: 62 (Hostname mismatch)
>>
>> It seems that you've elided too much information. Is the hostname
>> really "admin0.domain", or is there some underlying domain name
>> that you've obfuscated?
>
> I tried not to elide anything other than a lot of keys and stuff.
> Maybe that info isn't output?
>
> That is actually the hostname (I have this running in a Docker
> container to get the hostname set up without a lot of hassle).

As a safety measure, OpenSSL does not support "*.tld" wildcards.
The non-wildcard portion of the domain name needs to have at least
two labels. It seems I've neglected to document this... :-(

You can have "*.domain.example", but not "*.domain".

-- 
Viktor.
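The rule Viktor describes, modelled as a small hostname matcher (an added example written for this page, not OpenSSL's own code): a wildcard certificate name is accepted only when the part after "*." still has at least two labels, so "*.domain.example" covers "admin0.domain.example" while "*.domain" is rejected outright and "admin0.domain" ends up with a hostname mismatch. The function and pattern names are this example's own; OpenSSL's real matcher has further rules not shown here.

```python
def normalize_labels(name: str) -> list[str]:
    """Lower-case a DNS name, drop a trailing dot, and split into labels."""
    return name.strip().lower().rstrip(".").split(".")


def wildcard_pattern_is_valid(pattern: str) -> bool:
    """Apply the safety rule from the thread.

    A literal name is fine as long as no label is empty. A wildcard name
    must put '*' in the leftmost label only, and the non-wildcard part
    that follows needs at least two labels ('*.domain.example' ok,
    '*.domain' rejected, so '*.com'-style wildcards can never match).
    """
    labels = normalize_labels(pattern)
    if not all(labels):
        return False
    if "*" not in pattern:
        return True
    if labels[0] != "*" or any("*" in lab for lab in labels[1:]):
        return False
    return len(labels) - 1 >= 2


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (literal or wildcard) against a hostname.

    The wildcard stands for exactly one label, so '*.domain.example'
    matches 'admin0.domain.example' but not 'a.b.domain.example'.
    """
    if not wildcard_pattern_is_valid(pattern):
        return False
    p_labels, h_labels = normalize_labels(pattern), normalize_labels(hostname)
    if len(p_labels) != len(h_labels) or not all(h_labels):
        return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def verify_hostname(cert_names: list[str], hostname: str) -> str:
    """Mimic the verdict s_client prints: 'ok' or 'Hostname mismatch'."""
    if any(hostname_matches(n, hostname) for n in cert_names):
        return "ok"
    return "Hostname mismatch"


if __name__ == "__main__":
    # Constructed SAN lists for the two cases discussed in the thread.
    print(verify_hostname(["*.domain"], "admin0.domain"))           # Hostname mismatch
    print(verify_hostname(["*.domain.example"], "admin0.domain.example"))  # ok
```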