Timo announced:

> https://dovecot.org/releases/2.2/dovecot-2.2.27.tar.gz
> https://dovecot.org/releases/2.2/dovecot-2.2.27.tar.gz.sig
>
> Note that the download URLs are now https with a certificate from Let's Encrypt.

wget complained about

ERROR: certificate common name `wiki.dovecot.org' doesn't match requested host name `dovecot.org'.

and indeed, the certificate CN and download URL are mismatched. The nice thing
about Let's Encrypt is that it's easy to (re)generate the certificate with SANs
to get rid of this mismatch.

Browser didn't complain though.

Joseph Tam <jtam.home at gmail.com>
> On December 5, 2016 at 9:55 PM Joseph Tam <jtam.home at gmail.com> wrote:
>
>
> Timo announced:
>
> > https://dovecot.org/releases/2.2/dovecot-2.2.27.tar.gz
> > https://dovecot.org/releases/2.2/dovecot-2.2.27.tar.gz.sig
> >
> > Note that the download URLs are now https with a certificate from Let's Encrypt.
>
> wget complained about
>
> ERROR: certificate common name `wiki.dovecot.org' doesn't match requested host name `dovecot.org'.
>
> and indeed, the certificate CN and download URL are mismatched. The nice thing
> about Let's Encrypt is that it's easy to (re)generate the certificate with SANs
> to get rid of this mismatch.
>
> Browser didn't complain though.
>
> Joseph Tam <jtam.home at gmail.com>

Despite what wget says the cert does have subject alternate name correctly
specified. Try adding cacert dir or file option. I recall wget being "helpful"
and reporting this for all cert errors if primary CN and requested name
disagree.

Aki
On Mon, 5 Dec 2016, Aki Tuomi wrote:

>> wget complained about
>>
>> ERROR: certificate common name `wiki.dovecot.org' doesn't match requested host name `dovecot.org'.
>
> Despite what wget says the cert does have subject alternate name correctly
> specified.

Ah, you're right, "wget" lied to me

$ openssl s_client -connect dovecot.org:443 </dev/null 2>&1 | openssl x509 -noout -text | grep DNS:
DNS:dovecot.org, DNS:hg.dovecot.org, DNS:imapwiki.org, DNS:master.wiki.dovecot.org, DNS:master.wiki1.dovecot.org, DNS:master.wiki2.dovecot.org, DNS:pigeonhole.dovecot.nl, DNS:pigeonhole.dovecot.org, DNS:wiki.dovecot.org, DNS:wiki1.dovecot.org, DNS:wiki2.dovecot.org, DNS:www.dovecot.org, DNS:www.imapwiki.org

> Try adding cacert dir or file option. I recall wget being "helpful"
> and reporting this for all cert errors if primary CN and requested name
> disagree.

The CN is supposed to be ignored in the presence of SANs. Looks like I need
to update wget

https://bugzilla.redhat.com/show_bug.cgi?id=903756

Thanks for setting me straight.

Joseph Tam <jtam.home at gmail.com>
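As an added illustration of the rule Joseph refers to (example code, not part of the thread or of wget): the SAN-first host name check in Python, using the CN from the wget message and the dNSName list from the openssl output above as constructed input, with a CN-only comparison beside it to show why the error message was misleading.

```python
import re

# Constructed from the thread: the CN wget complained about and the dNSName
# SANs printed by `openssl x509 -noout -text | grep DNS:` for dovecot.org.
CERT_CN = "wiki.dovecot.org"
OPENSSL_DNS_LINE = (
    "DNS:dovecot.org, DNS:hg.dovecot.org, DNS:imapwiki.org, "
    "DNS:master.wiki.dovecot.org, DNS:master.wiki1.dovecot.org, "
    "DNS:master.wiki2.dovecot.org, DNS:pigeonhole.dovecot.nl, "
    "DNS:pigeonhole.dovecot.org, DNS:wiki.dovecot.org, DNS:wiki1.dovecot.org, "
    "DNS:wiki2.dovecot.org, DNS:www.dovecot.org, DNS:www.imapwiki.org"
)


def parse_san_dns(line):
    """Extract the dNSName entries from the SAN line printed by `openssl x509 -text`."""
    return [e[4:] for e in re.split(r",\s*", line.strip()) if e.startswith("DNS:")]


def name_matches(pattern, host):
    """Compare one presented identifier with the requested host name.

    A wildcard is accepted only as the whole leftmost label and matches exactly
    one label (RFC 6125 section 6.4.3): 'a.b.example.org' does not match
    '*.example.org', and neither does the bare 'example.org'.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    head, _, rest = host.partition(".")
    return bool(head) and rest == pattern[2:]


def hostname_matches_cert(cn, san_dns, host):
    """RFC 2818 / RFC 6125 rule: if any dNSName SANs are present the subject CN
    is ignored entirely; the CN is consulted only when there are no SANs."""
    candidates = san_dns if san_dns else ([cn] if cn else [])
    return any(name_matches(n, host) for n in candidates)


def cn_only_matches(cn, host):
    """The comparison the wget message suggests it made: CN against host, SANs ignored."""
    return name_matches(cn, host)
```

For the dovecot.org certificate, hostname_matches_cert accepts "dovecot.org" through the SAN list while cn_only_matches rejects it, which is exactly the discrepancy the thread describes.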