On Mon, 5 Dec 2016, Aki Tuomi wrote:


wget complained about

        ERROR: certificate common name `wiki.dovecot.org' doesn't match requested host name `dovecot.org'.


Despite what wget says the cert does have subject alternate name correctly 
specified.

Ah, you're right, "wget" lied to me

        $ openssl s_client -connect dovecot.org:443 </dev/null 2>&1 | openssl x509 -noout -text | grep DNS:
                DNS:dovecot.org, DNS:hg.dovecot.org, DNS:imapwiki.org, DNS:master.wiki.dovecot.org, DNS:master.wiki1.dovecot.org, DNS:master.wiki2.dovecot.org, DNS:pigeonhole.dovecot.nl, DNS:pigeonhole.dovecot.org, DNS:wiki.dovecot.org, DNS:wiki1.dovecot.org, DNS:wiki2.dovecot.org, DNS:www.dovecot.org, DNS:www.imapwiki.org

Try adding cacert dir or file option.  I recall wget being "helpful"
and reporting this for all cert errors if primary CN and requested name
disagree.

The CN is supposed to be ignored in the presence of SANs.  Looks like
I need to update wget

        https://bugzilla.redhat.com/show_bug.cgi?id=903756

Thanks for setting me straight.

Joseph Tam <jtam.h...@gmail.com>
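
The rule discussed in this message (the CN is ignored once the certificate carries DNS subject alternative names), as an added example that is not part of the original thread and is not code from wget or OpenSSL. All function names are hypothetical, `cn_only_check` is a constructed model of a client that compares only the CN, and the inputs reuse the CN from the wget error and a subset of the SAN list printed above.

```python
# Added example: hostname verification where SAN dNSName entries take
# precedence over the subject CN. Names are illustrative assumptions.

def _match(pattern, host):
    """Compare one certificate name with the requested host, label by label.
    A '*' is honoured only as the entire left-most label of a 3+ label name."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return bool(h[0]) and p[1:] == h[1:]
    return p == h


def verify_hostname(host, common_name, san_dns):
    """Return (ok, source). If any DNS SAN exists, the CN is never consulted."""
    if san_dns:
        return any(_match(name, host) for name in san_dns), "SAN"
    return (common_name is not None and _match(common_name, host)), "CN"


def cn_only_check(host, common_name, san_dns):
    """Constructed model of the failure mode: the SAN list is ignored."""
    return common_name is not None and _match(common_name, host)


# Constructed input: CN from the wget error, SAN subset from the openssl output.
CN = "wiki.dovecot.org"
SANS = ["dovecot.org", "hg.dovecot.org", "wiki.dovecot.org", "www.dovecot.org"]

if __name__ == "__main__":
    for host in ("dovecot.org", "wiki.dovecot.org", "mail.dovecot.org"):
        print(host, verify_hostname(host, CN, SANS), cn_only_check(host, CN, SANS))
```

The precedence cuts both ways: a host that matches only the CN is rejected when SANs are present, so falling back to the CN after a SAN miss would be a verification bug rather than a convenience.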
