On Mon, 2023-05-01 at 23:21 +0100, Patrick O'Callaghan wrote:
> My small web server appears to be working and even has https, however
> I've noticed this in /var/log/httpd/ssl_error_log:
> 
> [...] AH01909: bree.org.uk:443:0 server certificate does NOT include an ID 
> which matches the server name
> 
> The ServerName is set to bree.org.uk, and that's the name under which I
> obtained the certificate, so I'm not sure what's going on here.

Since the site isn't loading at the moment, I can't look at things. 
But...

It's typical to make sure that domain name and any subdomains you might
use, or other people might use, are included.  In your case, that'd be
bree.org.uk and www.bree.org.uk.  Whether or not you intend to use the
www subdomain, other people might do it automatically.  It's as well to
prepare for it.

And you may want to include mail servers, if you'll use the same
certificate with them (now, or in the future).  Some people do a
wildcard (e.g. *.bree.org.uk).  It could be a bit of future proofing. 
But if you're in the position of regularly updating your certificate,
you can just add things as you want to.

A problem with SSL used to be (and can still be with some things) that
while you could have a multitude of different HTTP servers at the
same IP address (the browser connecting would include the desired
website's *name* in the request, the server would look at that and
serve you the correct website), that *wasn't* possible with HTTPS but
*now* is.  The more recent addition of SNI into the HTTPS connection
allowed that requested site's name to go into the request when you
connect to the IP.

Because it's a newer scheme, it could fail with older things, but I
think we should be well past that era, by now.

Other issues such as reverse DNS lookups matching the forward
DNS lookups are probably less of an issue than it used to be.  With the
advent of virtual hosts, rather than every site having its own IP, it
became an impossible requirement.  Though I still have that with the mail
server on my host.  When I fetch my mail, I have to ignore that the
host's certificate is inappropriate for my email's domain name.

-- 
 
uname -rsvp
Linux 3.10.0-1160.88.1.el7.x86_64 #1 SMP Tue Mar 7 15:41:52 UTC 2023 x86_64
 
Boilerplate:  All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.
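
Added example, not part of the original message and not Apache's own code: a Python sketch of the kind of name check behind AH01909, testing which server names a certificate's subjectAltName DNS entries cover. The SAN lists are constructed samples, `mail.bree.org.uk` and the function names are hypothetical, and the wildcard rule assumed is the usual one (whole leftmost label, exactly one label).

```python
# Added example: names and SAN lists below are constructed for illustration.

def san_matches(hostname: str, san: str) -> bool:
    """True if one subjectAltName dNSName entry covers hostname.

    Comparison is case-insensitive; a wildcard is honoured only as the
    entire leftmost label and stands for exactly one label.
    """
    host = hostname.rstrip(".").lower().split(".")
    pattern = san.rstrip(".").lower().split(".")
    if len(host) != len(pattern):
        return False  # '*.example' never covers 'example' or 'a.b.example'
    if pattern[0] == "*":
        return len(pattern) > 2 and host[0] != "" and host[1:] == pattern[1:]
    return host == pattern


def uncovered(names, sans):
    """Return the names in `names` that no SAN entry covers, in order."""
    return [n for n in names if not any(san_matches(n, s) for s in sans)]


# Names clients may use for the site in the thread, plus a mail host
# (mail.bree.org.uk is a hypothetical name, not from the thread).
WANTED = ["bree.org.uk", "www.bree.org.uk", "mail.bree.org.uk"]

# Constructed SAN lists for three ways the certificate could be issued.
SINGLE = ["bree.org.uk"]
WILDCARD_ONLY = ["*.bree.org.uk"]
WILDCARD_PLUS_APEX = ["bree.org.uk", "*.bree.org.uk"]

if __name__ == "__main__":
    for label, sans in [("single", SINGLE), ("wildcard only", WILDCARD_ONLY),
                        ("wildcard + apex", WILDCARD_PLUS_APEX)]:
        print(f"{label:16} missing: {uncovered(WANTED, sans) or 'none'}")
```

A wildcard entry alone leaves the bare domain uncovered, so a certificate meant to serve both needs the apex name listed next to the wildcard.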
 