On my server I have multiple virtual hosts with apache2, some with domain *.example-one.org and some with *.example-two.org. Each domain has its own wildcard certificate.
When I fetch the certificate via openssl s_client, the output is something like this:

    $ openssl s_client -connect sub.example-one.org:443
    CONNECTED(00000003)
    [...]
    CN = *.example-two.org, emailAddress [...]
    verify error:num=18:self signed certificate
    verify return:1
    [...]
    CN = *.example-two.org, emailAddress [...]
    verify return:1
    ---
    [...]
    Verify return code: 18 (self signed certificate)
    ---
And with gnutls-cli:

    $ gnutls-cli -p 443 sub.example-one.org
    Processed 164 CA certificate(s).
    Resolving 'sub.example-one.org'...
    Connecting to '14x.xxx.xxx.xxx:443'...
    - Certificate type: X.509
    - Got a certificate list of 1 certificates.
    - Certificate[0] info:
     - subject `[...]CN=*.example-one.org[...]', RSA key 2048 bits, signed using RSA-SHA1, activated `2013-07-11 12:30:31 UTC', expires `2015-07-11 12:30:31 UTC', SHA-1 fingerprint `94ddfd0d74e0352521af511c1d08c71e5314fae4'
    [...]
    - Status: The certificate is NOT trusted. The certificate issuer is unknown.
    *** Verifying server certificate failed...
    *** Fatal error: Error in the certificate.
    *** Handshake has failed
    GnuTLS error: Error in the certificate.
(I've shortened the output with "[...]".)
Firefox fetches the correct certificate, as gnutls-cli does.
Why are there differences?
Answer
If you use multiple certificates behind the same IP address you have to use SNI (Server Name Indication). While browsers do this by default, and gnutls maybe too, s_client does not, and you have to use:

    openssl s_client -servername sub.example.org -connect ...
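What the answer describes can be seen on the wire: the hostname travels in the server_name extension (RFC 6066) of the ClientHello, and a name-based TLS server picks its certificate from that field. The following Python script is an added example and not part of the original question or answer: it builds a minimal TLS 1.2 ClientHello with or without the SNI extension (the difference between running s_client with and without -servername), parses the extension back out the way a server would, and emulates Apache's vhost selection rule, where a connection that carries no usable SNI name is served by the first vhost configured for that address. The vhost list, its ordering (example-two first, which is what produces the behaviour in the question) and the certificate CNs are constructed assumptions for the demonstration.

```python
import os
import struct

TLS_1_2 = b"\x03\x03"
EXT_SERVER_NAME = 0  # extension type of server_name (SNI), RFC 6066


def build_client_hello(server_name=None):
    """Return one TLS record holding a minimal TLS 1.2 ClientHello.

    server_name=None mirrors `openssl s_client` without -servername: no SNI
    extension at all.  With a hostname, the server_name extension that
    -servername (and every browser) adds is appended.
    """
    body = TLS_1_2                        # client_version
    body += os.urandom(32)                # random
    body += b"\x00"                       # session_id length 0
    suites = b"\xc0\x2f\x00\x9c"          # two cipher suites; any will do here
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                   # one compression method: null
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        # ServerName entry: name_type 0 (host_name), 2-byte length, name
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    # Handshake header: type 1 (client_hello) + 24-bit body length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 22 (handshake), version, 16-bit length
    return b"\x16" + TLS_1_2 + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Extract the host_name from a ClientHello record; None if no SNI was sent."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                                                 # handshake type + length
    p += 2 + 32                                           # client_version + random
    p += 1 + hs[p]                                        # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]          # cipher_suites
    p += 1 + hs[p]                                        # compression_methods
    if p >= len(hs):
        return None                                       # no extensions block at all
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        ext_type, length = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        data = hs[p:p + length]
        p += length
        if ext_type == EXT_SERVER_NAME:
            q = 2                                         # skip ServerNameList length
            while q + 3 <= len(data):
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if name_type == 0:
                    return data[q:q + name_len].decode("ascii")
                q += name_len
    return None


def host_matches(pattern, host):
    """Wildcard match as used for ServerAlias and certificate CNs: '*' covers one label."""
    if pattern.startswith("*."):
        return (host.count(".") == pattern.count(".")
                and host.lower().endswith(pattern[1:].lower()))
    return pattern.lower() == host.lower()


def select_vhost(vhosts, record):
    """Emulate name-based vhost selection: the first vhost whose alias matches the
    SNI name wins; with no SNI (or no match) the first vhost for the address is
    used, which is Apache's default-vhost rule (assumed here, not Apache's code)."""
    sni = parse_sni(record)
    if sni is not None:
        for vh in vhosts:
            if any(host_matches(alias, sni) for alias in vh["aliases"]):
                return vh
    return vhosts[0]


# Constructed sample matching the question: the example-two vhost is listed
# first, so it is the default whenever no SNI name arrives.
VHOSTS = [
    {"aliases": ["*.example-two.org"], "cert_cn": "*.example-two.org"},
    {"aliases": ["*.example-one.org"], "cert_cn": "*.example-one.org"},
]


def certificate_for(server_name):
    """CN of the certificate the server would present for this ClientHello."""
    return select_vhost(VHOSTS, build_client_hello(server_name))["cert_cn"]


if __name__ == "__main__":
    print("no SNI (s_client without -servername):", certificate_for(None))
    print("SNI sub.example-one.org:", certificate_for("sub.example-one.org"))
```

Run without a hostname the script returns *.example-two.org, the wrong certificate the question observed from s_client; with "sub.example-one.org" it returns *.example-one.org, what gnutls-cli and Firefox got. The same check works against a real capture: feed the first record of a ClientHello to parse_sni and it tells you whether the client sent a name at all.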
Attribution
Source: Link, Question Author: Nepomuk Frädrich, Answer Author: shastry