SSL cert with round-robin

These are old archives. They are kept for historic purposes only.
Post Reply
CrazyCat
Posts: 127
Joined: Thu Apr 28, 2005 1:05 pm
Location: France
Contact:

SSL cert with round-robin

Post by CrazyCat »

Hello there, and sorry if it's not the good section.

I've a network accessible by irc.mynet.net, this is a dns round-robin sending users on serv1.mynet.net and serv2.mynet.net.
I made SSL certificates using irc.mynet.net AS CN, so I've different alerts:
- connecting irc.mynet.net, I get "Certificate has changed since last connection." if the RR send me to the second server (and previously I was on the first)
- connecting directly to serv1 or serv2, I get (with weechat) : gnutls: hostname does not match server name "serv1.mynet.net"

How can I correct this whithout paying for a subdomains certificate ?

Thanks by advance
katsklaw
Official supporter
Posts: 1124
Joined: Sun Apr 18, 2004 5:06 pm
Contact:

Re: SSL cert with round-robin

Post by katsklaw »

Each server has to have their own cert so the names match to prevent the latter error. The former error is likely just your client being confused by the RR. What i mean is your client thinks it's connecting to a server named irc.* but the server tells your client it's real name and gives the same cert but your client assigned that cert to the other server since last time you connected you were connected to it.
CrazyCat
Posts: 127
Joined: Thu Apr 28, 2005 1:05 pm
Location: France
Contact:

Re: SSL cert with round-robin

Post by CrazyCat »

Ok katsklaw, that is what I was thinking about.
I'll redo my certs and have tests with several clients. Btw, it's not a blocking error, I was just curious about it.
CrazyCat
Posts: 127
Joined: Thu Apr 28, 2005 1:05 pm
Location: France
Contact:

Re: SSL cert with round-robin

Post by CrazyCat »

Small reply after tests: I used *.mynet.net as CN, and whatever the client is, I just get an alert beacause the SSL is self-signed.
katsklaw
Official supporter
Posts: 1124
Joined: Sun Apr 18, 2004 5:06 pm
Contact:

Re: SSL cert with round-robin

Post by katsklaw »

I always use self signed certs. Rarely you get someone complain about it but i don't see spending money on certs for irc. Its easy enough to keep the certs valid and not worry about self signed but that's just me.
Post Reply