No, not really. There's no case where an (unmodified) SME Server is going to serve different certs depending on the requested hostname--that would require SNI, which SME doesn't support out of the box. There's a bug open requesting that be added; I'm uncertain of the value of doing so, but in any case it isn't there now. SME serves a single cert on any https connection, irrespective of the requested hostname. You can verify this most easily on my site using Firefox--browse to the IP link I gave, Firefox will give you a warning, and let you view the cert. The cert you'll see is a Let's Encrypt cert.
No, the warning is given because the hostname requested (the IP address) doesn't appear on the cert.
Thanks Dan. I just got back and tested and indeed this is correct.
Go to the IP and you get a privacy error. Check the certificate and you can see that the certificate is a Letsencrypt cert and the browser throws the error as the cert is for a FQDN and not the IP.
The browser continues to complain, despite the connection being https.
It reports:
Certificate Error
There are issues with the site's certificate chain (net::ERR_CERT_COMMON_NAME_INVALID).
Secure TLS connection
The connection to this site is using a strong protocol version and cipher suite.
Secure Resources
All resources on this page are served securely.
So, yes the connection is secure, but the browser doesn't like it.
Possibly in the short term it may be easier to add a template fragment to redirect IP addresses to the FQDN is that is a concern for some ?
Inevitable StackOverflow:
http://stackoverflow.com/questions/11649944/apache-httpd-conf-for-redirecting-ip-to-hostname#11651783There are lots of pages on the subject.
53 Replies
10154 Views