[tech] secure.ucc certificate expiry
David Adam
zanchey at ucc.gu.uwa.edu.au
Wed Jun 3 08:55:34 AWST 2015
The TLS certificate for secure.ucc.asn.au (not *.ucc.asn.au) has expired
(on May 11, 2015). We use the wildcard cert pretty much everywhere -
HTTPS, IMAPS, SMTPS, RDP to Maaxen - but not the IPsec VPN, because
StrongSwan doesn't support wildcards. The domain used for the VPN needs to
be listed on the certificate as a subjectAltName, which on the wildcard
cert is 'ucc.asn.au' as well as '*.ucc.asn.au'.

At the moment I've changed the VPN to use 'ucc.asn.au' instead of
'secure.ucc.asn.au' (with appropriate firewall mangling), but I wonder if
we could look at getting a few defined subjectAltNames added to our
certificate. I don't think it's really worth renewing a separate
certificate just for IPsec. Who looks after the wildcard certificate?

Hopefully letsencrypt.org will get off the ground soon which will make
this sort of thing much easier.

Cheers

David Adam
zanchey@
[1]: https://wiki.strongswan.org/issues/794
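
Added example, not part of the original post and not strongSwan's code: a sketch of why the wildcard certificate serves HTTPS for 'secure.ucc.asn.au' but not a peer that compares the identity verbatim against the subjectAltNames, and which names would need to be listed explicitly. The SAN list is the one given in the post; the function names and the candidate name list are assumptions made for illustration.

```python
# SANs on the wildcard certificate, as stated in the post.
WILDCARD_SANS = ["ucc.asn.au", "*.ucc.asn.au"]


def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def match_exact(identity, sans):
    """No wildcard support: the identity must appear verbatim as a SAN.
    Models the behaviour the post describes for the VPN."""
    return any(_labels(identity) == _labels(san) for san in sans)


def match_wildcard(hostname, sans):
    """RFC 6125-style matching as done by HTTPS/IMAPS clients:
    '*' may stand for the whole left-most label only, never several labels."""
    host = _labels(hostname)
    for san in sans:
        pattern = _labels(san)
        if len(pattern) != len(host):
            continue  # a wildcard never spans more than one label
        if pattern[0] == "*":
            if len(pattern) >= 3 and pattern[1:] == host[1:]:
                return True
        elif pattern == host:
            return True
    return False


def names_needing_explicit_san(names, sans):
    """Names a wildcard-aware client accepts but an exact-match peer rejects.
    These are the candidates for 'defined subjectAltNames' on the certificate."""
    return [n for n in names
            if match_wildcard(n, sans) and not match_exact(n, sans)]


if __name__ == "__main__":
    # Constructed candidate list: the two VPN names mentioned in the post.
    for name in ["ucc.asn.au", "secure.ucc.asn.au"]:
        print(f"{name:20} wildcard-aware={match_wildcard(name, WILDCARD_SANS)} "
              f"exact-only={match_exact(name, WILDCARD_SANS)}")
    print("add as explicit SAN:",
          names_needing_explicit_san(["ucc.asn.au", "secure.ucc.asn.au"],
                                     WILDCARD_SANS))
```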