3

My server provides WebDAV over HTTPS only, so that other machines can access the DAV. Say the certificate is issued for www.myserver.com and the WebDAV is at https://www.myserver.com/webdav.

For various reasons, I also want the server itself to mount this directory. Since there's no point using the actual URL and routing over the whole internet, I just take a shortcut:

```
mount https://localhost/webdav
```

But now I get a problem:

```
/sbin/mount.davfs: the server certificate does not match the server name
```

Which makes sense. As explained by the developer of davfs, the certificate I got is for www.myserver.com but it is presented by 127.0.0.1, so of course it doesn't match.

I want to auto-mount this volume at boot. Presumably that wouldn't work, since at every boot it would wait for someone to answer Y/N to accepting the certificate. How can I make davfs ignore this problem either for this URL or for this certificate?

Superbest
  • Are you in a situation where having the certificate re-issued is costly? (The certificate can contain Subject Alternate Names, which means it could also be valid for the name `localhost` and the IP `127.0.0.1`.) – Ulrich Schwarz Apr 21 '15 at 09:30
  • 1
    @UlrichSchwarz It's not costly at all (self-signed) but is it possible to have one certificate that is valid for both `localhost` *and* `www.myserver.com`? – Superbest Apr 21 '15 at 09:33
  • Just define it in your `fstab` and run mount command through terminal like `mount /mount/mydavmountpoint` and it would interactively ask if you want it to accept the invalid certificate, like `Accept certificate for this session? [y,N]` – zxcmehran Mar 21 '18 at 21:42

3 Answers

1

You could work around that issue by editing the /etc/hosts file. Just change the line where localhost is defined to something like that:

```
127.0.0.1    www.myserver.com all_other_aliases localhost
```

Then use ping to check it:

```
$ ping www.myserver.com
PING www.myserver.com (127.0.0.1) 56(84) bytes of data.
64 bytes from www.myserver.com (127.0.0.1): icmp_req=1 ttl=64 time=0.013 ms
...
```

Now, the name lookup for the certification check during mount should resolve correctly.

chaos
1

You can have multiple hostnames and IPs in your certificate; these are called Subject Alternative Names. CAcert recommends always doing this, even for one name.

Unfortunately, creating them is a bit more tricky and involves changing your openssl.conf on the fly. Cribbing together from my notes, generating your new certificate signing request goes along these lines:

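```
# -new creates a CSR from the existing key; -subj sets the subject.
# The <(...) process substitution requires bash.
openssl req -new -sha256 -key your-private-key.pem -out your-csr.pem \
        -subj "(your subject)" \
        -config <(/bin/cat /etc/pki/tls/openssl.cnf ./myhosts.cfg) \
        -reqexts hostnames
```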

where myhosts.cfg has content like this:

```
[ hostnames ]
subjectAltName = \
  DNS:www.myserver.com,\
  DNS:localhost,\
  IP:127.0.0.1
```

The standard openssl config lives in /etc/pki/tls/openssl.cnf on Red Hat/CentOS, and probably elsewhere on other distros. I've never actually done it for IPs, but OpenSSL docs suggest it should be possible.

If you ever want to switch to properly-signed certs, you may find that some CAs may refuse to issue certificates for private-subnet IPs.

Ulrich Schwarz
  • While chaos's solution is more KISS for my use case, I really appreciate learning about this alternative. – Superbest Apr 21 '15 at 13:08
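
The difference between the CN-only certificate from the question and one carrying the Subject Alternative Names from the answer above can be checked before pointing davfs at it. This script is an added example, not part of either answer: it builds both self-signed certificates and tests each name with `openssl x509 -checkhost` / `-checkip`. The helper names `make_cert` and `cert_covers`, the file names, key size and validity period are assumptions.

```shell
#!/bin/sh
# Added example. File names, key size and validity period are assumptions.
# Requires the openssl command-line tool.

# make_cert PREFIX SAN_LIST
# Writes PREFIX.cnf, PREFIX.key and PREFIX.crt (self-signed, CN=www.myserver.com).
# An empty SAN_LIST produces a certificate with no subjectAltName at all.
make_cert() {
    {
        printf '[ req ]\ndistinguished_name = dn\nprompt = no\n'
        printf '[ dn ]\nCN = www.myserver.com\n'
        printf '[ hostnames ]\nsubjectKeyIdentifier = hash\n'
        [ -z "$2" ] || printf 'subjectAltName = %s\n' "$2"
    } > "$1.cnf"
    (
        umask 077    # keep the private key readable by its owner only
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
            -config "$1.cnf" -extensions hostnames \
            -keyout "$1.key" -out "$1.crt" 2>/dev/null
    )
}

# cert_covers CERT NAME
# Succeeds only if CERT is valid for NAME (a DNS name or an IP literal).
cert_covers() {
    case $2 in
        *:*)       check=-checkip ;;     # IPv6 literal
        *[!0-9.]*) check=-checkhost ;;   # contains other characters: DNS name
        *)         check=-checkip ;;     # digits and dots only: IPv4 literal
    esac
    openssl x509 -in "$1" -noout "$check" "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Demo: the CN-only certificate from the question vs. the SAN certificate.
tmp=$(mktemp -d)
make_cert "$tmp/cn-only" ""
make_cert "$tmp/with-san" "DNS:www.myserver.com,DNS:localhost,IP:127.0.0.1"
for crt in cn-only with-san; do
    for name in www.myserver.com localhost 127.0.0.1; do
        if cert_covers "$tmp/$crt.crt" "$name"; then r=match; else r=MISMATCH; fi
        printf '%-9s %-17s %s\n' "$crt" "$name" "$r"
    done
done
rm -rf "$tmp"
```
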
0

I had the same problem. My solution was as simple as this:

```
echo y | mount -t davfs https://localhost/<URL details> <mount point>
```

Perhaps not pretty, but works like a charm (replace the code in <...> with your details). I then added this command to my /etc/rc.local (Ubuntu), and it is automatically mounted at every startup. Works without problems so far.