I have multiple servers that share files via WebDAV. The connections are secured with TLS and the same wildcard certificate on all servers. I have different subdomains pointing to the respective servers. However, I can't get davfs2 to accept my wildcard certificate; it keeps complaining: /sbin/mount.davfs: the server certificate does not match the server name
So for example I have:
ServerA.mydomain.com
ServerB.mydomain.com
All have a certificate that covers *.mydomain.com and a SAN for mydomain.com.
Everything works fine, of course, if I use mydomain.com for WebDAV, because that one is explicitly covered in the certificate.
I could add all my subdomains as SANs to the certificate, but I can't keep reissuing certificates each time I put a machine up (or take one down).
So is there any way to make davfs2 accept wildcard certificates?
The problem in fact has nothing to do with how WebDAV handles wildcards, but everything to do with how X.509 certificate extensions are handled.
As it turns out, Subject Alternative Name is a misnomer. According to RFC 5280 (section 4.2), an application MUST reject any extension it does not recognize if it is marked as critical (if it is marked as non-critical it MAY be ignored), but if an application recognizes an extension it MUST be used.
What this means is that when WebDAV encounters a SubjectAltName, it checks that and only that against the server name. The Common Name with my wildcard in it is completely ignored. The Subject Alternative Name doesn't provide the alternative or additional names; it must provide ALL identifying names.
Thus, put all the domain names, including the wildcard, into the SAN.
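The rule the answer describes, as an added example that is not part of the original question or answer: a hostname check that consults only the SAN dNSName entries when a SAN extension is present and falls back to the Common Name only when there is no SAN. The certificate dicts are constructed here and assume the shape returned by Python's ssl getpeercert(); the hostname and wildcard names are the ones from the question.

```python
"""Hostname matching as described in the answer above: when a certificate
carries a subjectAltName extension, only its DNS entries are matched and
the subject commonName is ignored; the CN is consulted only when no SAN
is present.  Certificates are represented in the dict shape returned by
ssl.SSLSocket.getpeercert() (an assumption made for this example)."""


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname, case-insensitively.
    A wildcard is honoured only as the entire leftmost label, so
    '*.mydomain.com' covers 'servera.mydomain.com' but neither
    'mydomain.com' nor 'a.b.mydomain.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole first label, leave at least two fixed
    # labels, and the label counts must line up.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """SAN DNS names take precedence; CN is used only if no SAN exists."""
    san = [v for typ, v in cert.get("subjectAltName", ()) if typ == "DNS"]
    if san:
        return any(_dns_name_matches(n, hostname) for n in san)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(n, hostname) for n in cns)


# Constructed sample certificate descriptors, not real certificates.
CERT_FROM_QUESTION = {  # wildcard only in CN, SAN carries the bare domain
    "subject": ((("commonName", "*.mydomain.com"),),),
    "subjectAltName": (("DNS", "mydomain.com"),),
}
CERT_FIXED = {  # wildcard added to the SAN as the answer recommends
    "subject": ((("commonName", "*.mydomain.com"),),),
    "subjectAltName": (("DNS", "mydomain.com"), ("DNS", "*.mydomain.com")),
}
CERT_NO_SAN = {"subject": ((("commonName", "*.mydomain.com"),),)}

if __name__ == "__main__":
    certs = [("question", CERT_FROM_QUESTION), ("fixed", CERT_FIXED), ("no SAN", CERT_NO_SAN)]
    for label, cert in certs:
        for host in ("mydomain.com", "ServerA.mydomain.com", "a.b.mydomain.com"):
            print(f"{label:8} {host:22} -> {cert_matches_hostname(cert, host)}")
```

Running it shows ServerA.mydomain.com rejected against the question's certificate despite the wildcard CN, and accepted once the wildcard is also in the SAN.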