(Sorry for the late reply, have been busy.)

onefang wrote on 07.11.19 14:40:
> On Thu, 7 Nov 2019 00:26:28 +1000 onefang said :
>> On Wed, 6 Nov 2019 15:16:45 +0100 Irrwahn said :
[SNIP]
>>> [***] [ssl:error] [pid ***] AH02032: Hostname 95.216.15.86 provided
>>> via SNI and hostname devuan.packet-gain.de provided via HTTP have no
>>> compatible SSL setup
>
> Have you been getting a bunch of those messages once an hour from my
> sledjhamr.org server?

Yep. It stopped once I removed the bogus vhost config. After some
pondering I'm now afraid that your tests may now pass more or less
accidentally, as by pure coincidence the devuan mirror vhost has
become the first config to be included. Sure, there is an easy way
to make that permanent, but that would still be just papering over
the underlying issue.

[SNIP]
> I managed to attend the meeting, and we decided that I'll be setting up
> apt-panopticon to regularly do tests (once I have more of the tests
> working properly), and reporting the results officially. There will
> eventually be graphs and alerts.

Good news.

[SNIP]> The language chosen is Lua. So lua-socket was used to provide the
> HTTP / HTTPS / FTP / EMAIL functions. Lua-socket is commonly used for
> these things in Lua scripts.
[SNIP]
> The latest version of lua-socket that isn't available for ASCII, not
> even in backports, properly supported HTTPS. Lua-sec is essentially a
> wrapper around lua-socket that does support HTTPS, so I now use both.
> They are both a few versions behind, and there are several fixes for
> the SSL parts of lua-sec.

Uh, is Lua really the right choice then? Just a thought, as I haven't
dug into what other frameworks offer in this regard (Python, Go, ...).
Sorry I can't be of much help here. (FWIW, presented with the task I
probably would've coded in C, but that'd be just me having fun shooting
my own foot. ;-P)

> Your fix allowed this all to work with your server, so todays testing
> couldn't use your server, but since mirror.stinpriza.org is still
> showing the same issue (even if it's for different reasons), I could at
> least test against that. Performing similar tests with curl and wget
> fail unless I told them not to check the certificates.

Not really surprising, as the numeric address does not match the domain
name the certificate was issued for.

> So switching to using curl or wget to do those tests might not help.
> There is a lua-curl, though it's hard to tell which of several
> different things with that or similar name it actually is without
> digging deep.
>
> One thing I should do is to check what apt-transport-https actually
> does in this situation.

Good plan. Naively I would have thought it'd simply fail, as I never
expect a hostname mismatch in an HTTPS request to just work without
taking special care, like correctly setting up the SNI server_name
parameter for the TLS negotiation, however this is usually one - my
knowledge is quite limited in this area.

> I have various options to investigate. Today it got to 33 C, and
> tomorrow it'll hit 37 C, though it'll cool down to merely 30 C the next
> day. I have no air conditioning. I may not get much work done for a
> while.

It's a chilly 9°C here, now I'd like to trade places for a day. ;-D

--
Sapere aude!