Cert auth issue where Server CN appears to match Hostname
From: Adam Retter via curl-users <curl-users_at_lists.haxx.se>
Date: Thu, 3 Oct 2024 20:24:35 +0200
I have a Web Server that requires certificate authentication, and I am
trying to connect to it using curl (version 7.81.0-1ubuntu1.18) and a
client certificate.
Unfortunately I am getting the following error from curl:
curl: (60) SSL: no alternative certificate subject name matches target
host name 'tekrar.lacuna.evolvedbinary.com'.
The full curl command I am running is:
curl -vv --cacert /etc/puppetlabs/puppetserver/ca/ca_crt.pem \
  --cert /etc/puppetlabs/puppet/ssl/certs/tekrar.lacuna.evolvedbinary.com.pem \
  --key /etc/puppetlabs/puppet/ssl/private_keys/tekrar.lacuna.evolvedbinary.com.pem \
  https://tekrar.lacuna.evolvedbinary.com:8081
The full output from curl looks like:
* Trying 172.30.1.254:8081...
* Connected to tekrar.lacuna.evolvedbinary.com (172.30.1.254) port 8081 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/puppetlabs/puppetserver/ca/ca_crt.pem
* CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=GB; ST=Devon; L=Sampford Peverell; O=Evolved Binary;
OU=SysOps; CN=tekrar.lacuna.evolvedbinary.com;
emailAddress=sysops_at_evolvedbinary.com
* start date: Jan 24 16:54:18 2024 GMT
* expire date: Jan 23 16:54:18 2027 GMT
* subjectAltName does not match tekrar.lacuna.evolvedbinary.com
* SSL: no alternative certificate subject name matches target host
name 'tekrar.lacuna.evolvedbinary.com'
* Closing connection 0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target
host name 'tekrar.lacuna.evolvedbinary.com'
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
As far as I can see hostname matches the CN in the server certificate.
So I am not sure why it is complaining about ALT names. Any ideas?
I have access to the client, server, and cert files if you would like
me to check anything?
Thanks, Adam.
--
Adam Retter
skype: adam.retter
tweet: adamretter
http://www.adamretter.org.uk

Received on 2024-10-03
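Added example, not part of the original message and not curl project code: curl's OpenSSL backend prints "no alternative certificate subject name matches" when the certificate carries subjectAltName entries and none of them equals the host, and in that case the subject CN is not consulted. The script reproduces that rule offline with OpenSSL's own hostname check; the example.test names, file names and helper functions are constructed for illustration, and nothing here is taken from the poster's certificate.

```shell
#!/bin/sh
# Constructed test certificates only; requires the openssl CLI.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=host.example.test          # constructed host name

# make_cert FILE CN [SAN]: self-signed cert with subject CN and, if given,
# a subjectAltName extension such as "DNS:puppet.example.test".
make_cert() {
    out=$1; cn=$2; san=${3:-}
    printf '[req]\ndistinguished_name = dn\nprompt = no\n' > "$WORK/req.cnf"
    if [ -n "$san" ]; then
        printf 'x509_extensions = ext\n[ext]\nsubjectAltName = %s\n' "$san" >> "$WORK/req.cnf"
    fi
    printf '[dn]\nCN = %s\n' "$cn" >> "$WORK/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/req.cnf" -keyout "$WORK/key.pem" -out "$out" 2>/dev/null
}

# check_host FILE HOST: "match" or "no-match" according to OpenSSL's host check.
check_host() {
    if openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; then
        echo match
    else
        echo no-match
    fi
}

# show_san FILE: print the subjectAltName extension, the list a client compares against.
show_san() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'
}

# Three cases: CN only, CN plus an unrelated SAN, CN plus a SAN that lists the host.
make_cert "$WORK/cn_only.pem"   "$HOST"
make_cert "$WORK/san_other.pem" "$HOST" "DNS:puppet.example.test"
make_cert "$WORK/san_ok.pem"    "$HOST" "DNS:puppet.example.test,DNS:$HOST"

for c in cn_only san_other san_ok; do
    printf '%-10s %s\n' "$c" "$(check_host "$WORK/$c.pem" "$HOST")"
done
# The middle case has CN equal to the host yet fails, because a DNS SAN is present.
show_san "$WORK/san_other.pem"
```

Running the same `openssl x509 -noout -text` inspection against a server's certificate file lists the names the client compared the host name against.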