
Re: Cert auth issue where Server CN appears to match Hostname

From: Jeffrey Walton via curl-users <curl-users_at_lists.haxx.se>
Date: Thu, 3 Oct 2024 14:54:51 -0400

On Thu, Oct 3, 2024 at 2:26 PM Adam Retter via curl-users
<curl-users_at_lists.haxx.se> wrote:
>
> I have a Web Server that requires certificate authentication, and I am
> trying to connect to it using curl (version 7.81.0-1ubuntu1.18) and a
> client certificate.
> Unfortunately I am getting the following error from curl:
>
> curl: (60) SSL: no alternative certificate subject name matches target
> host name 'tekrar.lacuna.evolvedbinary.com'.
>
> The full curl command I am running is:
>
> curl -vv --cacert /etc/puppetlabs/puppetserver/ca/ca_crt.pem --cert
> /etc/puppetlabs/puppet/ssl/certs/tekrar.lacuna.evolvedbinary.com.pem
> --key /etc/puppetlabs/puppet/ssl/private_keys/tekrar.lacuna.evolvedbinary.com.pem
> https://tekrar.lacuna.evolvedbinary.com:8081
>
> The full output from curl looks like:
>
> * Trying 172.30.1.254:8081...
> * Connected to tekrar.lacuna.evolvedbinary.com (172.30.1.254) port 8081 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * CAfile: /etc/puppetlabs/puppetserver/ca/ca_crt.pem
> * CApath: /etc/ssl/certs
> * TLSv1.0 (OUT), TLS header, Certificate Status (22):
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> * TLSv1.2 (IN), TLS header, Certificate Status (22):
> * TLSv1.3 (IN), TLS handshake, Server hello (2):
> * TLSv1.2 (IN), TLS header, Finished (20):
> * TLSv1.2 (IN), TLS header, Supplemental data (23):
> * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
> * TLSv1.3 (IN), TLS handshake, Request CERT (13):
> * TLSv1.3 (IN), TLS handshake, Certificate (11):
> * TLSv1.3 (IN), TLS handshake, CERT verify (15):
> * TLSv1.3 (IN), TLS handshake, Finished (20):
> * TLSv1.2 (OUT), TLS header, Finished (20):
> * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
> * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> * TLSv1.3 (OUT), TLS handshake, Certificate (11):
> * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> * TLSv1.3 (OUT), TLS handshake, CERT verify (15):
> * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> * TLSv1.3 (OUT), TLS handshake, Finished (20):
> * SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
> * ALPN, server did not agree to a protocol
> * Server certificate:
> * subject: C=GB; ST=Devon; L=Sampford Peverell; O=Evolved Binary;
> OU=SysOps; CN=tekrar.lacuna.evolvedbinary.com;
> emailAddress=sysops_at_evolvedbinary.com
> * start date: Jan 24 16:54:18 2024 GMT
> * expire date: Jan 23 16:54:18 2027 GMT
> * subjectAltName does not match tekrar.lacuna.evolvedbinary.com
> * SSL: no alternative certificate subject name matches target host
> name 'tekrar.lacuna.evolvedbinary.com'
> * Closing connection 0
> * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> * TLSv1.3 (OUT), TLS alert, close notify (256):
> curl: (60) SSL: no alternative certificate subject name matches target
> host name 'tekrar.lacuna.evolvedbinary.com'
> More details here: https://curl.se/docs/sslcerts.html
>
> curl failed to verify the legitimacy of the server and therefore could not
> establish a secure connection to it. To learn more about this situation and
> how to fix it, please visit the web page mentioned above.
>
> As far as I can see the hostname matches the CN in the server certificate.
> So I am not sure why it is complaining about ALT names. Any ideas?
>
> I have access to the client, server, and cert files if you would like
> me to check anything?

Hostnames always go in the Subject Alt Name (SAN). The hostname in the
CN must also be present in the SAN. The hostname has to be listed
twice in this case. So get a new certificate issued for the host, and
ensure tekrar.lacuna.evolvedbinary.com is present in the SAN.

Public CAs used to issue a certificate with the domain name in the
CN, and the hostnames in the SAN. Nowadays the CN is NOT RECOMMENDED.
The rules for Public CAs can be found in the CA/Browser Forum
Baseline Requirements (BR),
<https://cabforum.org/working-groups/server/baseline-requirements/>.
The section of interest is 7.1.4.3, Subscriber Certificate Common Name
Attribute (p. 108).

My rule of thumb is, all hostnames go in the SAN. CN is displayed to
the user, so make it a friendly name, like "Evolved Binary Website" or
similar. I do not follow the CA/B BR NOT RECOMMENDED -- I still issue
with the CN on my networks.

Jeff
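Added example, not from the thread and not curl's source: a small Python model of the host-name rule that produces the error (60) quoted above. The certificates are constructed dicts; the real SAN contents of the server certificate were never posted, so the entries used for the "thread's cert" case are made up. The whole-label wildcard rule is the RFC 6125 recommendation and is stricter than what some curl versions accept. The point shown is that once a certificate carries any dNSName or iPAddress SAN entries, the CN is not consulted at all, which is why a CN that "matches" does not help; the CN is only a legacy fallback for certificates with no such SAN entries.

```python
"""Model of the hostname check behind curl's error (60) in the thread above.

Added example, not curl's source. Rule modelled: when the server certificate
carries any subjectAltName dNSName or iPAddress entries, the target host is
matched ONLY against those entries and the subject CN is ignored; the CN is
consulted only as a legacy fallback for certificates with no such SAN entries.
Certificates below are constructed dicts, not parsed from real PEM files.
"""
import ipaddress


def dns_match(pattern, host):
    """Case-insensitive dNSName match.

    Wildcard rule (RFC 6125 style, an assumption here; some curl versions are
    looser): '*' may only be the whole left-most label, it covers exactly one
    label, and the pattern needs at least two further labels (so '*.com' never
    matches anything).
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def verify_host(cert, host):
    """Return (ok, reason) for a certificate described as
    {"cn": str, "san": [("DNS", name) | ("IP", addr), ...]}."""
    dns_names = [v for t, v in cert.get("san", []) if t == "DNS"]
    ip_addrs = [v for t, v in cert.get("san", []) if t == "IP"]
    try:
        target_ip = ipaddress.ip_address(host)
    except ValueError:
        target_ip = None

    if dns_names or ip_addrs:
        # SAN present: the CN plays no part, whatever it says.
        if target_ip is not None:
            for addr in ip_addrs:
                if ipaddress.ip_address(addr) == target_ip:
                    return True, f"matched SAN iPAddress {addr}"
        else:
            for name in dns_names:
                if dns_match(name, host):
                    return True, f"matched SAN dNSName {name}"
        return False, (f"no alternative certificate subject name matches "
                       f"target host name '{host}'")

    # No dNSName/iPAddress SAN entries at all: legacy CN fallback.
    cn = cert.get("cn", "")
    if cn and dns_match(cn, host):
        return True, f"matched CN {cn} (legacy fallback, no SAN present)"
    return False, (f"certificate subject name '{cn}' does not match "
                   f"target host name '{host}'")


HOST = "tekrar.lacuna.evolvedbinary.com"

# Constructed to mirror the thread: CN equals the hostname, but the SAN
# (whose real contents were not posted) lists other names -> curl's error.
CERT_CN_RIGHT_SAN_WRONG = {
    "cn": HOST,
    "san": [("DNS", "tekrar"), ("DNS", "tekrar.local")],
}
# The fix Jeff describes: hostname in the SAN, CN free to be a friendly name.
CERT_FIXED = {
    "cn": "Evolved Binary Website",
    "san": [("DNS", HOST), ("DNS", "tekrar")],
}
# Legacy certificate with no SAN: only here does the CN decide.
CERT_CN_ONLY = {"cn": HOST, "san": []}
# Wildcard and IP-literal cases (constructed).
CERT_WILDCARD = {"cn": "ignored", "san": [("DNS", "*.lacuna.evolvedbinary.com")]}
CERT_IP = {"cn": "ignored", "san": [("IP", "172.30.1.254")]}

if __name__ == "__main__":
    for label, cert, host in [
        ("thread's cert", CERT_CN_RIGHT_SAN_WRONG, HOST),
        ("fixed cert", CERT_FIXED, HOST),
        ("CN-only cert", CERT_CN_ONLY, HOST),
        ("wildcard cert", CERT_WILDCARD, HOST),
        ("wildcard vs deeper name", CERT_WILDCARD, "a.b.lacuna.evolvedbinary.com"),
        ("IP SAN", CERT_IP, "172.30.1.254"),
    ]:
        ok, reason = verify_host(cert, host)
        print(f"{label:24} {'OK  ' if ok else 'FAIL'} {reason}")
```

To see what the real server certificate carries, run openssl x509 -in server.pem -noout -subject -ext subjectAltName on the server's certificate file: the hostname has to appear in the subjectAltName output, and whatever the subject line says is irrelevant once that extension lists any DNS or IP entries.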
Received on 2024-10-03