Re: Cert auth issue where Server CN appears to match Hostname
From: Adam Retter via curl-users <curl-users_at_lists.haxx.se>
Date: Thu, 3 Oct 2024 22:03:55 +0200
Thanks so much Jeffrey, I was not aware that putting the hostname
in the CN was no longer the recommended approach. I updated the server
cert as you described, and now all is working - thanks again.
On Thu, 3 Oct 2024 at 20:55, Jeffrey Walton <noloader_at_gmail.com> wrote:
>
> On Thu, Oct 3, 2024 at 2:26 PM Adam Retter via curl-users
> <curl-users_at_lists.haxx.se> wrote:
> >
> > I have a Web Server that requires certificate authentication, and I am
> > trying to connect to it using curl (version 7.81.0-1ubuntu1.18) and a
> > client certificate.
> > Unfortunately I am getting the following error from curl:
> >
> > curl: (60) SSL: no alternative certificate subject name matches target
> > host name 'tekrar.lacuna.evolvedbinary.com'.
> >
> > The full curl command I am running is:
> >
> > curl -vv --cacert /etc/puppetlabs/puppetserver/ca/ca_crt.pem --cert
> > /etc/puppetlabs/puppet/ssl/certs/tekrar.lacuna.evolvedbinary.com.pem
> > --key /etc/puppetlabs/puppet/ssl/private_keys/tekrar.lacuna.evolvedbinary.com.pem
> > https://tekrar.lacuna.evolvedbinary.com:8081
> >
> > The full output from curl looks like:
> >
> > * Trying 172.30.1.254:8081...
> > * Connected to tekrar.lacuna.evolvedbinary.com (172.30.1.254) port 8081 (#0)
> > * ALPN, offering h2
> > * ALPN, offering http/1.1
> > * CAfile: /etc/puppetlabs/puppetserver/ca/ca_crt.pem
> > * CApath: /etc/ssl/certs
> > * TLSv1.0 (OUT), TLS header, Certificate Status (22):
> > * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> > * TLSv1.2 (IN), TLS header, Certificate Status (22):
> > * TLSv1.3 (IN), TLS handshake, Server hello (2):
> > * TLSv1.2 (IN), TLS header, Finished (20):
> > * TLSv1.2 (IN), TLS header, Supplemental data (23):
> > * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
> > * TLSv1.3 (IN), TLS handshake, Request CERT (13):
> > * TLSv1.3 (IN), TLS handshake, Certificate (11):
> > * TLSv1.3 (IN), TLS handshake, CERT verify (15):
> > * TLSv1.3 (IN), TLS handshake, Finished (20):
> > * TLSv1.2 (OUT), TLS header, Finished (20):
> > * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
> > * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> > * TLSv1.3 (OUT), TLS handshake, Certificate (11):
> > * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> > * TLSv1.3 (OUT), TLS handshake, CERT verify (15):
> > * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> > * TLSv1.3 (OUT), TLS handshake, Finished (20):
> > * SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
> > * ALPN, server did not agree to a protocol
> > * Server certificate:
> > * subject: C=GB; ST=Devon; L=Sampford Peverell; O=Evolved Binary;
> > OU=SysOps; CN=tekrar.lacuna.evolvedbinary.com;
> > emailAddress=sysops_at_evolvedbinary.com
> > * start date: Jan 24 16:54:18 2024 GMT
> > * expire date: Jan 23 16:54:18 2027 GMT
> > * subjectAltName does not match tekrar.lacuna.evolvedbinary.com
> > * SSL: no alternative certificate subject name matches target host
> > name 'tekrar.lacuna.evolvedbinary.com'
> > * Closing connection 0
> > * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> > * TLSv1.3 (OUT), TLS alert, close notify (256):
> > curl: (60) SSL: no alternative certificate subject name matches target
> > host name 'tekrar.lacuna.evolvedbinary.com'
> > More details here: https://curl.se/docs/sslcerts.html
> >
> > curl failed to verify the legitimacy of the server and therefore could not
> > establish a secure connection to it. To learn more about this situation and
> > how to fix it, please visit the web page mentioned above.
> >
> > As far as I can see hostname matches the CN in the server certificate.
> > So I am not sure why it is complaining about ALT names. Any ideas?
> >
> > I have access to the client, server, and cert files if you would like
> > me to check anything?
>
> Hostnames always go in the Subject Alt Name (SAN). The hostname in the
> CN must also be present in the SAN. The hostname has to be listed
> twice in this case. So get a new certificate issued for the host, and
> ensure tekrar.lacuna.evolvedbinary.com is present in the SAN.
>
> Public CAs used to issue a certificate with the domain name in the
> CN, and the hostnames in the SAN. Nowadays the CN is NOT RECOMMENDED.
> The rules for Public CAs can be found in the CA/Browser Forum
> Baseline Requirements (BR),
> <https://cabforum.org/working-groups/server/baseline-requirements/>.
> The section of interest is 7.1.4.3, Subscriber Certificate Common Name
> Attribute (p. 108).
>
> My rule of thumb is, all hostnames go in the SAN. CN is displayed to
> the user, so make it a friendly name, like "Evolved Binary Website" or
> similar. I do not follow the CA/B BR NOT RECOMMENDED -- I still issue
> with the CN on my networks.
>
> Jeff
--
Adam Retter
skype: adam.retter
tweet: adamretter
http://www.adamretter.org.uk

Received on 2024-10-03
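The rule Jeff describes, as an added example that is not curl's own code: a small Python model of the host-name check curl's OpenSSL backend performs, which is why a hostname that sits only in the CN fails once the certificate carries a SAN. It assumes the dict layout returned by `ssl.SSLSocket.getpeercert()`; the two sample certificates are constructed for illustration and their SAN contents are invented, not taken from the real server certificate in the thread.

```python
# Added example (not curl's code): a Python model of the host-name check
# curl's OpenSSL backend performs. Both sample certificates are constructed.
import ipaddress

HOST = "tekrar.lacuna.evolvedbinary.com"
# Constructed: hostname in the CN, but the SAN names something else.
CN_ONLY_CERT = {"subject": ((("commonName", HOST),),),
                "subjectAltName": (("DNS", "lacuna.evolvedbinary.com"),)}
# Constructed: reissued certificate with the hostname (and IP) in the SAN.
FIXED_CERT = {"subject": ((("commonName", "Evolved Binary Website"),),),
              "subjectAltName": (("DNS", HOST), ("IP Address", "172.30.1.254"))}


def _wildcard_match(pattern: str, host: str) -> bool:
    """One dNSName pattern vs host: '*' counts only as the whole leftmost
    label, matches exactly one label, and needs two further dots."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    if pattern.count(".") < 2:
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return (len(p_labels) == len(h_labels) and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:])


def verify_host(cert: dict, host: str) -> tuple:
    """Return (ok, reason). With any DNS/IP SAN entry present only the SAN
    is consulted and the CN is ignored; the CN is a fallback only when the
    certificate has no such SAN entry at all."""
    sans = cert.get("subjectAltName", ())
    dns = [v for k, v in sans if k == "DNS"]
    ips = [v for k, v in sans if k == "IP Address"]
    try:
        target_ip = ipaddress.ip_address(host)
    except ValueError:
        target_ip = None  # host is a DNS name, not an IP literal
    if dns or ips:
        if target_ip is not None:
            if any(ipaddress.ip_address(ip) == target_ip for ip in ips):
                return True, "subjectAltName iPAddress matched"
        elif any(_wildcard_match(d, host) for d in dns):
            return True, "subjectAltName dNSName matched"
        return False, ("no alternative certificate subject name matches "
                       f"target host name '{host}'")
    # No SAN at all: the last commonName in the subject is the one used.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if cns and target_ip is None and _wildcard_match(cns[-1], host):
        return True, "common name matched (no subjectAltName present)"
    return False, f"subject name does not match target host name '{host}'"
```

On a live connection the same function can be fed the dict returned by `ssl.SSLSocket.getpeercert()` after a verified handshake.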