Freeman Zhang

Reputation: 175

SSL: unable to obtain common name from peer certificate

Sorry, my mistake; there are two things that must be highlighted:

The CA cert's Common Name must not be the same as the server/client side cert's
The server/client side cert's common name must be the same

I'm trying to use a self-signed certificate for an HTTPS client-side certificate, but there's a problem: "SSL: unable to obtain common name from peer certificate"

As you can see, the server-side cert contains a Common Name, so why does this problem occur?

Here's curl output:

* About to connect() to 127.0.0.1 port 443 (#0)

Here's
#openssl x509 -in server.crt -text -noout

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 15298562268347408844 (0xd44f6953eb0aa1cc)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=Beijing, L=Beijing, O=OKK, OU=Test, CN=MyComp
        Validity :

Upvotes: 4

Views: 18579

Answers (4)

Hardik Ojha

Reputation: 121

I think this is answered well by Mark. To add on: for local testing purposes with a self-signed certificate, you should use the hostname you'll be querying from as your "Common Name".

I wrote an example on how to set up and query an outsourced HTTPS server: https://github.com/kidrahahjo/whoami-example

I hope this helps

Upvotes: 0

Ravindra HV

Reputation: 2608

The subject details from the server cert from the peer are:

subject: C=CN; ST=Beijing; L=Beijing; O=XiaoMi

The issuer subject details are:

C=CN, ST=Beijing, L=Beijing, O=OKK, OU=Test, CN=MyComp Validity

Clearly the two are different (in case there was supposed to be any link attempted), since that is what I understood from the question.

In any case, as seen in the curl error, the common-name attribute is missing. This could likely be because the certificate that was presented never contained it.

Suggest you try opening the certificate from a browser and verify.

Upvotes: 2

Mark

Reputation: 1174

Without knowing the data used to generate the CSR, it looks like the last component of your DN does not contain a CN attribute with the target host name. Typically SSL library clients will only check the first component for the CN attribute equal to the target host name. I would reverse the DN order and add a CN attribute with the host name.

If you provide more details on how you generated the CSR I would be happy to help you figure out how to fix it.

Upvotes: 6
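
The check described in the answers above, as an added example that is not part of the original posts or the linked repository: it generates one self-signed certificate without a CN or subjectAltName (the shape of the subject shown in the thread) and one that names the address the client connects to, then inspects both with OpenSSL. The file names, the O=Example subject and the requirement for OpenSSL 1.1.1 or newer are assumptions.

```shell
# Added example. Subject fields, file names and the 127.0.0.1 target are
# constructed placeholders; assumes OpenSSL 1.1.1 or newer (for -addext).

# make_cert OUT_PREFIX SUBJECT [SAN]
# Writes OUT_PREFIX.key and OUT_PREFIX.crt (self-signed, valid for 1 day).
make_cert() {
    if [ -n "$3" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
            -subj "$2" -addext "subjectAltName=$3" \
            -keyout "$1.key" -out "$1.crt" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
            -subj "$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
    fi
}

# has_cn CERT: succeeds if the subject carries a commonName attribute.
has_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        grep -q 'commonName'
}

# matches_ip CERT IP: succeeds if the certificate is valid for that IP
# address (OpenSSL checks iPAddress subjectAltName entries here).
matches_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match'
}

# report CERT IP: one-line summary to compare against a client-side failure.
report() {
    cn=no; ip=no
    has_cn "$1" && cn=yes
    matches_ip "$1" "$2" && ip=yes
    echo "commonName=$cn ip_match=$ip"
}

tmp=$(mktemp -d)
# Same shape as the peer subject shown in the thread: no CN, no SAN.
make_cert "$tmp/nocn" "/C=CN/ST=Beijing/L=Beijing/O=Example"
# CN and SAN both name the address the client connects to.
make_cert "$tmp/good" "/C=CN/ST=Beijing/L=Beijing/O=Example/CN=127.0.0.1" \
    "IP:127.0.0.1"
report "$tmp/nocn.crt" 127.0.0.1   # commonName=no ip_match=no
report "$tmp/good.crt" 127.0.0.1   # commonName=yes ip_match=yes
# Client side: trust the certificate explicitly so verification stays on:
#   curl --cacert "$tmp/good.crt" https://127.0.0.1/
```

Current TLS clients check subjectAltName entries before falling back to the CN, which is why the second certificate carries both.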

Little Code

Reputation: 1545

Try CURLOPT_SSL_VERIFYHOST=0 or curl -k

Upvotes: 5
