Adam

Reputation: 1817

curl --cacert error "curl: (60) SSL: no alternative certificate subject name matches target host name"

curl: (60) SSL: no alternative certificate subject name matches target host name

I don't understand this error. If I supply a CA certificate (with --cacert option), it doesn't even have a subject alternative name. And if it had one, it wouldn't match the target host name (my server) for sure.

If I, on the other hand, supply my server certificate, signed with the CA, it says: SSL certificate problem: unable to get local issuer certificate. (That I would expect, because my computer does not trust the CA by default and that's correct.)

When combining the PEM certificates in one file, I get the same errors.

Using option --capath set to the directory with both server and CA certificates it says: curl: (60) SSL certificate problem: unable to get local issuer certificate again.

How do I make the trust check work?

(It worked when using a single self-signed server certificate.)

Upvotes: 4

Views: 27833

Answers (2)

dave_thompson_085

Reputation: 38821

There are two different and nearly unrelated things here.

For curl using OpenSSL, as yours is, the root cert (normally a CA) must be in the file specified by --cacert, OR alternatively in the --capath directory using special filenames that consist of an 8-hexit truncated hash of the canonicalized subject name plus dot and zero (or a small number if collision), OR in the defaults for either if not specified; unless (at least) one of these is present you get the 'unable to get local issuer' error;

AND, the server certificate sent by the server (which normally is NOT the CA cert) must contain, in SubjectAltName (SAN) extension if present and otherwise in Subject.CommonName (CN), a hostname that matches the hostname in the URL you try to access. If the server cert contains SAN extension but no entry in that extension matches the URL, you get the error in your title; see e.g. Curl: Fix CURL (51) SSL error: no alternative certificate subject name matches

A self-signed server cert varies from the usual case because it acts as both the root cert and the server cert, so it must BOTH be in --cacert or --capath or their defaults (even though properly speaking it isn't a CA) AND contain SAN (or in its absence CN) that matches the URL.

PS: if you can't determine for certain what cert the server is sending (perhaps because the config is complicated, or not certain if it has been restarted or refreshed), use

openssl s_client -connect $host:$port -servername $host 2>&1 | openssl x509 -noout -text 
# if OpenSSL version 1.1.1 you can omit -servername $host

Upvotes: 3
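As an added example (not code from the answer above or from curl itself), here is the hostname rule the answer describes, SAN consulted first and Subject CN only when no SAN is present, implemented over the dict layout that Python's ssl.SSLSocket.getpeercert() returns; the certificate dicts at the bottom are constructed samples, not real certificates.

```python
"""Hostname check in the SAN-first, CN-fallback order curl/OpenSSL apply."""
import ipaddress


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName/CN value; a '*' is allowed only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject partial wildcards ('f*o.example'), too-short patterns ('*.com') and
    # wildcards spanning more than one label ('*.example.test' vs 'a.b.example.test').
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, hostname: str) -> tuple[bool, str]:
    """Return (matched, reason) for a cert in getpeercert() dict form."""
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    if dns_names or ip_names:
        # SAN extension present: CN is ignored entirely, exactly the case behind
        # "no alternative certificate subject name matches target host name".
        try:
            target_ip = ipaddress.ip_address(hostname)
        except ValueError:
            target_ip = None
        if target_ip is not None:
            if any(ipaddress.ip_address(i) == target_ip for i in ip_names):
                return True, "matched SAN iPAddress"
        elif any(_dns_name_match(n, hostname) for n in dns_names):
            return True, "matched SAN dNSName"
        return False, "no alternative certificate subject name matches target host name"
    # No SAN at all: legacy fallback to Subject commonName.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(_dns_name_match(cn, hostname) for cn in cns):
        return True, "matched subject CN (no SAN present)"
    return False, "subject CN does not match target host name"


# Constructed sample certificates (hypothetical names, not real certs):
CERT_WITH_SAN = {"subject": ((("commonName", "myserver.local"),),),
                 "subjectAltName": (("DNS", "other.local"), ("DNS", "*.example.test"))}
CERT_CN_ONLY = {"subject": ((("commonName", "myserver.local"),),)}
```

Note that CERT_WITH_SAN carries a matching CN yet still fails for myserver.local, which is why a SAN-less-but-CN-correct cert can work while a re-issued cert with a SAN extension suddenly does not.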

Adam

Reputation: 1817

Use wget: --ca-certificate=path/to/PEM/ca/cert

Upvotes: 0
