0

I am developing a web server for a local device. The device will be accessed locally, using the local IP address, and not from outside. I generated a certificate using openssl with CN=* in order to avoid the hostname check.

But this returns another error:

requests.exceptions.SSLError: HTTPSConnectionPool(host='192.168.17.31', port=443): Max retries exceeded with url: /lua/device (Caused by SSLError(SSLCertVerificationError("sole wildcard without additional labels are not support: '*'.")))

My computer does not know the hostname of the device, but it knows the IP address. I want the certificate validation to be made automatically, not manually using a public key from my computer.

How do I make a certificate that does not generate an error in the hostname check?

MOHAMED
  • 151
  • 7
  • Generating a certificate is most likely fine, you probably already did. The question is if it is valid and if you can use it. Even matching on IP can be hard (not allowed in SNI). – NiKiZe Dec 24 '21 at 13:14
  • Note there are two parts to cert validation: (1) is it signed by a trusted CA (and not modified), and not out-of-validity or revoked? (2) does the host's certified identity (in SAN if present else CN) match the name in the requested URL? Only (1) uses root-CA public keys stored on your machine; (2) uses the name in the URL. – dave_thompson_085 Dec 25 '21 at 00:25

1 Answer

1

You can issue a certificate for the known IP using Subject Alternative Name (SAN).

AlexD
  • 8,747
  • 2
  • 29
  • 38
  • However, remember that SNI does not allow match on IP. So might cause issues. – NiKiZe Dec 24 '21 at 13:05
  • 1
    @NiKiZe when a site is accessed with an IP like `https://1.1.1.1/` then SNI isn't initiated at all. – AlexD Dec 24 '21 at 14:04
  • Using SAN is better practice, but most clients other than Chrome(ium?) -- including python requests -- accept the 'traditional' IPaddr-in-CN also. – dave_thompson_085 Dec 25 '21 at 00:21
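The following shell script is an added example, not code from the answer or from any commenter. It shows the approach the answer describes: a self-signed certificate whose Subject Alternative Name carries the device IP (the `192.168.17.31` from the question is used as a constructed default), followed by two checks a practitioner would want before pointing a client at it: that the SAN extension really contains an `IP Address` entry, and that OpenSSL's own `-checkip` matching accepts the address. It assumes the `openssl` command-line tool is installed and that the output file names and the `san.cnf` config file are arbitrary choices of this example.

```shell
#!/bin/sh
# Added example: issue a self-signed server certificate with an IP-address SAN
# and confirm that an IP hostname check against it succeeds.
set -e

# Constructed default taken from the question; override with DEVICE_IP=...
DEVICE_IP="${DEVICE_IP:-192.168.17.31}"

# make_ip_cert IP OUTDIR
# Writes OUTDIR/device.key and OUTDIR/device.crt. The CN is set to the IP as well,
# but it is the subjectAltName IP entry that standards-following clients check.
make_ip_cert() {
  ip="$1"
  out="$2"
  cat > "$out/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ext
prompt = no

[dn]
CN = $ip

[v3_ext]
subjectAltName = IP:$ip
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$out/device.key" -out "$out/device.crt" \
    -config "$out/san.cnf" >/dev/null 2>&1
}

# cert_san CERT
# Prints the Subject Alternative Name lines of the certificate (via -text, which
# works on older OpenSSL releases that lack the -ext option).
cert_san() {
  openssl x509 -in "$1" -noout -text | grep -A1 "Subject Alternative Name"
}

# cert_matches_ip CERT IP
# Succeeds only if OpenSSL's identity check accepts IP for this certificate,
# i.e. the same kind of check a TLS client performs after chain validation.
cert_matches_ip() {
  openssl x509 -in "$1" -noout -checkip "$2" 2>/dev/null \
    | grep -q " does match certificate"
}

# Stand-alone demo: generate the cert into a temp directory and show the SAN.
DEMO_DIR="$(mktemp -d)"
make_ip_cert "$DEVICE_IP" "$DEMO_DIR"
cert_san "$DEMO_DIR/device.crt"
if cert_matches_ip "$DEMO_DIR/device.crt" "$DEVICE_IP"; then
  echo "hostname check for $DEVICE_IP: OK ($DEMO_DIR/device.crt)"
else
  echo "hostname check for $DEVICE_IP: FAILED" >&2
  exit 1
fi
```

This only settles the identity half of validation (part (2) in dave_thompson_085's comment). The client must still trust the certificate: either install `device.crt` in the machine's trust store, or pass it explicitly, e.g. `requests.get("https://192.168.17.31/lua/device", verify="/path/to/device.crt")`. A wildcard CN such as `*` does not help with either half, which is why `requests` rejected it.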