
On my RedHat 8 system, wget fails with the error below:

```
wget -v https://10.81.72.97/repo/packages/installer-5.1-1.x86_64.rpm
--2022-12-05 19:40:00--  https://10.81.72.97/repo/packages/installer-5.1-1.x86_64.rpm
Connecting to 10.81.72.97:443... connected.
The certificate's owner does not match hostname ‘10.81.72.97’
```

However, I can see that this certificate exists in the ca-bundle. It is a self-signed cert.

```
# openssl crl2pkcs7 -nocrl -certfile /etc/pki/tls/certs/ca-bundle.crt | openssl pkcs7 -print_certs
subject=C = US, ST = California, L = Mountain View, O = ABC LLC, OU = ABC Solutions, CN = 10.81.72.97

issuer=C = US, ST = California, L = Mountain View, O = ABC LLC, OU = ABC Solutions, CN = 10.81.72.97
```

Where is wget looking for the cert? And why does it think "The certificate's owner does not match hostname"?

Amol

1 Answer


The problem is not a missing CA; the problem is that the hostname does not match. Check the Subject Alternative Name fields of the certificate; these are the names the certificate is valid for. Use one of the SAN names instead of the IP address and it will be valid.

Gerald Schneider
  • Thanks @Gerald Schneider: how can I look at the Alternative Names field for this certificate? Also, in my question the certificate CN is matching with the IP address in the request, is it not sufficient for CN to match? – Amol Dec 06 '22 at 19:00
  • No, for a couple of years now it is required that the CN also exists as a SAN. How to check the SANs has been [answered elsewhere](https://stackoverflow.com/questions/13127352/how-to-check-subject-alternative-names-for-a-ssl-tls-certificate). – Gerald Schneider Dec 07 '22 at 06:07
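
The check discussed in the answer and comments above, as an added example that is not part of the original posts: it builds three throwaway self-signed certificates with the question's IP in the CN (no SAN, an `IP:` SAN, and the IP placed in a `DNS:` SAN, a case beyond what the thread covers), prints each certificate's SAN entries, and asks `openssl x509 -checkip` whether the certificate is valid for that IP. Assumptions: OpenSSL 1.1.1 or later (for `-addext`), a constructed subject, and the verdict is OpenSSL's, which may not be the TLS library your wget build uses.

```shell
#!/bin/sh
# Added example: builds throwaway self-signed certificates locally and checks them.
IP=10.81.72.97                      # address from the question
SUBJ="/O=Example/CN=$IP"            # constructed subject; CN is the bare IP

# make_cert <out.pem> [san]: self-signed cert, optionally with a subjectAltName.
make_cert() {
    if [ -n "${2:-}" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$SUBJ" \
            -keyout "$1.key" -out "$1" -addext "subjectAltName=$2" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$SUBJ" \
            -keyout "$1.key" -out "$1" 2>/dev/null
    fi
}

# show_san <cert.pem>: print the SAN entries, or a marker if the extension is absent.
show_san() {
    san=$(openssl x509 -in "$1" -noout -text |
          sed -n '/Subject Alternative Name/{n;s/^ *//;p;}')
    echo "${san:-<no SAN>}"
}

# ip_matches <cert.pem> <ip>: true only if openssl accepts the cert for that IP.
ip_matches() {
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match'
}

dir=$(mktemp -d)
make_cert "$dir/cn-only.pem"                # IP only in the CN
make_cert "$dir/ip-san.pem"  "IP:$IP"       # IP as an iPAddress SAN
make_cert "$dir/dns-san.pem" "DNS:$IP"      # IP mistakenly put in a dNSName SAN
for c in cn-only ip-san dns-san; do
    if ip_matches "$dir/$c.pem" "$IP"; then r="matches"; else r="does NOT match"; fi
    printf '%-8s SAN=[%s] -> %s %s\n' "$c" "$(show_san "$dir/$c.pem")" "$r" "$IP"
done
rm -rf "$dir"
```

To inspect a real server certificate the same way, save it as a PEM file and pass it to `show_san` and `ip_matches`.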