
I have a certificate for *.mydomain, and I am trying to reach the host at https://my-host.mydomain.

Here's the verbose output (scrambled a bit).

```
curl https://my-host.mydomain --verbose
* Rebuilt URL to: https://my-host.mydomain/
*   Trying 10.0.128.43...
* Connected to my-host.mydomain (10.0.128.43) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*   subject: CN=*.mydomain,OU=MyDomain,O=MyCompany,ST=AZ,C=US
*   start date: Nov 09 01:39:29 2016 GMT
*   expire date: Nov 09 01:39:29 2017 GMT
*   common name: *.mydomain
*   issuer: CN=my.other.domain.com,OU=MyDomain,O=MyCompany,ST=AZ,C=US
* NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)
* Unable to communicate securely with peer: requested domain name does not match the server's certificate.
* Closing connection 0
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
```

I've seen several cases where people complain about *.bla not matching bla, but that is not my case.

I only have wild and nonsensical guesses:

  • can it have something to do with the issuer being in a completely separate domain?
  • maybe I am not allowed to issue level 2 wildcards? (e.g. *.a.b is ok, but *.b is not)

The certificate obtained the same way for *.other.domain.com works fine.
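The behaviour in the question can be reproduced without a server by reimplementing the hostname-matching rules a TLS client applies to a certificate name. The following is an added example, not code from the question and not NSS or curl code: it is a Python reimplementation of the RFC 6125 section 6.4.3 wildcard rules as NSS (the library curl is using here) enforces them, with one point stated as an assumption about NSS: the wildcard must be the whole leftmost label and must precede at least two further labels, so `*.mydomain` never covers `my-host.mydomain`, while `*.other.domain.com` covers `x.other.domain.com`. The host and pattern strings are the question's own placeholders; `wildcard_problem`, `hostname_matches` and `diagnose` are names chosen for this example.

```python
"""Certificate hostname matching in the style of RFC 6125 / NSS.

Added example; not code from the question or from curl/NSS.  It
reimplements the wildcard rules NSS applies (assumption: wildcard must
be the entire leftmost label, occur once, and precede at least two
labels) so the failure in the question can be reproduced offline.
"""
from typing import Optional


def wildcard_problem(pattern: str) -> Optional[str]:
    """Return why `pattern` is an unusable wildcard name, or None if it is fine."""
    labels = pattern.split(".")
    if labels[0] != "*":
        return "wildcard must be the entire leftmost label (no 'f*.example.com')"
    if pattern.count("*") != 1:
        return "only one wildcard is allowed"
    if any(not lbl for lbl in labels[1:]):
        return "empty label in pattern"
    if len(labels) < 3:
        # This is the case in the question: '*.mydomain' has only one label
        # after the wildcard, so the matcher rejects it outright.
        return "wildcard must precede at least two labels ('*.mydomain' is rejected)"
    return None


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if certificate name `pattern` covers `hostname` (case-insensitive)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname          # plain name: exact match only
    if wildcard_problem(pattern) is not None:
        return False                        # malformed wildcard never matches
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard stands for exactly one non-empty label, so label counts
    # must agree: '*.other.domain.com' covers neither 'a.b.other.domain.com'
    # nor 'other.domain.com'.
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def diagnose(pattern: str, hostname: str) -> str:
    """One-line verdict in the spirit of curl's SSL_ERROR_BAD_CERT_DOMAIN message."""
    if hostname_matches(pattern, hostname):
        return f"OK: '{pattern}' covers '{hostname}'"
    reason = wildcard_problem(pattern.lower()) if "*" in pattern else "name does not match"
    return f"BAD_CERT_DOMAIN: '{pattern}' does not cover '{hostname}' ({reason})"


if __name__ == "__main__":
    # Constructed cases built from the placeholder names used in the question.
    for pat, host in [
        ("*.mydomain", "my-host.mydomain"),             # the failing certificate
        ("*.other.domain.com", "x.other.domain.com"),   # the working certificate
        ("my-host.mydomain", "my-host.mydomain"),       # a single-name certificate
        ("*.other.domain.com", "a.b.other.domain.com"), # wildcard spans one label only
    ]:
        print(diagnose(pat, host))
```

Running the block prints a `BAD_CERT_DOMAIN` verdict for the `*.mydomain` case and `OK` for the `*.other.domain.com` case, which is the same split the question reports. The same rule is why a single-label wildcard is also not something a public CA will issue; a certificate naming `my-host.mydomain` explicitly, or a wildcard at least one label deeper, avoids the rejection.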

  • I've just tried to issue the certificate to my-host.domain rather than to *.domain, and it works. Still need to solve the original problem though. – LOST Nov 09 '16 at 19:57
  • Please post the exact URL you are using to connect to the server, and post the output of `openssl s_client -connect : -tls1 -servername | openssl x509 -text -noout`. Do so by adding it to your question by clicking *Edit*, and don't post it as a comment. You can find the *Edit* link in the bottom left hand corner of the question. Otherwise, we can't reproduce it and there's not enough information to help troubleshoot it. – jww Nov 09 '16 at 22:16
  • I'm not sure what to make of this: `my-host.mydomain`. Are you trying to say it's fake information? If so, then use `example.com`. IANA reserves the domain for the purpose. This looks broke... how is an end-entity server issuing certificates? `issuer: CN=my.other.domain.com, OU=MyDomain, O=MyCompany, ST=AZ, C=US` – jww Nov 09 '16 at 22:17
  • I think you may need this before you go any further down a rabbit hole: [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639) – jww Nov 09 '16 at 22:21
