0

When I do `curl https://10.184.96.62:3000/status`, the server sends back JSON data. All good.

Using the Go code below, the application prints:

2019/05/21 18:29:15 Get https://10.184.96.62:3000/status: x509: cannot validate certificate for 10.184.96.62 because it doesn't contain any IP SANs

package main

import (
        "log"
        "net/http"
)

func main() {
        _, err := http.Get("https://10.184.96.62:3000/status")
        if err != nil {
                log.Fatal(err)
        }
}

What am I missing?

Matteo
iam thadiyan
  • Have you already seen this: https://stackoverflow.com/a/12122718/2270041 ? – Matteo May 21 '19 at 13:12
  • 1
    How is curl validating the cert? – JimB May 21 '19 at 13:17
  • @Matteo yes, I have. But that disables the certificate check. I want it to work with the certificate. – iam thadiyan May 21 '19 at 13:25
  • @JimB I don't know that. I installed the certificate in `/usr/local/share/ca-certificates/`. I am sorry if I missed something obvious. – iam thadiyan May 21 '19 at 13:26
  • You could try [Step 3 - Supply the Certificates to the Client](https://venilnoronha.io/a-step-by-step-guide-to-mtls-in-go) as described in the article – Matteo May 21 '19 at 13:32
  • @iamthadiyan: have you run `update-ca-certificates`? If it's already included in the root certs then the cert isn't correct. Are you certain you created it with IP SANs? – JimB May 21 '19 at 13:39
  • @JimB Yes, I have done that. That is the reason why `curl` is succeeding. – iam thadiyan May 21 '19 at 14:33
  • @iamthadiyan, Does `curl -v` give any information on how the cert is accepted? I was thinking it might be accepting an IP in the CN rather than the SAN. – JimB May 21 '19 at 14:40
  • @JimB Here is the verbose from curl. `$ curl -vvvv https://10.184.96.62:3000/status * Trying 10.184.96.62... * Connected to 10.184.96.62 (10.184.96.62) port 3000 (#0) * found 150 certificates in /etc/ssl/certs/ca-certificates.crt * found 605 certificates in /etc/ssl/certs * ALPN, offering http/1.1 * SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256 ` – iam thadiyan May 22 '19 at 01:52
  • `* server certificate verification OK * server certificate status verification SKIPPED * common name: 10.184.96.62 (matched) * server certificate expiration date OK * server certificate activation date OK * certificate public key: RSA * certificate version: #3 * subject: C=AU,ST=State,L=Locaton,O=Org,OU=Unit,CN=10.184.96.62 * start date: Tue, 21 May 2019 11:13:49 GMT ` – iam thadiyan May 22 '19 at 01:53
  • `* expire date: Thu, 27 Apr 2119 11:13:49 GMT * issuer: C=AU,ST=State,L=Locaton,O=Org,OU=Unit,CN=10.184.96.62 * compression: NULL * ALPN, server accepted to use http/1.1 > GET /status HTTP/1.1 > Host: 10.184.96.62:3000 > User-Agent: curl/7.47.0 > Accept: */* > ` – iam thadiyan May 22 '19 at 01:53
  • So it looks like you have the IP in the CN, which isn’t technically valid but curl seems to allow it. Use a SAN as previously mentioned – JimB May 22 '19 at 02:03

2 Answers

3

The problem the error message indicates is specific to the combination of HTTPS with IP addresses: usually an SSL certificate uses the hostname to check the authenticity of the server. In your case there is no hostname, but an IP address instead. There are two possible solutions to your problem:

  1. Use a hostname instead of the IP address and put that hostname into your certificate.
  2. Put the IP address you want to use into the subjectAltName ("Subject Alternative Name", SAN) field of your certificate (see RFC 5280).
ftl
  • I created a self-signed certificate using openssl. Since curl is able to use the certificate, I am guessing I did that correctly. – iam thadiyan May 22 '19 at 01:27
0

The problem was with the certificate I generated. I used openssl to create a self-signed certificate. As I shared, curl was able to use it to establish a connection with the server, but the Go application was not.

In some forum I saw a comment saying that getting openssl to work in this scenario is tricky. So I used this Go code to generate the certificate. Using this certificate, the Go app was also able to make the request without any change to the source code I shared in my question.

Hope this helps someone in need.

iam thadiyan