
curl: (60) SSL: no alternative certificate subject name matches target host name

I don't understand this error. If I supply a CA certificate (with --cacert option), it doesn't even have a subject alternative name. And if it had one, it wouldn't match the target host name (my server) for sure.

If I, on the other hand, supply my server certificate, signed with the CA, it says: SSL certificate problem: unable to get local issuer certificate. (That I would expect, because my computer does not trust the CA by default and that's correct.)

When combining the PEM certificates in one file, I get the same errors.

Using the --capath option set to the directory with both the server and CA certificates, it says: curl: (60) SSL certificate problem: unable to get local issuer certificate again.

How do I make the trust check work?

(It worked when using a single self-signed server certificate.)

mernst
Adam
  • There's one edge case where the error message does make sense: when using a self-signed certificate. That works (that was my previous setup) and I didn't see any errors that time – Adam Jul 26 '20 at 14:16
  • Maybe the problem is that my server doesn't send the chain of certificates, but only the server one. I'll try to add the CA certificate there – Adam Jul 26 '20 at 14:37
  • No, the problem's the same – Adam Jul 26 '20 at 14:48
  • I had a similar problem: "curl: (51) SSL: no alternative certificate subject name matches target host name 'myserver.something' " though it was in the SAN list. I found out that when I used the first DNSName in the SAN it did work. I don't know if it's a known issue, but it looks like curl didn't check ALL the DNS names in the SAN in my case. – user514949 Jun 24 '21 at 08:30

2 Answers

There are two different and nearly unrelated things here.

For curl using OpenSSL, as yours is, the root cert (normally a CA) must be in the file specified by --cacert, OR alternatively in the --capath directory using special filenames that consist of an 8-hexit truncated hash of the canonicalized subject name plus dot and zero (or a small number if collision), OR in the defaults for either if not specified; unless (at least) one of these is present you get the 'unable to get local issuer' error;

AND, the server certificate sent by the server (which normally is NOT the CA cert) must contain, in SubjectAltName (SAN) extension if present and otherwise in Subject.CommonName (CN), a hostname that matches the hostname in the URL you try to access. If the server cert contains SAN extension but no entry in that extension matches the URL, you get the error in your title; see e.g. Fix CURL (51) SSL error: no alternative certificate subject name matches

A self-signed server cert varies from the usual case because it acts as both the root cert and the server cert, so it must BOTH be in --cacert or --capath or their defaults (even though properly speaking it isn't a CA) AND contain SAN (or in its absence CN) that matches the URL.

PS: if you can't determine for certain what cert the server is sending (perhaps because the config is complicated, or not certain if it has been restarted or refreshed), use

```
openssl s_client -connect $host:$port -servername $host 2>&1 | openssl x509 -noout -text
# if OpenSSL version 1.1.1 you can omit -servername $host
```

dave_thompson_085
  • The self-signed server cert worked (used `--cacert`) as you write. But when I switched to the self-signed ca (and used `--cacert` too), I got the error in my question title. – Adam Jul 28 '20 at 19:43
  • Your command output: `X509v3 extensions: X509v3 Subject Alternative Name: DNS:my.ip.addr.ess` So it should work. Maybe it has a problem, when SAN is not a domain, but an IP addr? I don't have a domain, I use the address everywhere. – Adam Jul 28 '20 at 19:44
  • I had no problems on my iPhone, and switched to wget which works. – Adam Jul 28 '20 at 19:49
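To make the two checks in this answer concrete, here is an added example (not code from the answer, from curl or from OpenSSL's own tests) that issues a throwaway CA and a server certificate whose SAN carries both a DNS name and an IP address, then runs the chain check and the name check separately with `openssl verify`. The CA name "Lab Test CA", the host `app.lab.test` and the address `192.0.2.10` are constructed values; the `--capath` file name follows the subject-hash scheme described above.

```shell
#!/bin/sh
# Added example, not code from the answer: reproduce curl's two checks with openssl.
# Constructed names: CA "Lab Test CA", host app.lab.test, IP 192.0.2.10 (TEST-NET-1).
set -eu
WORK=$(mktemp -d)
# Issue a self-signed CA (the root --cacert must hold) and a server cert signed by it
# whose SAN carries both a DNS name and an IP entry.
make_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Lab Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=app.lab.test" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  printf 'subjectAltName=DNS:app.lab.test,IP:192.0.2.10\n' > "$WORK/san.cnf"
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -extfile "$WORK/san.cnf" -out "$WORK/srv.pem" 2>/dev/null
}

# Check 1 (chain): does the cert in $2 chain to a root in the file $1? Failing this is
# curl's "unable to get local issuer certificate". Default stores are disabled.
chain_ok() {
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# --capath wants the root stored as <subject hash>.0; derive that name for a cert.
capath_name() {
  printf '%s.0\n' "$(openssl x509 -noout -subject_hash -in "$1")"
}

# Same chain check, but with the CA placed in a --capath style directory.
capath_ok() {
  mkdir -p "$WORK/capath"
  cp "$WORK/ca.pem" "$WORK/capath/$(capath_name "$WORK/ca.pem")"
  openssl verify -no-CAfile -CApath "$WORK/capath" "$WORK/srv.pem" >/dev/null 2>&1
}

# Check 2 (name): does a SAN entry match the host in the URL? A DNS name in the URL
# is matched against DNS entries, a literal IP against IP entries. Failing this is
# "no alternative certificate subject name matches target host name".
host_ok() {
  openssl verify -no-CApath -CAfile "$WORK/ca.pem" -verify_hostname "$1" "$WORK/srv.pem" >/dev/null 2>&1
}
ip_ok() {
  openssl verify -no-CApath -CAfile "$WORK/ca.pem" -verify_ip "$1" "$WORK/srv.pem" >/dev/null 2>&1
}
make_certs
echo "--capath filename for the CA: $(capath_name "$WORK/ca.pem")"
chain_ok "$WORK/ca.pem" "$WORK/srv.pem" && echo "chain check: OK with the CA as --cacert"
host_ok app.lab.test && echo "SAN DNS match for app.lab.test: OK"
ip_ok 192.0.2.10 && echo "SAN IP match for 192.0.2.10: OK"
```

Passing the server certificate itself as the CA file reproduces the "unable to get local issuer" failure, and asking for a name or address that is not in the SAN reproduces the name-mismatch failure.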

Use wget with `--ca-certificate=path/to/PEM/ca/cert`.

Adam