On 5/10/2019 8:57 AM, surya chandrika via curl-library wrote:
> I ran the following
>
> -sh-4.2$  HOST=<myhost>; echo | openssl s_client -servername $HOST
> -connect $HOST:443 2>/dev/null | openssl x509 -noout -checkhost $HOST
> unable to load certificate
> 139697300731712:error:0906D06C:PEM routines:PEM_read_bio:no start
> line:crypto/pem/pem_lib.c:691:Expecting: TRUSTED CERTIFICATE
>
> I added a self-signed certificate for this host. Could that be a reason?
>
> On Wed, May 8, 2019 at 11:48 AM Ray Satiro via curl-library
> <curl-library@cool.haxx.se> wrote:
>
>     On 5/8/2019 12:32 AM, surya chandrika wrote:
>>     Disabling CURLOPT_SSL_VERIFYHOST worked. Yes, as you said, this
>>     is not recommended.
>>     But I am not sure why the certificate with the correct hostname is not
>>     recognized from the uploaded certificate.
>>     I added the certificate in the path "/etc/pki/ca-trust/source/anchors/".
>>     In verbose mode it says it got 5 certificates:
>>>     * found 171 certificates in /etc/pki/tls/certs/ca-bundle.crt
>>>     * found 5 certificates in /etc/pki/ca-trust/source/anchors/
>>>     But it throws the error: SSL: certificate subject name (#1300) does not
>>>     match target host name 'abc.com'
>>     Any idea why the certificate is not recognized?
>
>
>     If abc.com is a hostname in the certificate then
>     you should not see that message. Check if OpenSSL gives different
>     results:
>
>     (HOST=abc.com; echo | openssl s_client
>     -servername $HOST -connect $HOST:443 2>/dev/null | openssl x509
>     -noout -checkhost $HOST)
>
>     Instead of -checkhost $HOST you can use -text to dump the
>     certificate details. You should see the hostname in X509v3 Subject
>     Alternative Name.
>

Please do not top-post [1], it makes the conversation harder to follow.
The error "Expecting: TRUSTED CERTIFICATE" means that the certificate was
not read, which likely means a separate error occurred in the previous
command. A self-signed certificate should not be the reason. Try just
the s_client command without suppressing errors.


[1]: https://curl.haxx.se/mail/etiquette.html#Do_Not_Top_Post
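
The check discussed in this thread, split into steps so that an s_client failure is reported directly instead of surfacing as "unable to load certificate" from `openssl x509`. This is an added example, not part of the original message; the function names `check_host` and `diagnose` are hypothetical, and it assumes an `openssl` binary on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): run the s_client step and the
# x509 -checkhost step separately and keep s_client's stderr.

# check_host HOST FILE: FILE holds captured s_client stdout.
# Returns 0 = hostname matches, 1 = no match, 2 = no certificate in FILE.
check_host() {
    host=$1
    out=$2
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$out"; then
        echo "no PEM certificate in s_client output; the connection step failed" >&2
        return 2
    fi
    # x509 skips the non-PEM text that s_client prints around the certificate
    result=$(openssl x509 -noout -checkhost "$host" < "$out" 2>&1)
    echo "$result"
    case $result in
        *"does match certificate"*) return 0 ;;
        *) return 1 ;;
    esac
}

# diagnose HOST [PORT]: connect, keep stderr, then run check_host.
diagnose() {
    host=$1
    port=${2:-443}
    tmp=$(mktemp -d) || return 2
    # stderr goes to a file instead of /dev/null so the real error is kept
    openssl s_client -servername "$host" -connect "$host:$port" \
        < /dev/null > "$tmp/out" 2> "$tmp/err" || true
    rc=0
    check_host "$host" "$tmp/out" || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "s_client stderr:" >&2
        cat "$tmp/err" >&2
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Run only when a host is given on the command line.
if [ "$#" -ge 1 ]; then
    diagnose "$@"
fi
```

Exit status 2 corresponds to the situation in the quoted session: the x509 step had nothing to parse, so the error to look at is the one s_client printed.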
