Thanks so much Jeffrey, I was not aware that putting the hostname in the CN was no longer the recommended approach. I updated the server cert as you described, and now all is working - thanks again.
On Thu, 3 Oct 2024 at 20:55, Jeffrey Walton <noloa...@gmail.com> wrote:
>
> On Thu, Oct 3, 2024 at 2:26 PM Adam Retter via curl-users
> <curl-users@lists.haxx.se> wrote:
> >
> > I have a Web Server that requires certificate authentication, and I am
> > trying to connect to it using curl (version 7.81.0-1ubuntu1.18) and a
> > client certificate.
> > Unfortunately I am getting the following error from curl:
> >
> > curl: (60) SSL: no alternative certificate subject name matches target
> > host name 'tekrar.lacuna.evolvedbinary.com'.
> >
> > The full curl command I am running is:
> >
> > curl -vv --cacert /etc/puppetlabs/puppetserver/ca/ca_crt.pem --cert
> > /etc/puppetlabs/puppet/ssl/certs/tekrar.lacuna.evolvedbinary.com.pem
> > --key
> > /etc/puppetlabs/puppet/ssl/private_keys/tekrar.lacuna.evolvedbinary.com.pem
> > https://tekrar.lacuna.evolvedbinary.com:8081
> >
> > The full output from curl looks like:
> >
> > * Trying 172.30.1.254:8081...
> > * Connected to tekrar.lacuna.evolvedbinary.com (172.30.1.254) port 8081 (#0)
> > * ALPN, offering h2
> > * ALPN, offering http/1.1
> > * CAfile: /etc/puppetlabs/puppetserver/ca/ca_crt.pem
> > * CApath: /etc/ssl/certs
> > * TLSv1.0 (OUT), TLS header, Certificate Status (22):
> > * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> > * TLSv1.2 (IN), TLS header, Certificate Status (22):
> > * TLSv1.3 (IN), TLS handshake, Server hello (2):
> > * TLSv1.2 (IN), TLS header, Finished (20):
> > * TLSv1.2 (IN), TLS header, Supplemental data (23):
> > * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
> > * TLSv1.3 (IN), TLS handshake, Request CERT (13):
> > * TLSv1.3 (IN), TLS handshake, Certificate (11):
> > * TLSv1.3 (IN), TLS handshake, CERT verify (15):
> > * TLSv1.3 (IN), TLS handshake, Finished (20):
> > * TLSv1.2 (OUT), TLS header, Finished (20):
> > * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
> > * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> > * TLSv1.3 (OUT), TLS handshake, Certificate (11):
> > * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> > * TLSv1.3 (OUT), TLS handshake, CERT verify (15):
> > * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> > * TLSv1.3 (OUT), TLS handshake, Finished (20):
> > * SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
> > * ALPN, server did not agree to a protocol
> > * Server certificate:
> > * subject: C=GB; ST=Devon; L=Sampford Peverell; O=Evolved Binary;
> > OU=SysOps; CN=tekrar.lacuna.evolvedbinary.com;
> > emailAddress=sys...@evolvedbinary.com
> > * start date: Jan 24 16:54:18 2024 GMT
> > * expire date: Jan 23 16:54:18 2027 GMT
> > * subjectAltName does not match tekrar.lacuna.evolvedbinary.com
> > * SSL: no alternative certificate subject name matches target host
> > name 'tekrar.lacuna.evolvedbinary.com'
> > * Closing connection 0
> > * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> > * TLSv1.3 (OUT), TLS alert, close notify (256):
> > curl: (60) SSL: no alternative certificate subject name matches target
> > host name 'tekrar.lacuna.evolvedbinary.com'
> > More details here: https://curl.se/docs/sslcerts.html
> >
> > curl failed to verify the legitimacy of the server and therefore could not
> > establish a secure connection to it. To learn more about this situation and
> > how to fix it, please visit the web page mentioned above.
> >
> > As far as I can see hostname matches the CN in the server certificate.
> > So I am not sure why it is complaining about ALT names. Any ideas?
> >
> > I have access to the client, server, and cert files if you would like
> > me to check anything?
>
> Hostnames always go in the Subject Alt Name (SAN). The hostname in the
> CN must also be present in the SAN. The hostname has to be listed
> twice in this case. So get a new certificate issued for the host, and
> ensure tekrar.lacuna.evolvedbinary.com is present in the SAN.
>
> Public CAs used to issue a certificate with the domain name in the
> CN, and the hostnames in the SAN. Nowadays the CN is NOT RECOMMENDED.
> The rules for Public CAs can be found in the CA/Browser Forum
> Baseline Requirements (BR),
> <https://cabforum.org/working-groups/server/baseline-requirements/>.
> The section of interest is 7.1.4.3, Subscriber Certificate Common Name
> Attribute (p. 108).
>
> My rule of thumb is, all hostnames go in the SAN. CN is displayed to
> the user, so make it a friendly name, like "Evolved Binary Website" or
> similar. I do not follow the CA/B BR NOT RECOMMENDED -- I still issue
> with the CN on my networks.
>
> Jeff

--
Adam Retter

skype: adam.retter
tweet: adamretter
http://www.adamretter.org.uk
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users
Etiquette:   https://curl.se/mail/etiquette.html
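The matching rule behind Jeffrey's answer, as an added example that is not code from curl or from either poster: once a certificate carries any dNSName or iPAddress entry in the SAN, a client consults only those entries and ignores the CN, which is why curl reported "subjectAltName does not match" for a certificate whose CN was correct. The code works on the dict layout that Python's `ssl.SSLSocket.getpeercert()` returns, so a certificate captured from a real handshake can be passed in; the two certificates at the bottom are constructed by hand to mirror the thread (the thread does not show what the failing certificate's SAN contained, so `placeholder.invalid` stands in for it, and the IP address is the one curl connected to). It goes a little beyond the thread by also handling wildcard dNSName entries and IP-address SANs.

```python
"""Hostname matching as a TLS client applies it to a server certificate.

Added example; not code from curl or from the thread.  Operates on the
dict layout returned by ssl.SSLSocket.getpeercert().  The certificates
below are constructed to mirror the thread.
"""
import ipaddress
from typing import Dict, Optional, Tuple


def match_dns_id(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName comparison: case-insensitive, trailing dot
    ignored, and a wildcard is accepted only as the whole left-most label
    of a name with at least two labels after it (so '*.com' never matches)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def last_common_name(cert: Dict) -> Optional[str]:
    """The most specific (last) commonName in the subject, if any."""
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    return cn


def verify_hostname(cert: Dict, target: str) -> Tuple[bool, str]:
    """Return (matched, reason) for `target` against `cert`.

    Once the certificate carries any dNSName or iPAddress SAN entry, only
    those entries are consulted and the CN is ignored.  The legacy CN
    fallback applies solely to a certificate with no such SAN entry, and
    many clients refuse even that, so treat a CN-only cert as misissued.
    """
    san = cert.get("subjectAltName", ())
    dns_ids = [value for kind, value in san if kind == "DNS"]
    ip_ids = [value for kind, value in san if kind == "IP Address"]
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None

    if target_ip is not None:
        for ip in ip_ids:
            if ipaddress.ip_address(ip) == target_ip:
                return True, f"SAN iPAddress {ip} matched"
    else:
        for name in dns_ids:
            if match_dns_id(name, target):
                return True, f"SAN dNSName {name} matched"

    if dns_ids or ip_ids:
        # Mirrors the curl error in the thread: a SAN exists but does not
        # name the target, and the CN is not consulted at all.
        return False, ("no alternative certificate subject name matches "
                       f"target host name '{target}'")

    cn = last_common_name(cert)
    if cn is not None and target_ip is None and match_dns_id(cn, target):
        return True, f"no SAN present; legacy fallback matched CN '{cn}'"
    return False, "no SAN present and CN does not match"


HOST = "tekrar.lacuna.evolvedbinary.com"

# Constructed: hostname only in the CN, SAN naming something else
# (placeholder; the thread does not show the real SAN contents).
BROKEN_CERT = {
    "subject": ((("organizationName", "Evolved Binary"),),
                (("commonName", HOST),)),
    "subjectAltName": (("DNS", "placeholder.invalid"),),
}

# Constructed: what Jeffrey recommends, hostname (and IP) in the SAN and a
# friendly CN.
FIXED_CERT = {
    "subject": ((("organizationName", "Evolved Binary"),),
                (("commonName", "Evolved Binary Website"),)),
    "subjectAltName": (("DNS", HOST), ("IP Address", "172.30.1.254")),
}

if __name__ == "__main__":
    for label, cert in (("broken", BROKEN_CERT), ("fixed", FIXED_CERT)):
        ok, why = verify_hostname(cert, HOST)
        print(f"{label}: {'OK' if ok else 'FAIL'} - {why}")
```

To check a live server with the same function, open a connection with `ssl.create_default_context()` and pass `getpeercert()` from the socket into `verify_hostname`; the default context already performs this check itself, so the function is mainly useful for explaining a rejection in terms of which SAN entries were present.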