On 2024-03-19 11:00, J M wrote:
$ file /etc/pki/tls/certs/*
/etc/pki/tls/certs/ca-bundle.crt:       symbolic link to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/etc/pki/tls/certs/ca-bundle.trust.crt: symbolic link to /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

$ grep -c '^-----BEGIN.*CERTIFICATE-----$' /etc/pki/ca-trust/extracted/{openssl/*.crt,pem/*.pem}
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt:369
/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem:116
/etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem:295
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:145

$ grep '^#\s\(ISRG\|R3\)' /etc/pki/ca-trust/extracted/{openssl/*.crt,pem/*.pem}
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt:# ISRG Root X1
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt:# ISRG Root X2
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt:# R3
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:# ISRG Root X1
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:# ISRG Root X2
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:# R3

Looks the same except for the number of matched lines from grep -c.

$ sum /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
22972   630 /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
34027   176 /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
36930   491 /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
05844   220 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

The following are a bit more useful:

$ wc -lwmcL /etc/pki/ca-trust/extracted/{openssl/*.crt,pem/*.pem}
  11307   14152  664107  664142      65 /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
   3368    4080  193879  193883      64 /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
   8816   10434  512531  512566      65 /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
   4236    5094  243623  243627      64 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
  27727   33760 1614140 1614218      65 total
$ cksum /etc/pki/ca-trust/extracted/{openssl/*.crt,pem/*.pem}
317625824 664142 /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
382586407 193883 /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
1244815702 512566 /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
1065593997 243627 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

I would also like to see what you get running:

$ curl -Iv https://8.43.85.97/
*   Trying 8.43.85.97:443...
* Connected to 8.43.85.97 (8.43.85.97) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 / X25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=cygwin.com
*  start date: Jan 21 03:06:49 2024 GMT
*  expire date: Apr 20 03:06:48 2024 GMT
*  subjectAltName does not match 8.43.85.97
* SSL: no alternative certificate subject name matches target host name '8.43.85.97'
* Closing connection
* TLSv1.2 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name '8.43.85.97'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

and:

$ curl -Iv https://cygwin.com/
* Host cygwin.com:443 was resolved.
* IPv6: 2620:52:3:1:0:246e:9693:128c
* IPv4: 8.43.85.97
*   Trying [2620:52:3:1:0:246e:9693:128c]:443...
* Connected to cygwin.com (2620:52:3:1:0:246e:9693:128c) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 / X25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=cygwin.com
*  start date: Jan 21 03:06:49 2024 GMT
*  expire date: Apr 20 03:06:48 2024 GMT
*  subjectAltName: host "cygwin.com" matched cert's "cygwin.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://cygwin.com/
* [HTTP/2] [1] [:method: HEAD]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: cygwin.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.6.0]
* [HTTP/2] [1] [accept: */*]
> HEAD / HTTP/2
> Host: cygwin.com
> User-Agent: curl/8.6.0
> Accept: */*
>
< HTTP/2 200
HTTP/2 200
< date: Tue, 19 Mar 2024 17:32:27 GMT
date: Tue, 19 Mar 2024 17:32:27 GMT
< server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k mod_qos/11.74 mod_wsgi/4.6.4 Python/3.6 mod_perl/2.0.12 Perl/v5.26.3
server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k mod_qos/11.74 mod_wsgi/4.6.4 Python/3.6 mod_perl/2.0.12 Perl/v5.26.3
< vary: User-Agent,Accept-Encoding
vary: User-Agent,Accept-Encoding
< accept-ranges: bytes
accept-ranges: bytes
< content-security-policy: default-src 'self' http: https:
content-security-policy: default-src 'self' http: https:
< strict-transport-security: max-age=16070400
strict-transport-security: max-age=16070400
< content-type: text/html; charset=UTF-8
content-type: text/html; charset=UTF-8

<
* Connection #0 to host cygwin.com left intact


Suggest you try to redownload and rerun setup-x86_64,
reinstall the latest ca-certificates-letsencrypt and ca-certificates packages, check /var/log/setup.log.full, and rerun wc and cksum.

--
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer     but when there is no more to cut
                                -- Antoine de Saint-Exupéry
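
One way to do the "rerun wc and cksum" step and compare the result with the cksum values listed in the message above. This is an added example, not part of the original email; the function names and the script name `check-bundles.sh` are hypothetical, and the reference CRCs and byte counts are copied from the cksum output above, so they only match that ca-certificates version.

```shell
#!/bin/sh
# Added example: compare local CA bundles with the cksum values in the message.
# "relative-path CRC bytes", copied from the cksum output above (March 2024).
REFERENCE='openssl/ca-bundle.trust.crt 317625824 664142
pem/email-ca-bundle.pem 382586407 193883
pem/objsign-ca-bundle.pem 1244815702 512566
pem/tls-ca-bundle.pem 1065593997 243627'

# Number of PEM certificate blocks, using the same pattern as the grep -c above.
cert_count() {
    grep -c '^-----BEGIN.*CERTIFICATE-----$' "$1" || true
}

# "CRC bytes" for one file, normalised to single-space separation.
bundle_sum() {
    cksum < "$1" | { read -r crc bytes rest; echo "$crc $bytes"; }
}

# check_bundles DIR [REFERENCE]: returns 0 only if every listed bundle matches.
check_bundles() {
    dir=$1 ref=${2:-$REFERENCE} rc=0
    while read -r rel want; do
        [ -n "$rel" ] || continue
        file=$dir/$rel
        if [ ! -r "$file" ]; then
            echo "MISSING $rel"; rc=1; continue
        fi
        have=$(bundle_sum "$file")
        if [ "$have" = "$want" ]; then
            echo "OK      $rel ($(cert_count "$file") certificates)"
        else
            echo "DIFFERS $rel: have $have, reference $want ($(cert_count "$file") certificates)"
            rc=1
        fi
    done <<EOF
$ref
EOF
    return "$rc"
}

# Run against the real tree only when a directory is given, e.g.
#   sh check-bundles.sh /etc/pki/ca-trust/extracted
if [ "$#" -gt 0 ]; then
    check_bundles "$1"
fi
```

A DIFFERS line after a ca-certificates update is expected; it is only meaningful when both machines have the same package versions installed.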
