问题
I've set up a server on my local network, but I'm stymied troubleshooting HTTPS connections. When I use curl -v to make a request, I'm told, "requested domain name does not match the server's certificate."
But the output itself appears to indicate that the domain does match: "reg.qa"
What's the real issue here?
$ curl -v https://reg.qa/
* Added reg.qa:443:172.18.0.4 to DNS cache
* About to connect() to reg.qa port 443 (#0)
* Trying 172.18.0.4...
* Connected to reg.qa (172.18.0.4) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: CN=reg.qa,OU=Web Test,O=MYORG,ST=CA,C=US
* start date: Mar 11 20:53:04 2020 GMT
* expire date: Mar 10 20:53:04 2025 GMT
* common name: reg.qa
* issuer: CN=reg.qa,OU=Web Test,O=MYORG,ST=CA,C=US
* NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)
* Unable to communicate securely with peer: requested domain name does not match the server's certificate.
* Closing connection 0
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
回答1:
- NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)
As far as I know newer versions of NSS require that the certificate uses subject alternative names (SAN) to describe the valid domains. Using the common name (CN) is obsolete for many years and several browsers and TLS stacks started to enforce this a while ago.
来源:https://stackoverflow.com/questions/60644617/curl-says-requested-domain-name-does-not-match-the-servers-certificate-but-i