Curl 说“请求的域名与服务器的证书不匹配"，但它似乎匹配 [英] Curl says "requested domain name does not match the server's certificate," but it appears to match

问题描述

我已经在本地网络上设置了一个服务器，但是我在对 HTTPS 连接进行故障排除时遇到了困难.当我使用 curl -v 发出请求时，我被告知请求的域名与服务器的证书不匹配".

I've set up a server on my local network, but I'm stymied troubleshooting HTTPS connections. When I use curl -v to make a request, I'm told, "requested domain name does not match the server's certificate."

但输出本身似乎表明域确实匹配:reg.qa"

But the output itself appears to indicate that the domain does match: "reg.qa"

这里真正的问题是什么?

What's the real issue here?

$ curl -v https://reg.qa/
* Added reg.qa:443:172.18.0.4 to DNS cache
* About to connect() to reg.qa port 443 (#0)
*   Trying 172.18.0.4...
* Connected to reg.qa (172.18.0.4) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*   subject: CN=reg.qa,OU=Web Test,O=MYORG,ST=CA,C=US
*   start date: Mar 11 20:53:04 2020 GMT
*   expire date: Mar 10 20:53:04 2025 GMT
*   common name: reg.qa
*   issuer: CN=reg.qa,OU=Web Test,O=MYORG,ST=CA,C=US
* NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)
* Unable to communicate securely with peer: requested domain name does not match the server's certificate.
* Closing connection 0
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.

推荐答案

• NSS 错误 -12276 (SSL_ERROR_BAD_CERT_DOMAIN)

据我所知，较新版本的 NSS 要求证书使用主题备用名称 (SAN) 来描述有效域.使用通用名称 (CN) 已过时多年，并且一些浏览器和 TLS 堆栈不久前开始强制执行此操作.

As far as I know newer versions of NSS require that the certificate uses subject alternative names (SAN) to describe the valid domains. Using the common name (CN) is obsolete for many years and several browsers and TLS stacks started to enforce this a while ago.

这篇关于Curl 说“请求的域名与服务器的证书不匹配"，但它似乎匹配的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！