I ran the following:

-sh-4.2$ HOST=<myhost>; echo | openssl s_client -servername $HOST -connect $HOST:443 2>/dev/null | openssl x509 -noout -checkhost $HOST
unable to load certificate
139697300731712:error:0906D06C:PEM routines:PEM_read_bio:no start line:crypto/pem/pem_lib.c:691:Expecting: TRUSTED CERTIFICATE

I added a self signed certificate for this host. Could that be a reason?

On Wed, May 8, 2019 at 11:48 AM Ray Satiro via curl-library <curl-library@cool.haxx.se> wrote:

> On 5/8/2019 12:32 AM, surya chandrika wrote:
>
> Disabling CURLOPT_SSL_VERIFYHOST worked. Yes as you said this is not
> recommended.
> But am not sure why certificate with correct hostname is not recognized
> from uploaded certificate.
> I added certificate in path "/etc/pki/ca-trust/source/anchors/
> In verbose mode it says it got 5 certificate
>
> * found 171 certificates in /etc/pki/tls/certs/ca-bundle.crt
> * *found 5 certificates in /etc/pki/ca-trust/source/anchors/*
>
> *But throw error *SSL: certificate subject name (#1300) does not match
> target host name 'abc.com
>
> Any idea why certificate is not recognized
>
>
> If abc.com is a hostname in the certificate then you should not see that
> message. Check if OpenSSL gives different results:
>
> (HOST=abc.com ; echo | openssl s_client -servername $HOST -connect
> $HOST:443 2>/dev/null | openssl x509 -noout -checkhost $HOST)
>
> Instead of -checkhost $HOST you can use -text to dump the certificate
> details. You should see the hostname in X509v3 Subject Alternative Name.
>
> -------------------------------------------------------------------
> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html
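
Added example, not part of the thread: the pipeline above split into stages, so that an s_client run that returns no certificate (the input condition behind "no start line" in openssl x509) is reported separately from a hostname mismatch. The function names are hypothetical; the match string is the one openssl x509 -checkhost prints.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Print the first PEM certificate block on stdin (the leaf certificate in
# s_client output). Exit status 1 if stdin holds no complete block.
first_pem_block() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { in_block = 1 }
        in_block                        { print }
        /^-----END CERTIFICATE-----$/   { if (in_block) { found = 1; exit } }
        END                             { exit(found ? 0 : 1) }
    '
}

# Fetch the leaf certificate. stderr is left visible: the thread's command
# sent it to /dev/null, which hides connection and handshake errors.
fetch_leaf_pem() {
    host=$1; port=${2:-443}
    openssl s_client -servername "$host" -connect "$host:$port" </dev/null |
        first_pem_block
}

# Check a PEM certificate against a hostname.
# Returns 0 on match, 1 on mismatch; prints the names the certificate carries.
check_pem_host() {
    host=$1; pem=$2
    printf '%s\n' "$pem" | openssl x509 -noout -subject
    printf '%s\n' "$pem" | openssl x509 -noout -text |
        grep -A1 'Subject Alternative Name' || echo "(no SAN extension)"
    printf '%s\n' "$pem" | openssl x509 -noout -checkhost "$host" |
        grep -q 'does match certificate'
}

# Returns 2 = no certificate received, 1 = hostname mismatch, 0 = match.
diagnose_host() {
    host=$1
    pem=$(fetch_leaf_pem "$host" "${2:-443}") || {
        echo "no certificate received from $host; see s_client errors above" >&2
        return 2
    }
    check_pem_host "$host" "$pem" || {
        echo "certificate received, but it does not cover $host" >&2
        return 1
    }
}
# Usage: diagnose_host abc.com 443
```

A return value of 2 points at the connection or handshake; a return value of 1 means the names printed by check_pem_host are the ones to compare with the target hostname.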