No, that wasn't it. The test script fails even when the ubuntu package ca-certificates is installed. And the test script is all self-signed anyway, there's no outside server involved. In fact, it fails on my laptop, which has all the certs a normal user needs.
The script works fine without the wildcard, too, even in the clean container. It really does feel like the wildcard triggers some surprising requirement in gnutls. Maybe I should try registering a FQDN for my laptop and see if that helps :-)

On Fri, Jul 29, 2016 at 6:51 AM, Dan Kegel <[email protected]> wrote:
> Ha! Thank you, that makes sense! I'll give that a shot.
>
>
> On Jul 27, 2016 11:49 PM, "Nikos Mavrogiannopoulos" <[email protected]> wrote:
>
> On Thu, Jul 28, 2016 at 12:29 AM, Dan Kegel <[email protected]> wrote:
>> The script http://kegel.com/wildcard-bug.sh.txt demonstrates generating a wildcard cert
>> on ubuntu using openssh, and using it with gnutls. Works great on a real machine with
>> a real FQDN. But if I run it on a container without a FQDN,
>> gnutls-cli refuses to trust the server.
>> What's going on here? Are servers only trusted if the client can look
>> up the server's primary name in DNS?
>
> Most likely your container doesn't contain the root certificates
> needed for gnutls to verify servers. You'll need to install the
> package that contains them.
>
> regards,
> Nikos
>
> _______________________________________________
> Gnutls-help mailing list
> [email protected]
> http://lists.gnupg.org/mailman/listinfo/gnutls-help
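One check worth making before blaming the TLS library: does the name gnutls-cli is asked to verify actually match the wildcard under the RFC 6125 section 6.4.3 rules? The script below is an added example, not part of this thread and not gnutls code; it implements those rules, and the names `*.example.com`, `www.example.com` and the bare hostname `container` are constructed for illustration.

```python
from typing import List, Optional


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """True if certificate name `pattern` matches `hostname` under RFC 6125 6.4.3.

    Rules applied:
      - without a '*', the names must be equal label-for-label;
      - a '*' is only allowed as the entire left-most label;
      - the '*' matches exactly one label, so '*.example.com' matches
        'www.example.com' but neither 'example.com' nor 'a.b.example.com';
      - at least two labels must follow the '*' ('*.com' is rejected);
      - a single-label hostname (a host with no FQDN) can never match a wildcard.
    """
    p_labels = _labels(pattern)
    h_labels = _labels(hostname)
    if not pattern or not hostname or "" in p_labels or "" in h_labels:
        return False
    if "*" not in pattern:
        return p_labels == h_labels
    if pattern.count("*") != 1 or p_labels[0] != "*":
        return False  # wildcard must be the whole left-most label
    if len(p_labels) < 3:
        return False  # '*.com' is too broad
    if len(h_labels) != len(p_labels):
        return False  # '*' spans exactly one label, never zero or several
    return h_labels[1:] == p_labels[1:]


def first_matching_name(cert_names: List[str], hostname: str) -> Optional[str]:
    """Return the first certificate name (SAN or CN) that matches, or None.

    This mirrors what a verifier does: the hostname is accepted only if at
    least one name in the certificate matches it.
    """
    for name in cert_names:
        if wildcard_matches(name, hostname):
            return name
    return None


if __name__ == "__main__":
    # Constructed names: a wildcard cert checked against a FQDN and a bare hostname.
    print(first_matching_name(["*.example.com"], "www.example.com"))  # *.example.com
    print(first_matching_name(["*.example.com"], "container"))        # None
```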
