
#1 2010-02-16 18:41:16

tiddylicious
Member
From: Norway
Registered: 2009-11-27
Posts: 11

fetch CA certificates

Hi,

I have a problem adding certificates (self signed) on my server. I use this command to fetch the certificate:

openssl s_client -connect <XXXX.com>:443 </dev/null 2>/dev/null | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' >> /etc/ssl/certs/ca-certificates.crt

Then I use

c_rehash

then try to test it with:

curl -I --capath /etc/ssl/certs https://XXXX.com

but I always get an error.. I have tried two different certificates (sites) with errors:

"Certificate verify failed" or hostname != common name

This has happened to every site with an SSL (self-signed) certificate I have tried?

Am I utterly retarded???


2 kooL 4 Sk00L


#2 2010-02-17 10:35:33

tss
Member
From: UIUC
Registered: 2008-08-27
Posts: 17

Re: fetch CA certificates

The Common Name (CN) specifies who a certificate was issued for.  An error message indicating that there is a mismatch between the common name and host name means that the CN field in your certificate is not the same as what is being advertised by the web server.  Please ensure that the value of ServerName in your Apache configuration matches the CN you specified when you created the certificate.

Last edited by tss (2010-02-17 10:50:19)


Code is everything I thought poetry was... Clean, expressive, urgent, all-encompassing. Fourteen lines can open up to fill the available universe.
Teach Yourself Programming | Learn To Ask Questions | Fight Lost Productivity


#3 2010-02-17 12:33:07

tiddylicious
Member
From: Norway
Registered: 2009-11-27
Posts: 11

Re: fetch CA certificates

Hi,

Thank you for your reply,

The thing is, this is not my certificate. Second thing is that I tried another site with a certificate, and I could not get it to work there either, but there I got a different error, "verification failed". So, I understand the CN and ServerName error, but I can't understand why I can't add other certificates from different sites that have this in order?

The steps are rather clear: I fetch the certificate, add it in /etc/ssl/certs/ and then I rehash, and test it. How can I mess it up already?

I'm kind of confused, shouldn't it be rather straightforward to add a certificate and use it? I guess it's something I'm doing very wrong.


2 kooL 4 Sk00L


#4 2010-02-17 17:12:10

tss
Member
From: UIUC
Registered: 2008-08-27
Posts: 17

Re: fetch CA certificates

In the cases where the common name and host name are set up correctly, the verification is failing because something went wrong when you added the SSL certificate to your system. Try the method outlined in the cURL documentation. The documentation seems to suggest that you first must convert the certificate to PEM format: "To do this, you need to get the CA cert for your server in PEM format and then append that to your CA cert bundle." Perhaps that is what is going wrong. Note the relevant part from the cURL manpage: "--cert-type <type> (SSL) Tells curl what certificate type the provided certificate is in. PEM, DER and ENG are recognized types. If not specified, PEM is assumed."

Also, try using --verbose or --trace-ascii to get a more useful error message.


Code is everything I thought poetry was... Clean, expressive, urgent, all-encompassing. Fourteen lines can open up to fill the available universe.
Teach Yourself Programming | Learn To Ask Questions | Fight Lost Productivity
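As an added, offline example (not code from this thread or from any of the posters), the script below reproduces the two failures discussed above using only local, constructed certificates. It models the lookup that curl --capath and openssl verify -CApath perform: the directory is searched by <subject_hash>.0 symlinks, and c_rehash names a link after the first certificate it finds in each file, so a certificate appended to an existing bundle such as ca-certificates.crt gets no link and is never found ("verification failed"), while the same bundle handed over as a single file works. It then shows the hostname check that produces the "hostname != common name" error. The names existing-ca.test, selfsigned-site.test, other-name.test and the directory layout are made up for the demonstration; it assumes openssl 1.1.1 or later (for -addext) on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread: offline reproduction of the
# hash-directory trust lookup used by `curl --capath` / `openssl verify -CApath`.
# Requires openssl >= 1.1.1 (assumption). All names and certs are constructed.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BUNDLE_DIR="$WORK/bundle-only"   # the thread's approach: cert appended to a bundle
PROPER_DIR="$WORK/proper"        # one file per certificate, each with its own link
mkdir -p "$BUNDLE_DIR" "$PROPER_DIR"

# Make a self-signed certificate whose CN and SAN are $1, written to $2.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$WORK/$1.key" -out "$2" >/dev/null 2>&1
}

# What c_rehash does for one file in directory $1: create <subject_hash>.0 -> $2,
# where the hash comes from the FIRST certificate in the file.
hash_link() {
    h=$(openssl x509 -noout -subject_hash -in "$1/$2")
    ln -sf "$2" "$1/$h.0"
}

# Verify certificate $2 using only hash directory $1 (optional $3 = expected hostname).
# Prints OK or FAIL; the output text is checked rather than the exit status.
verify_capath() {
    if [ $# -ge 3 ]; then
        out=$(openssl verify -no-CAfile -CApath "$1" -verify_hostname "$3" "$2" 2>&1 || true)
    else
        out=$(openssl verify -no-CAfile -CApath "$1" "$2" 2>&1 || true)
    fi
    case "$out" in *": OK"*) echo OK ;; *) echo FAIL ;; esac
}

# Verify certificate $2 against a single bundle file $1 (what `curl --cacert` uses).
verify_cafile() {
    out=$(openssl verify -no-CApath -CAfile "$1" "$2" 2>&1 || true)
    case "$out" in *": OK"*) echo OK ;; *) echo FAIL ;; esac
}

# Constructed scenario: a bundle already holding cert A, then cert B appended to
# it, exactly as the `sed ... >> ca-certificates.crt` pipeline does.
make_self_signed existing-ca.test "$WORK/a.pem"
make_self_signed selfsigned-site.test "$WORK/b.pem"
cat "$WORK/a.pem" "$WORK/b.pem" > "$BUNDLE_DIR/ca-bundle.crt"
hash_link "$BUNDLE_DIR" ca-bundle.crt           # link is named after A's hash only

# The fix: give B its own file and its own hash link.
cp "$WORK/b.pem" "$PROPER_DIR/selfsigned-site.pem"
hash_link "$PROPER_DIR" selfsigned-site.pem

echo "capath, B appended to bundle : $(verify_capath "$BUNDLE_DIR" "$WORK/b.pem")"
echo "cafile, same bundle          : $(verify_cafile "$BUNDLE_DIR/ca-bundle.crt" "$WORK/b.pem")"
echo "capath, B in its own file    : $(verify_capath "$PROPER_DIR" "$WORK/b.pem")"
echo "hostname matches SAN/CN      : $(verify_capath "$PROPER_DIR" "$WORK/b.pem" selfsigned-site.test)"
echo "hostname differs from SAN/CN : $(verify_capath "$PROPER_DIR" "$WORK/b.pem" other-name.test)"
```

The first line prints FAIL and the next three print OK; the last prints FAIL even though the certificate is trusted, which is the CN/hostname mismatch curl reports separately from trust. For a site whose certificate is not self-signed, the same lookup needs the issuing CA certificate, not the site's leaf; openssl s_client prints the full chain only with -showcerts.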

