curl:(60)SSL:无法从对等证书获取通用名称

curl:(60)SSL:无法从对等证书获取通用名称

我正在尝试为我的网络服务器创建自签名证书,但进展不顺利。标题是当我 curl --noproxy "*" https://example.com 在网络服务器上运行(example.com 是我的网络服务器的域名)时 curl 给出的错误消息。它是一个 FQDN 并且可解析。

wget --no-proxy https://example.com让我

Resolving example.com (example.com)... 127.0.1.1
Connecting to example.com (example.com)|127.0.1.1|:443... connected.
    ERROR: certificate common name ‘’ doesn't match requested host name ‘example.com’.

显然,它“无法获取我的证书的通用名称”。但我不明白为什么。

我使用这个名为 server.cnf 的 .cnf 文件生成了服务器证书:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no


[req_distinguished_name]
countryName=            <country>
stateOrProvinceName=    <province>
localityName=           <locality>
organizationName=       <organization>
organizationalUnitName= <ou>
commonName=             example.com

[alt_names]
DNS.1 = example.com

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

使用以下命令:

sudo certtool --generate-certificate \
--load-privkey /etc/ssl/web_domain_keys/server_key.pem \
--load-ca-certificate /etc/ssl/certs/CA_cert.pem \
--load-ca-privkey /etc/ssl/private/CA_key.pem \
--template /usr/lib/ssl/server.cnf \
--outfile /etc/ssl/server_cert.pem

当我运行时openssl s_client -connect example.com:443主题名称是空白的,但我不知道这是为什么:

depth=1 CN = ca.example.com
verify return:1
depth=0
verify return:1
---
Certificate chain
 0 s:
   i:CN = ca.example.com
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
   v:NotBefore: Mar  5 13:54:23 2024 GMT; NotAfter: Mar  5 13:54:23 2025 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
<correct certificate>
-----END CERTIFICATE-----
subject=
issuer=CN = ca.example.com
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits```

相关内容