使用Ubuntu 16.04, curl版本7.47.0
我正在尝试debuggingSSL证书问题,并在使用curl时看到奇怪的行为。 当我刚跑时:
ubuntu@ip-172-30-0-81:~$ curl https://myapp.com/hello curl: (51) SSL: certificate subject name (cloud.mynameserver.com) does not match target host name 'myapp.com'
但是,当我附加-v标志:
ubuntu@ip-172-30-0-81:~$ curl -v https://myapp.com/hello * Trying {IP REDACTED}... * Connected to myapp.com ({IP REDACTED}) port 443 (#0) * found 173 certificates in /etc/ssl/certs/ca-certificates.crt * found 692 certificates in /etc/ssl/certs * ALPN, offering http/1.1 * SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384 * server certificate verification OK * server certificate status verification SKIPPED * common name: myapp.com (matched) * server certificate expiration date OK * server certificate activation date OK * certificate public key: RSA * certificate version: #3 * subject: CN=myapp.com * start date: Sat, 31 Dec 2016 22:57:00 GMT * expire date: Fri, 31 Mar 2017 22:57:00 GMT * issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3 * compression: NULL * ALPN, server accepted to use http/1.1 > GET /hello HTTP/1.1 > Host: myapp.com > User-Agent: curl/7.47.0 > Accept: */* > < HTTP/1.1 200 OK < Server: nginx/1.10.0 (Ubuntu) < Date: Sat, 21 Jan 2017 00:25:15 GMT < Content-Type: application/json < Transfer-Encoding: chunked < Connection: keep-alive < Strict-Transport-Security: max-age=63072000; includeSubdomains < X-Frame-Options: DENY < X-Content-Type-Options: nosniff < * Connection #0 to host myapp.com left intact {"message": "Hello World"}
注意最后一个, {"message": "Hello World"}是预期的响应。
为什么curl在详细模式下运行时,对SSL证书细节的信任有所不同? 就我所知,这在man页中没有指定。
看起来,您有两个不同的A (或AAAA for IPv6)logging具有相同的主机名。 当主机名有多个logging时,这会导致每个主机名查找返回一个不同的IP地址轮询样式。
当您使用或不使用详细模式来交替请求时,IP地址也会交替出现,从而导致非详细请求遇到错误的IP地址,而详细请求遇到正确的IP地址。 这就是为什么正确的证书出现在详细地址根据
subject: CN=myapp.com
行,而在非详细地址的错误中给出了不同的证书。
正确的解决方法是删除不正确的Alogging,以便仅显示configuration为为您的内容提供服务的Web服务器的地址。