Machine A can reach the Internet and already runs a web server: https://www.xyz.com:60443
A program on machine B needs, at startup, to download the package https://www.example.com:60443/download/nodejs/v16.14.0/node-v16.14.0-linux-x64.tar.xz,
and the only way for B to get it is through machine A.
On machine B, point www.example.com at machine A's IP address:
# cat /etc/hosts
10.3.52.60 www.example.com
On machine A, create the same path under the web root /usr/local/openresty/nginx/html and fetch the real package into it (A resolves www.example.com normally, so this wget goes to the original server):
# mkdir -p /usr/local/openresty/nginx/html/download/nodejs/v16.14.0/
# cd /usr/local/openresty/nginx/html/download/nodejs/v16.14.0/
# wget https://www.example.com:60443/download/nodejs/v16.14.0/node-v16.14.0-linux-x64.tar.xz
On machine B, try to download https://www.example.com:60443/download/nodejs/v16.14.0/node-v16.14.0-linux-x64.tar.xz
$ wget https://www.example.com:60443/download/nodejs/v16.14.0/node-v16.14.0-linux-x64.tar.xz
--2023-10-18 15:43:20--  https://www.example.com:60443/download/nodejs/v16.14.0/node-v16.14.0-linux-x64.tar.xz
Resolving www.example.com (www.example.com)... 10.3.52.60
Connecting to www.example.com (www.example.com)|10.3.52.60|:60443... connected.
ERROR: no certificate subject alternative name matches
    requested host name 'www.example.com'.
To connect to www.example.com insecurely, use `--no-check-certificate'.
Cause: the TLS certificate that machine A presents was not issued for www.example.com. Every client with default settings (wget, curl, browsers) compares the requested host name with the certificate's Subject Alternative Name entries and aborts the TLS handshake when none of them matches.
Pull the certificate chain machine A presents and dump the leaf. -showcerts prints every certificate in the chain, so the file may hold several PEM blocks; openssl x509 -in parses only the first one, which is the server (leaf) certificate:
# echo | openssl s_client -showcerts -connect www.xyz.com:60443 2> /dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > www.xyz.com.crt
# openssl x509 -noout -text -in www.xyz.com.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6e:47:51:c0:ba:4d:20:71:c1:3d:ca:4a:4b:7b:8f:ba
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
        Validity
            Not Before: Jan 14 00:00:00 2019 GMT
            Not After : Feb  8 23:59:59 2021 GMT
        Subject: OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.xyz.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b2:e1:2c:9c:cf:06:52:e9:72:79:a1:7c:27:bb:
                    6a:0b:86:aa:70:d0:46:27:f2:ad:42:f9:17:d7:e3:
                    74:34:71:f0:eb:5f:17:b7:c5:81:42:45:9f:04:9c:
                    0d:8b:c8:c7:95:b5:1e:1f:cf:1f:ad:d0:1c:7b:a3:
                    f9:73:8a:9a:66:1c:d3:9b:b2:42:1f:66:f4:2a:a1:
                    7e:67:d4:85:8f:01:a9:87:72:0f:86:29:c3:9b:47:
                    2c:1d:fc:ab:a1:d8:37:f1:ca:09:a5:5e:1a:e6:e2:
                    ff:47:92:fa:b1:ee:45:28:68:e8:6e:aa:5a:1c:bc:
                    89:8f:68:b9:bc:6c:1d:62:2e:04:e8:68:88:49:7b:
                    ac:58:b5:1e:f4:79:e2:71:53:b4:b3:93:7e:47:07:
                    8d:66:c0:84:23:9d:fc:3c:92:5b:77:e9:77:73:0e:
                    be:33:48:88:7b:0c:2f:df:52:c1:b8:6d:61:8c:c0:
                    5e:eb:26:b8:a2:83:b6:7c:a1:5d:8f:47:ed:ab:0a:
                    f6:1a:14:7e:10:7b:96:4e:fc:6f:7c:f4:de:9f:31:
                    85:a5:a9:10:8a:12:47:16:23:51:56:31:2c:95:89:
                    3a:11:09:53:3e:55:3c:05:d6:20:27:ea:35:e0:74:
                    17:68:78:25:1f:d1:6c:ac:d1:9f:81:b3:02:7f:e4:
                    04:f9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:8D:8C:5E:C4:54:AD:8A:E1:77:E9:9B:F9:9B:05:E1:B8:01:8D:61:E1
            X509v3 Subject Key Identifier:
                E9:82:57:A4:2B:30:F4:05:93:3C:EF:AC:BC:37:67:FD:22:8B:DB:F8
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.2.7
                  CPS: https://sectigo.com/CPS
                Policy: 2.23.140.1.2.1
            Authority Information Access:
                CA Issuers - URI:http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
                OCSP - URI:http://ocsp.sectigo.com
            X509v3 Subject Alternative Name:
                DNS:*.xyz.com, DNS:xyz.com
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : BB:D9:DF:BC:1F:8A:71:B5:93:94:23:97:AA:92:7B:47:
                                38:57:95:0A:AB:52:E8:1A:90:96:64:36:8E:1E:D1:85
                    Timestamp : Jan 14 22:36:41.747 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:F7:C6:2F:14:DF:0B:44:8E:F8:5E:1A:
                                75:E6:AE:D9:88:00:C6:35:B9:35:5D:23:FA:23:2F:C1:
                                47:67:B0:0F:D4:02:21:00:A2:20:47:81:0D:BB:57:14:
                                01:B8:C0:0D:88:1A:74:7A:95:7D:22:EC:AD:03:FA:5A:
                                C1:3A:0B:EA:7A:AE:6B:E3
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 44:94:65:2E:B0:EE:CE:AF:C4:40:07:D8:A8:FE:28:C0:
                                DA:E6:82:BE:D8:CB:31:B5:3F:D3:33:96:B5:B6:81:A8
                    Timestamp : Jan 14 22:36:41.817 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:41:C5:07:77:03:2B:A6:AC:54:9B:BF:FF:
                                FE:A7:65:3C:0A:5D:C6:BE:00:61:43:BD:0D:7A:1C:31:
                                2A:7E:72:59:02:21:00:CA:D5:B2:17:F1:F7:65:2A:74:
                                F1:9D:FD:72:71:CA:9E:11:1D:77:C0:F4:B5:CF:B1:FE:
                                43:13:FE:1C:36:AC:51
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 5C:DC:43:92:FE:E6:AB:45:44:B1:5E:9A:D4:56:E6:10:
                                37:FB:D5:FA:47:DC:A1:73:94:B2:5E:E6:F6:C7:0E:CA
                    Timestamp : Jan 14 22:36:41.821 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:58:66:01:E2:D9:EB:36:9A:CE:22:0E:CE:
                                D9:CC:C6:2B:D4:25:94:CD:64:10:37:62:31:43:0C:20:
                                14:14:B3:C3:02:20:46:78:BB:F5:6E:6E:69:69:8E:77:
                                14:96:37:6A:80:B6:81:6C:A6:F3:51:A0:3C:48:DA:76:
                                7D:EA:B0:64:AF:65
    Signature Algorithm: sha256WithRSAEncryption
         7e:e6:b7:76:54:ca:3e:8e:7e:ec:5e:da:0e:a4:87:33:8d:4f:
         91:80:3c:e4:a0:b4:5a:db:1b:59:cc:f0:fb:b9:3d:63:73:5a:
         0c:f0:10:9a:4f:ff:12:a7:1c:71:aa:b0:46:bc:15:f8:d5:1c:
         ba:70:21:1d:68:33:4c:b5:9d:97:3d:80:f4:97:c1:27:e8:76:
         47:ab:36:56:fd:af:22:a6:04:f1:17:d9:e3:c5:ed:27:2f:8f:
         5b:33:d6:11:f6:97:88:bd:86:da:72:61:e1:7c:8c:aa:2b:72:
         25:6a:cd:6a:29:e2:9b:90:da:93:68:8a:77:7c:42:00:d5:93:
         8e:43:d1:34:7e:d5:c2:bf:1a:f0:81:45:cc:f9:9b:b7:c4:0f:
         f3:c5:10:b3:06:e6:a8:ef:9e:99:6d:fb:6c:51:14:d3:4a:52:
         a1:64:67:f2:5c:f3:ca:5c:9a:6a:1c:fa:2f:b8:04:0c:95:6b:
         57:4c:29:4e:50:f9:89:f9:ad:c9:f6:5a:8e:fe:ea:e1:9c:f8:
         2e:51:c5:c5:5c:42:6b:72:43:90:3b:a6:98:4a:4a:84:58:25:
         5f:b5:ae:31:4b:36:32:c7:ec:1d:58:72:66:35:84:45:80:c7:
         14:8a:78:db:51:60:78:f4:b2:65:6c:2b:e5:8c:e4:8f:0f:1f:
         d0:25:db:32
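To see exactly what machine B is checking, here is the host-name check itself as an added shell example (not part of the original post): a SAN matcher following the RFC 6125 rules, a helper that scans the SAN line openssl prints, and a wrapper that pulls the certificate a server presents for a given SNI name and reports both the SAN match and expiry. The offline demonstration reuses the SAN line from the dump above, DNS:*.xyz.com, DNS:xyz.com; the wrapper assumes OpenSSL 1.1.1 or newer (for openssl x509 -ext) and is the only part that needs network access. Connecting to the IP with -servername www.example.com, rather than to www.xyz.com as the command above does, shows the certificate machine B actually receives after the /etc/hosts override.

```shell
#!/bin/sh
# Added example, not from the original page: the name check that wget, curl and
# browsers apply to a server certificate, done by hand. Matching follows RFC 6125:
# case-insensitive, a wildcard is honoured only as the whole leftmost label, and
# that wildcard stands for exactly one label. The network wrapper assumes
# OpenSSL >= 1.1.1 (needed for `openssl x509 -ext`).

# san_matches HOSTNAME SAN_DNS_NAME -> exit 0 if the SAN entry covers the host name
san_matches() {
  h=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  s=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$s" in
    \*.*)
      suffix=${s#\*.}       # "*.xyz.com" -> "xyz.com"
      label=${h%%.*}        # leftmost label of the host name
      # the host must be exactly <one label>.<suffix>: "a.b.xyz.com", the bare
      # "xyz.com" and any name under another domain are NOT covered by "*.xyz.com"
      [ -n "$label" ] && [ "$h" = "$label.$suffix" ]
      ;;
    *)
      [ "$h" = "$s" ]
      ;;
  esac
}

# host_covered_by_sans HOSTNAME "DNS:a, DNS:b, IP Address:1.2.3.4"
# The second argument is the value line printed by `openssl x509 -ext subjectAltName`.
# Prints the covering SAN entry and exits 0, or exits 1 when nothing covers the host.
host_covered_by_sans() {
  want=$1
  hit=$(printf '%s\n' "$2" | tr ',' '\n' | tr -d ' ' |
    while IFS= read -r entry; do
      case "$entry" in
        DNS:*)
          if san_matches "$want" "${entry#DNS:}"; then
            printf '%s\n' "${entry#DNS:}"
            break
          fi ;;
      esac
    done)
  [ -n "$hit" ] && printf '%s\n' "$hit"
}

# check_tls_hostname HOSTNAME CONNECT_TARGET   e.g. www.example.com 10.3.52.60:60443
# Fetches the leaf certificate the server presents for that SNI name (what machine B
# receives after the /etc/hosts override) and reports the SAN match and the expiry
# check, the two things wget verifies before it downloads anything.
check_tls_hostname() {
  name=$1; target=$2
  cert=$(echo | openssl s_client -connect "$target" -servername "$name" 2>/dev/null |
         openssl x509 2>/dev/null) || { echo "no certificate received from $target"; return 2; }
  sans=$(printf '%s\n' "$cert" | openssl x509 -noout -ext subjectAltName 2>/dev/null |
         sed -n '2s/^[[:space:]]*//p')
  printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null 2>&1 ||
    echo "WARNING: certificate from $target has expired"
  if covered=$(host_covered_by_sans "$name" "$sans"); then
    echo "OK: $name is covered by SAN entry $covered"
  else
    echo "MISMATCH: $name is not in the SAN list [$sans]; wget will refuse the handshake"
    return 1
  fi
}

# Offline demonstration with the SAN line copied from the certificate dump above.
SANS='DNS:*.xyz.com, DNS:xyz.com'
host_covered_by_sans www.xyz.com "$SANS"                    # prints *.xyz.com
host_covered_by_sans www.example.com "$SANS" || echo "www.example.com: no SAN match (the error wget reported)"
```

Run it on B as check_tls_hostname www.example.com 10.3.52.60:60443 to get the same verdict wget gives, plus an explicit expiry warning, before attempting the download.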
What the dump shows: the Subject Alternative Name extension lists only DNS:*.xyz.com and DNS:xyz.com. www.example.com matches neither (a wildcard covers exactly one label directly under xyz.com, never a name under another domain), so wget stops with "no certificate subject alternative name matches". A wget linked against OpenSSL instead of GnuTLS reports the same failure as "certificate owner does not match hostname", the wording in the second reference below. Note also Not After: Feb 8 2021. This certificate had expired long before the attempt on 2023-10-18, so verification would fail on the date check even if the name matched.
"No matching subject alternative name" means that during the TLS handshake the client compared the requested host name with the certificate's Subject Alternative Name field and found no entry covering it. Subject Alternative Name is the X.509 extension listing the host names (and IP addresses) a certificate is valid for; modern clients match the host name against SAN only and ignore the CN. In this setup the mismatch is not a defect on the server: /etc/hosts sends www.example.com to machine A, and A answers with its own *.xyz.com certificate, which cannot cover www.example.com.
Ways to deal with it:
- Fix the name: give machine A a certificate whose SAN contains www.example.com, issued by a private CA that machine B trusts (or by a public CA if you control the domain), and make B trust that CA, either with wget --ca-certificate=FILE for this download or by installing it into B's system trust store.
- Check the validity dates as well; an expired certificate is refused regardless of what the SAN says.
- Only as a last resort, and only when you fully trust the host you are reaching (here: your own machine A on an internal network), use --no-check-certificate (curl -k). It disables both the chain check and the host-name check, so whoever can answer for 10.3.52.60 can hand you an arbitrary tarball; verify the downloaded file against a known checksum afterwards.
If the mismatch is not explained by a hosts override of your own, contact the server's administrator or the certificate authority.
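The first option above, done properly, as an added example that is not part of the original page: a private CA on machine A, a server certificate whose SAN is www.example.com, a local check of the same two things wget verifies (chain and host name), and the matching nginx server block for port 60443. The working directory, the CA name, the 825-day lifetime and the nginx paths are assumptions for the demonstration; the script needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the original page. Gives machine A a certificate whose
# SAN really is www.example.com, issued by a private CA that machine B is told to
# trust, so wget verifies the download instead of needing --no-check-certificate.
# Assumptions: OpenSSL >= 1.1.1, the working directory and the nginx paths below.

# make_mirror_pki DIR HOST: private CA + leaf certificate for HOST, all under DIR.
make_mirror_pki() {
  dir=$1; host=$2
  mkdir -p "$dir" || return 1

  # Explicit config files so the result does not depend on the system openssl.cnf.
  cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Internal Mirror CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  cat > "$dir/leaf.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF

  # 1. CA key and self-signed CA certificate (ca.key never leaves machine A).
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1

  # 2. Server key and CSR carrying the SAN; the CN alone is ignored by clients.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$dir/leaf.cnf" -keyout "$dir/mirror.key" -out "$dir/mirror.csr" 2>/dev/null || return 1

  # 3. Sign it. `x509 -req` drops CSR extensions by default, so the SAN is supplied
  #    again via -extfile/-extensions; without this the issued cert would have no SAN.
  openssl x509 -req -in "$dir/mirror.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$dir/leaf.cnf" -extensions v3_leaf \
    -out "$dir/mirror.crt" 2>/dev/null || return 1

  # 4. nginx/OpenResty server block for machine A (assumed install paths).
  cat > "$dir/mirror.conf" <<EOF
server {
    listen 60443 ssl;
    server_name $host;
    ssl_certificate     /usr/local/openresty/nginx/conf/mirror.crt;
    ssl_certificate_key /usr/local/openresty/nginx/conf/mirror.key;
    root /usr/local/openresty/nginx/html;
}
EOF
}

# verify_mirror_cert DIR HOST: the same two checks a client performs, chain and name.
verify_mirror_cert() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/mirror.crt" >/dev/null 2>&1
}

# san_of DIR: print the SAN value of the issued certificate.
san_of() {
  openssl x509 -noout -ext subjectAltName -in "$1/mirror.crt" | sed -n '2s/^[[:space:]]*//p'
}

dir=${MIRROR_PKI_DIR:-${TMPDIR:-/tmp}/mirror-pki}
make_mirror_pki "$dir" www.example.com
echo "issued SAN: $(san_of "$dir")"
verify_mirror_cert "$dir" www.example.com && echo "www.example.com: OK"
verify_mirror_cert "$dir" www.xyz.com || echo "www.xyz.com: hostname mismatch, as expected"
echo "on B: wget --ca-certificate=$dir/ca.crt https://www.example.com:60443/download/nodejs/v16.14.0/node-v16.14.0-linux-x64.tar.xz"
```

Copy mirror.crt and mirror.key into the OpenResty conf directory on A and reload nginx. On B, either pass the CA explicitly (wget --ca-certificate=ca.crt, curl --cacert ca.crt) or install ca.crt into the system trust store (update-ca-certificates on Debian/Ubuntu, update-ca-trust on RHEL-family), after which the plain wget from the start of this post verifies and succeeds. ca.key stays on A: anyone holding it can issue certificates that every B trusts.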
References
Server host name and certificate do not match (Chinese)
https://www.a5idc.net/helpview_2366.html
wget error: certificate owner does not match hostname
https://unix.stackexchange.com/questions/756670/wget-error-certificate-owner-does-not-match-hostname