
I'm trying to create self-signed certificates for my webserver but it's not going well. The title is the error message curl gives me when I run curl --noproxy "*" https://example.com (with example.com being the domain name of my webserver) on the webserver. It is a FQDN and resolvable.

wget --no-proxy https://example.com gets me

Resolving example.com (example.com)... 127.0.1.1
Connecting to example.com (example.com)|127.0.1.1|:443... connected.
    ERROR: certificate common name ‘’ doesn't match requested host name ‘example.com’.

Apparently, it "cannot obtain the common name" of my certificate. But I don't get why.

I generated the server certificate using this .cnf file, named server.cnf:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no


[req_distinguished_name]
countryName=            <country>
stateOrProvinceName=    <province>
localityName=           <locality>
organizationName=       <organization>
organizationalUnitName= <ou>
commonName=             example.com

[alt_names]
DNS.1 = example.com

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

using the command:

sudo certtool --generate-certificate \
--load-privkey /etc/ssl/web_domain_keys/server_key.pem \
--load-ca-certificate /etc/ssl/certs/CA_cert.pem \
--load-ca-privkey /etc/ssl/private/CA_key.pem \
--template /usr/lib/ssl/server.cnf \
--outfile /etc/ssl/server_cert.pem

When I run openssl s_client -connect example.com:443 the subject name is blank, but I don't know why this is:

depth=1 CN = ca.example.com
verify return:1
depth=0
verify return:1
---
Certificate chain
 0 s:
   i:CN = ca.example.com
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
   v:NotBefore: Mar  5 13:54:23 2024 GMT; NotAfter: Mar  5 13:54:23 2025 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
<correct certificate>
-----END CERTIFICATE-----
subject=
issuer=CN = ca.example.com
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
  • (1) You don't need to actually try a connection; openssl x509 -in server_cert.pem -subject [-noout] will show you that it's wrong (2) certtool is NOT an OpenSSL-related or -based program -- it is part of GnuTLS, and does not use the OpenSSL config format; its 'template' format is superficially similar (using lines containing name=value) but different in nearly all specifics, see its man page.
    Commented Mar 6 at 2:45
  • @dave_thompson_085 Thank you, I didn't realize that. I mixed two different tutorials without thinking much and made a mess
    – Seal_bebbe
    Commented Mar 9 at 11:27
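Following up on the comment above, this is the GnuTLS certtool template equivalent of the OpenSSL-style server.cnf from the question, followed by the issue-and-inspect steps; it is an added example, not code from the question or from the GnuTLS project. The working directory, the throwaway CA, and the XX country code are constructed for the example; the flat key names (cn, dns_name, tls_www_server, ...) are certtool's own template syntax.

```shell
#!/bin/sh
# Added example (not from the question or GnuTLS): certtool template
# matching the OpenSSL-style server.cnf, then issue and inspect the cert.
# Working directory, test CA and country code are constructed values.
set -eu

WORK="${WORK:-$(mktemp -d)}"
TEMPLATE="$WORK/server.tmpl"

# A certtool template is flat "key = value" lines (no [sections]); the
# subject and SAN fields have their own names, e.g. cn and dns_name.
write_gnutls_template() {
    cat > "$1" <<'EOF'
organization = "<organization>"
unit = "<ou>"
locality = "<locality>"
state = "<province>"
country = XX
cn = "example.com"
# Clients match the host name against the SAN, not against the CN
dns_name = "example.com"
expiration_days = 365
# End-entity TLS server purposes; deliberately no "ca" flag here
signing_key
encryption_key
tls_www_server
EOF
}

# Print the value a template gives for one key (strips optional quotes).
template_value() {            # $1 = template file, $2 = key
    sed -n "s/^$2 = \"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1"
}

write_gnutls_template "$TEMPLATE"

# Issue a throwaway CA and the server certificate only where GnuTLS and
# OpenSSL are installed, then confirm subject and SAN came out populated.
if command -v certtool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    printf 'cn = "ca.example.com"\nca\ncert_signing_key\nexpiration_days = 3650\n' > "$WORK/ca.tmpl"
    certtool --generate-privkey --outfile "$WORK/ca_key.pem"
    certtool --generate-self-signed --load-privkey "$WORK/ca_key.pem" \
        --template "$WORK/ca.tmpl" --outfile "$WORK/ca_cert.pem"
    certtool --generate-privkey --outfile "$WORK/server_key.pem"
    certtool --generate-certificate --load-privkey "$WORK/server_key.pem" \
        --load-ca-certificate "$WORK/ca_cert.pem" --load-ca-privkey "$WORK/ca_key.pem" \
        --template "$TEMPLATE" --outfile "$WORK/server_cert.pem"
    certtool --certificate-info --infile "$WORK/server_cert.pem" | grep -E 'Subject:|DNSname'
    openssl x509 -in "$WORK/server_cert.pem" -noout -subject -ext subjectAltName
fi
```

With the template above, openssl x509 prints a populated subject line and a subjectAltName DNS entry, which is what the blank subject= in the s_client output was missing.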
