Enforce HTTPS public key used #3

New Issue

Open

opened 2024-10-12 06:53:31 +02:00 by Benjamin_Loison · 18 comments

Benjamin_Loison commented 2024-10-12 06:53:31 +02:00

Owner

Copy Link

Related to Benjamin_Loison/HTTPS/issues/2.

Related to [Benjamin_Loison/HTTPS/issues/2](https://codeberg.org/Benjamin_Loison/HTTPS/issues/2).

Benjamin_Loison commented 2024-10-13 22:18:30 +02:00

Author

Owner

Copy Link

The Ask Ubuntu answer 201923 may help.

[The Ask Ubuntu answer 201923](https://askubuntu.com/a/201923) may help.

Benjamin_Loison commented 2024-10-14 00:04:38 +02:00

Author

Owner

Copy Link

curl https://localhost

Output:

curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

```bash curl https://localhost ``` <details> <summary>Output:</summary> ``` curl: (60) SSL certificate problem: certificate has expired More details here: https://curl.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above. ``` </details>

Benjamin_Loison commented 2024-10-14 00:15:01 +02:00

Author

Owner

Copy Link

curl https://localhost

Output:

curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

```bash curl https://localhost ``` <details> <summary>Output:</summary> ``` curl: (60) SSL certificate problem: self-signed certificate More details here: https://curl.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above. ``` </details>

Benjamin_Loison commented 2024-10-14 00:34:18 +02:00

Author

Owner

Copy Link

curl --cacert localhost.pem https://localhost

works fine.

```bash curl --cacert localhost.pem https://localhost ``` works fine.

Benjamin_Loison closed this issue 2024-10-14 00:34:24 +02:00

Benjamin_Loison commented 2024-10-14 01:07:09 +02:00

Author

Owner

Copy Link

IPV4_ADDRESS=XXX.XXX.XXX.XXX
curl --cacert $IPV4_ADDRESS.pem https://$IPV4_ADDRESS

Output:

curl: (60) SSL: no alternative certificate subject name matches target host name 'IPV4_ADDRESS'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

with default certificate.

```bash IPV4_ADDRESS=XXX.XXX.XXX.XXX curl --cacert $IPV4_ADDRESS.pem https://$IPV4_ADDRESS ``` <details> <summary>Output:</summary> ``` curl: (60) SSL: no alternative certificate subject name matches target host name 'IPV4_ADDRESS' More details here: https://curl.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above. ``` </details> with default certificate.

Benjamin_Loison reopened this issue 2024-10-14 01:07:09 +02:00

Benjamin_Loison commented 2024-10-14 01:12:14 +02:00

Author

Owner

Copy Link

curl --cacert XXX.XXX.XXX.XXX.pem https://XXX.XXX.XXX.XXX

works fine.

```bash curl --cacert XXX.XXX.XXX.XXX.pem https://XXX.XXX.XXX.XXX ``` works fine.

Benjamin_Loison closed this issue 2024-10-14 01:12:15 +02:00

Benjamin_Loison commented 2024-11-28 12:32:16 +01:00

Author

Owner

Copy Link

Firefox > Connection not secure > More information > View Certificate > Miscellaneous > Download > PEM (cert).

curl --cacert XXX.XXX.XXX.XXX.pem https://XXX.XXX.XXX.XXX

Output:

curl: (60) SSL: certificate subject name '*' does not match target host name 'XXX.XXX.XXX.XXX'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Firefox > *Connection not secure* > *More information* > *View Certificate* > *Miscellaneous* > *Download* > *PEM (cert)*. ```bash curl --cacert XXX.XXX.XXX.XXX.pem https://XXX.XXX.XXX.XXX ``` <details> <summary>Output:</summary> ``` curl: (60) SSL: certificate subject name '*' does not match target host name 'XXX.XXX.XXX.XXX' More details here: https://curl.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above. ``` </details>

Benjamin_Loison commented 2024-11-28 12:33:57 +01:00

Author

Owner

Copy Link

DuckDuckGo and Google search "curl: (60) SSL: certificate subject name '*' does not match target host name" and "SSL: certificate subject name '*' does not match target host name".

DuckDuckGo and Google search `"curl: (60) SSL: certificate subject name '*' does not match target host name"` and `"SSL: certificate subject name '*' does not match target host name"`.

Benjamin_Loison commented 2024-11-28 12:43:47 +01:00

Author

Owner

Copy Link

curl --help | grep -iE 'cert|subject|name|target|host'

Output:

 -O, --remote-name          Write output to a file named as the remote file
 -A, --user-agent <name>    Send User-Agent <name> to server

```bash curl --help | grep -iE 'cert|subject|name|target|host' ``` <details> <summary>Output:</summary> ``` -O, --remote-name Write output to a file named as the remote file -A, --user-agent <name> Send User-Agent <name> to server ``` </details>

Benjamin_Loison commented 2024-11-28 12:44:58 +01:00

Author

Owner

Copy Link

man curl | grep -iE 'cert|subject'

already returns many results.

```bash man curl | grep -iE 'cert|subject' ``` already returns many results.

Benjamin_Loison commented 2024-11-28 12:45:27 +01:00

Author

Owner

Copy Link

man curl

Output:

       --cacert <file>
              (TLS) Tells curl to use the specified certificate file to verify the peer. The file may contain multiple CA certificates.
              The certificate(s) must be in PEM format. Normally curl is built to use a default file for this, so this option is  typi‐
              cally used to alter that default file.

              curl  recognizes  the environment variable named 'CURL_CA_BUNDLE' if it is set, and uses the given path as a path to a CA
              cert bundle. This option overrides that variable.

              The windows version of curl automatically looks for a CA certs file named 'curl-ca-bundle.crt', either in the same direc‐
              tory as curl.exe, or in the Current Working Directory, or in any folder along your PATH.

              (iOS and macOS only) If curl is built against Secure Transport, then this option is supported for backward  compatibility
              with other SSL engines, but it should not be set. If the option is not set, then curl uses the certificates in the system
              and user Keychain to verify the peer, which is the preferred method of verifying the peer's certificate chain.

              (Schannel  only)  This option is supported for Schannel in Windows 7 or later (added in 7.60.0). This option is supported
              for backward compatibility with other SSL engines; instead it is recommended to use Windows' store of  root  certificates
              (the default for Schannel).

              If --cacert is provided several times, the last set value is used.

              Example:
               curl --cacert CA-file.txt https://example.com

              See also --capath and -k, --insecure.

```bash man curl ``` <details> <summary>Output:</summary> ``` --cacert <file> (TLS) Tells curl to use the specified certificate file to verify the peer. The file may contain multiple CA certificates. The certificate(s) must be in PEM format. Normally curl is built to use a default file for this, so this option is typi‐ cally used to alter that default file. curl recognizes the environment variable named 'CURL_CA_BUNDLE' if it is set, and uses the given path as a path to a CA cert bundle. This option overrides that variable. The windows version of curl automatically looks for a CA certs file named 'curl-ca-bundle.crt', either in the same direc‐ tory as curl.exe, or in the Current Working Directory, or in any folder along your PATH. (iOS and macOS only) If curl is built against Secure Transport, then this option is supported for backward compatibility with other SSL engines, but it should not be set. If the option is not set, then curl uses the certificates in the system and user Keychain to verify the peer, which is the preferred method of verifying the peer's certificate chain. (Schannel only) This option is supported for Schannel in Windows 7 or later (added in 7.60.0). This option is supported for backward compatibility with other SSL engines; instead it is recommended to use Windows' store of root certificates (the default for Schannel). If --cacert is provided several times, the last set value is used. Example: curl --cacert CA-file.txt https://example.com See also --capath and -k, --insecure. ``` </details>

Benjamin_Loison commented 2024-12-02 21:56:24 +01:00

Author

Owner

Copy Link

import requests

IPV4_ADDRESS = 'XXX.XXX.XXX.XXX'
requests.get(f'https://{IPV4_ADDRESS}', verify = f'{IPV4_ADDRESS}.pem')

Output:

Traceback (most recent call last):
  File "<tmp 3>", line 4, in <module>
    requests.get('https://XXX.XXX.XXX.XXX', verify = 'XXX.XXX.XXX.XXX.pem')
  File "/home/benjamin/venv/lib/python3.12/site-packages/requests/api.py", line 73, in get
    return request("get", url, params=params, **kwargs)
  File "/home/benjamin/venv/lib/python3.12/site-packages/requests/api.py", line 59, in request
    return session.request(method=method, url=url, **kwargs)
  File "/home/benjamin/venv/lib/python3.12/site-packages/requests/sessions.py", line 589, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/benjamin/venv/lib/python3.12/site-packages/requests/sessions.py", line 703, in send
    r = adapter.send(request, **kwargs)
  File "/home/benjamin/venv/lib/python3.12/site-packages/requests/adapters.py", line 698, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='XXX.XXX.XXX.XXX', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for 'XXX.XXX.XXX.XXX'. (_ssl.c:1000)")))

```python import requests IPV4_ADDRESS = 'XXX.XXX.XXX.XXX' requests.get(f'https://{IPV4_ADDRESS}', verify = f'{IPV4_ADDRESS}.pem') ``` <details> <summary>Output:</summary> ``` Traceback (most recent call last): File "<tmp 3>", line 4, in <module> requests.get('https://XXX.XXX.XXX.XXX', verify = 'XXX.XXX.XXX.XXX.pem') File "/home/benjamin/venv/lib/python3.12/site-packages/requests/api.py", line 73, in get return request("get", url, params=params, **kwargs) File "/home/benjamin/venv/lib/python3.12/site-packages/requests/api.py", line 59, in request return session.request(method=method, url=url, **kwargs) File "/home/benjamin/venv/lib/python3.12/site-packages/requests/sessions.py", line 589, in request resp = self.send(prep, **send_kwargs) File "/home/benjamin/venv/lib/python3.12/site-packages/requests/sessions.py", line 703, in send r = adapter.send(request, **kwargs) File "/home/benjamin/venv/lib/python3.12/site-packages/requests/adapters.py", line 698, in send raise SSLError(e, request=request) requests.exceptions.SSLError: HTTPSConnectionPool(host='XXX.XXX.XXX.XXX', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for 'XXX.XXX.XXX.XXX'. (_ssl.c:1000)"))) ``` </details>

Benjamin_Loison commented 2024-12-03 13:28:31 +01:00

Author

Owner

Copy Link

Maybe using --cacert and -k is more secure than just -k.

Could try experimentally.

Related to Benjamin_Loison/requests/issues/3#issuecomment-2492123.

Maybe using `--cacert` and `-k` is more secure than just `-k`. Could try experimentally. Related to [Benjamin_Loison/requests/issues/3#issuecomment-2492123](https://codeberg.org/Benjamin_Loison/requests/issues/3#issuecomment-2492123).

👍 1

Benjamin_Loison reopened this issue 2024-12-03 13:28:31 +01:00

Benjamin_Loison commented 2024-12-06 17:30:39 +01:00

Author

Owner

Copy Link

Related to Benjamin_Loison/git/issues/93.

Related to [Benjamin_Loison/git/issues/93](https://codeberg.org/Benjamin_Loison/git/issues/93).

Benjamin_Loison commented 2025-08-29 22:34:08 +02:00

Author

Owner

Copy Link

cat localhost.pem | curl --cacert - https://localhost

curl: (77) error setting certificate file: -

cat localhost.pem | curl --cacert /dev/stdin https://localhost

2025-08-29 20:33:53

Source: the Unix Stack Exchange answer 505831

``` cat localhost.pem | curl --cacert - https://localhost ``` ``` curl: (77) error setting certificate file: - ``` ``` cat localhost.pem | curl --cacert /dev/stdin https://localhost ``` ``` 2025-08-29 20:33:53 ``` Source: [the Unix Stack Exchange answer 505831](https://unix.stackexchange.com/a/505831)

Benjamin_Loison commented 2025-10-21 11:15:16 +02:00

Author

Owner

Copy Link

echo -n | openssl s_client -connect lemnoslife.com:443 -CAfile /usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_CA.crt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > lemnoslife.com.pem

Output:

depth=1 C = US, O = Let's Encrypt, CN = E8
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = altiscraft.fr
verify return:1
DONE

To generate firefox_lemnoslife.com.pem I used urldecode which seems to have work.

diff {firefox,ask_ubuntu_201923}_lemnoslife.com.pem 

Output:

7c7
< eN330SOWFlzWtRG y9SKiiS0l6WqoR59QgKWQ8riWUikmPSjggJoMIICZDAOBgNV
---
> eN330SOWFlzWtRG+y9SKiiS0l6WqoR59QgKWQ8riWUikmPSjggJoMIICZDAOBgNV
18,19c18,19
< 5YAVy3bLbwB2AA5XlLzzrqk MxssmQez95Dfm8I9cTIl3SGpJaxhxU4hAAABmc8K
< qtIAAAQDAEcwRQIgKBWI CoYj/Tju2mP8NtON4XIPLw988Ll2Pe yC6XBN8CIQD2
---
> 5YAVy3bLbwB2AA5XlLzzrqk+MxssmQez95Dfm8I9cTIl3SGpJaxhxU4hAAABmc8K
> qtIAAAQDAEcwRQIgKBWI+CoYj/Tju2mP8NtON4XIPLw988Ll2Pe+yC6XBN8CIQD2

curl --cacert lemnoslife.com.pem https://54.37.228.22

curl: (77) error setting certificate file: lemnoslife.com.pem

on the server:

-----BEGIN PGP MESSAGE-----

hF4DTQa9Wom5MBgSAQdAyG8knegHEUupkRSF3ItpFrlZNJMu0+dlC1FNiIT44Q4w
vZm1OMg83G30jqdSZB8AHqhRcuHtXEvX6YCT/JvJWl4QOeXM4ZSSYugi8Tco5UJs
1FEBCQIQ7mKp0T8EgLA+HkSVVZhV13Tmnyf07RxsyNYd4QYfFH/XvqRdJKZP0yKN
mPaIibr39cuN2vFbunPre8GhnK36HCYwfgMfsi0vBhCfOCI=
=gSPV
-----END PGP MESSAGE-----

PEM (chain) does not help.

```bash echo -n | openssl s_client -connect lemnoslife.com:443 -CAfile /usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_CA.crt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > lemnoslife.com.pem ``` <details> <summary>Output:</summary> ``` depth=1 C = US, O = Let's Encrypt, CN = E8 verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 CN = altiscraft.fr verify return:1 DONE ``` </details> To generate `firefox_lemnoslife.com.pem` I used `urldecode` which seems to have work. ``` diff {firefox,ask_ubuntu_201923}_lemnoslife.com.pem ``` <details> <summary>Output:</summary> ``` 7c7 < eN330SOWFlzWtRG y9SKiiS0l6WqoR59QgKWQ8riWUikmPSjggJoMIICZDAOBgNV --- > eN330SOWFlzWtRG+y9SKiiS0l6WqoR59QgKWQ8riWUikmPSjggJoMIICZDAOBgNV 18,19c18,19 < 5YAVy3bLbwB2AA5XlLzzrqk MxssmQez95Dfm8I9cTIl3SGpJaxhxU4hAAABmc8K < qtIAAAQDAEcwRQIgKBWI CoYj/Tju2mP8NtON4XIPLw988Ll2Pe yC6XBN8CIQD2 --- > 5YAVy3bLbwB2AA5XlLzzrqk+MxssmQez95Dfm8I9cTIl3SGpJaxhxU4hAAABmc8K > qtIAAAQDAEcwRQIgKBWI+CoYj/Tju2mP8NtON4XIPLw988Ll2Pe+yC6XBN8CIQD2 ``` </details> ``` curl --cacert lemnoslife.com.pem https://54.37.228.22 ``` ``` curl: (77) error setting certificate file: lemnoslife.com.pem ``` <details> <summary>on the server:</summary> ``` -----BEGIN PGP MESSAGE----- hF4DTQa9Wom5MBgSAQdAyG8knegHEUupkRSF3ItpFrlZNJMu0+dlC1FNiIT44Q4w vZm1OMg83G30jqdSZB8AHqhRcuHtXEvX6YCT/JvJWl4QOeXM4ZSSYugi8Tco5UJs 1FEBCQIQ7mKp0T8EgLA+HkSVVZhV13Tmnyf07RxsyNYd4QYfFH/XvqRdJKZP0yKN mPaIibr39cuN2vFbunPre8GhnK36HCYwfgMfsi0vBhCfOCI= =gSPV -----END PGP MESSAGE----- ``` </details> *PEM (chain)* does not help.

Benjamin_Loison commented 2025-10-21 11:39:44 +02:00

Author

Owner

Copy Link

--header 'Host: lemnoslife.com' does not help.

`--header 'Host: lemnoslife.com'` does not help.

Benjamin_Loison commented 2025-10-21 11:44:24 +02:00

Author

Owner

Copy Link

Would secure ping heartbeat crontab on the server:

-----BEGIN PGP MESSAGE-----

hF4DTQa9Wom5MBgSAQdA6g7zm42s4ZSeiZMCKK78FxrtSNuS80t8+mVpebGM+nMw
t/ycaRwEoZOpwwuxX0dQNZnRaUTvuQ9GeO0I8DoXNUXxAMJ1qFu9+fGzdx+tuNe5
1FMBCQIQv95Uc5VUGRpInVplDqDxhRxt/FqW0PiiGJB72ZngwweGV46dlyYcmnAQ
yCjdoFeOD54tfz3xSD/ge9CwRSRfRi547pdwuj6I0M2b/HBbVw==
=vfzy
-----END PGP MESSAGE-----

<details> <summary>Would secure ping heartbeat <code>crontab</code> on the server:</summary> ``` -----BEGIN PGP MESSAGE----- hF4DTQa9Wom5MBgSAQdA6g7zm42s4ZSeiZMCKK78FxrtSNuS80t8+mVpebGM+nMw t/ycaRwEoZOpwwuxX0dQNZnRaUTvuQ9GeO0I8DoXNUXxAMJ1qFu9+fGzdx+tuNe5 1FMBCQIQv95Uc5VUGRpInVplDqDxhRxt/FqW0PiiGJB72ZngwweGV46dlyYcmnAQ yCjdoFeOD54tfz3xSD/ge9CwRSRfRi547pdwuj6I0M2b/HBbVw== =vfzy -----END PGP MESSAGE----- ``` </details>

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

No results found.

No results found.

Labels

No items

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

Benjamin_Loison

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: Benjamin_Loison/curl#3

No description provided.