[SOLVED] Default certificate

indexer · 06-19-2012, 04:00 PM

I have a problem on my server i just cannot get resolved. Everytime I try to use wget to download from an https page I get an error saying the certificate is the wrong one (i also get this using GIT).

The error I get:

Code:

ERROR: certificate common name `www.serverlicious.org' doesn't match requested host name `www.tweakers.net'.

The error I get using GIT:

Code:

error: SSL: certificate subject name (www.serverlicious.org) does not match target host name 'bitbucket.org' while accessing https://...

It's like the system is trying to use a default certificate or something. Hours of searching the web and my system have had no results. Does anyone know what my problem might be?

unSpawn · 06-19-2012, 07:07 PM

Instead of promoting insecure connections with "--no-check-certificate" as about every web log and wget does in its output and manual here's an explanation how to add certificates to your store: http://wiki.openwrt.org/doc/howto/wget-ssl-certs. You can find out the issuers root CA by running 'echo | openssl s_client -connect bitbucket.org:443 -verify 5 -showcerts 2>&1| grep CA', search for "download [vendor name] root certificate" and download them here.

sag47 · 06-19-2012, 07:38 PM

Adding on to unSpawn you can add that certificate to your trust store like so...

Code:

openssl x509 -text -in DigiCertGlobalCA.crt >> /etc/ssl/certs/ca-bundle.trust.crt

Assuming that's how your server handles certificates (it does it that way on my Fedora and similarly Ubuntu machines). Though my server already has the DigiCert CA certs installed by default.

*edit*: on my Ubuntu system the path is /etc/ssl/certs/ca-certificates.crt. Also you don't need to run that openssl command to import it on Ubuntu; you can simply cat the certificate...

Code:

cat DigiCertGlobalCA.crt >> /etc/ssl/certs/ca-certificates.crt