如何解决“NSS 错误 -12276 (SSL_ERROR_BAD_CERT_DOMAIN)”

Question

I found only one SO Post on the error "NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN) ."

I am running a simple python app on localhost on a CentOS server. The Python app is just a little helper client that makes http requests to an external API when requested by ManageIQ, the main app running on this appliance.

Out of the blue the python app has stopped accepting requests. ManageIQ logs the following error:

Errno::ECONNREFUSED: Failed to open TCP connection to localhost:8080 (Connection refused - connect(2) for "localhost" port 8080)

To debug it, I ran a curl command on the command line: curl --verbose http://localhost/flavors/Linux?name=Basic_A1

The output was:

* About to connect() to localhost port 80 (#0)
*   Trying ::1...
* Connected to localhost (::1) port 80 (#0)
> GET /flavors/Linux?name=Basic_A1 HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Wed, 11 Nov 2020 16:17:57 GMT
< Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_auth_gssapi/1.5.1 mod_auth_kerb/5.4
< Location: https://localhost/flavors/Linux?name=Basic_A1
< Content-Length: 229
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://localhost/flavors/Linux?name=Basic_A1">here</a>.</p>
</body></html>
* Connection #0 to host localhost left intact

This suggested to me that I needed https, so I tried curl --verbose https://localhost/flavors/Linux?name=Basic_A1

* About to connect() to localhost port 443 (#0)
*   Trying ::1...
* Connected to localhost (::1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*       subject: E=mike.butak@expeditors.com,CN=miq-dev.chq.ei,OU=IS-Systems Administration,O=Expeditors,C=US
*       start date: Aug 24 22:20:01 2020 GMT
*       expire date: May 11 22:20:01 2040 GMT
*       common name: miq-dev.chq.ei
*       issuer: CN=Expeditors Server CA,OU=IS Security,O=Expeditors,C=US
* NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)
* Unable to communicate securely with peer: requested domain name does not match the server's certificate.
* Closing connection 0
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.

Been searching most of the day for a fix. This has happened to me in the past and was easily fixed by re-installing our corporate root certificate in the /etc/pki/ca-trust/source/anchors folder and then running update-ca-trust enable and update-ca-trust extract per this post on serverfault . But today for some reason it didn't work.

Any pointers? Thanks!

Answer 1

.... requested domain name does not match the server's certificate

This error means that you've requested localhost as domain name on the URL but the certificate was not issued for localhost . This has nothing to do with the root CA so it does not help to update these. Instead it is a mismatch between the name you use to access the site and the name which is in the certificate - so you need to adjust one of these.

Errno::ECONNREFUSED: Failed to open TCP connection to localhost:8080 (Connection refused - connect(2) for "localhost" port 8080)

This is a totally different error and completely unrelated to the error you got with curl. With curl you've tried to access localhost port 443 and got a name mismatch in the certificate. With Python you tried to access localhost port 8080 and got a connection error since there is no server on this port in the first place.