[英]How to solve "NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)"
I found only one SO Post on the error "NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN) ."我在错误“NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN) ” 上只发现了一个 SO Post 。
I am running a simple python app on localhost on a CentOS server.我在 CentOS 服务器上的本地主机上运行一个简单的 python 应用程序。 The Python app is just a little helper client that makes http requests to an external API when requested by ManageIQ, the main app running on this appliance.
Python 应用程序只是一个小助手客户端,当 ManageIQ 请求时,它向外部 API 发出 http 请求,ManageIQ 是在此设备上运行的主应用程序。
Out of the blue the python app has stopped accepting requests.突然,python 应用程序已停止接受请求。 ManageIQ logs the following error:
ManageIQ 记录以下错误:
Errno::ECONNREFUSED: Failed to open TCP connection to localhost:8080 (Connection refused - connect(2) for "localhost" port 8080)
To debug it, I ran a curl command on the command line: curl --verbose http://localhost/flavors/Linux?name=Basic_A1
为了调试它,我在命令行上运行了 curl 命令:
curl --verbose http://localhost/flavors/Linux?name=Basic_A1
The output was:输出是:
* About to connect() to localhost port 80 (#0)
* Trying ::1...
* Connected to localhost (::1) port 80 (#0)
> GET /flavors/Linux?name=Basic_A1 HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Wed, 11 Nov 2020 16:17:57 GMT
< Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_auth_gssapi/1.5.1 mod_auth_kerb/5.4
< Location: https://localhost/flavors/Linux?name=Basic_A1
< Content-Length: 229
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://localhost/flavors/Linux?name=Basic_A1">here</a>.</p>
</body></html>
* Connection #0 to host localhost left intact
This suggested to me that I needed https, so I tried curl --verbose https://localhost/flavors/Linux?name=Basic_A1
这向我表明我需要 https,所以我尝试
curl --verbose https://localhost/flavors/Linux?name=Basic_A1
* About to connect() to localhost port 443 (#0)
* Trying ::1...
* Connected to localhost (::1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: E=mike.butak@expeditors.com,CN=miq-dev.chq.ei,OU=IS-Systems Administration,O=Expeditors,C=US
* start date: Aug 24 22:20:01 2020 GMT
* expire date: May 11 22:20:01 2040 GMT
* common name: miq-dev.chq.ei
* issuer: CN=Expeditors Server CA,OU=IS Security,O=Expeditors,C=US
* NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)
* Unable to communicate securely with peer: requested domain name does not match the server's certificate.
* Closing connection 0
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
Been searching most of the day for a fix.一天中的大部分时间都在寻找修复程序。 This has happened to me in the past and was easily fixed by re-installing our corporate root certificate in the
/etc/pki/ca-trust/source/anchors
folder and then running update-ca-trust enable
and update-ca-trust extract
per this post on serverfault .这在过去发生在我身上,通过在
/etc/pki/ca-trust/source/anchors
文件夹中重新安装我们的公司根证书,然后运行update-ca-trust enable
和update-ca-trust extract
很容易解决根据 serverfault 上的这篇文章update-ca-trust extract
。 But today for some reason it didn't work.但是今天由于某种原因它不起作用。
Any pointers?任何指针? Thanks!
谢谢!
.... requested domain name does not match the server's certificate
.... 请求的域名与服务器的证书不匹配
This error means that you've requested localhost
as domain name on the URL but the certificate was not issued for localhost
.此错误意味着您已请求
localhost
作为 URL 上的域名,但未为localhost
颁发证书。 This has nothing to do with the root CA so it does not help to update these.这与根 CA 无关,因此它无助于更新这些。 Instead it is a mismatch between the name you use to access the site and the name which is in the certificate - so you need to adjust one of these.
相反,它是您用于访问站点的名称与证书中的名称不匹配 - 因此您需要调整其中之一。
Errno::ECONNREFUSED: Failed to open TCP connection to localhost:8080 (Connection refused - connect(2) for "localhost" port 8080)
Errno::ECONNREFUSED: 无法打开到 localhost:8080 的 TCP 连接(连接被拒绝 - “localhost”端口 8080 的连接(2))
This is a totally different error and completely unrelated to the error you got with curl.这是一个完全不同的错误,与您使用 curl 遇到的错误完全无关。 With curl you've tried to access localhost port 443 and got a name mismatch in the certificate.
使用 curl,您尝试访问本地主机端口 443 并在证书中发现名称不匹配。 With Python you tried to access localhost port 8080 and got a connection error since there is no server on this port in the first place.
使用 Python,您尝试访问 localhost 端口 8080 并出现连接错误,因为该端口上首先没有服务器。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.