
I've got an issue validating my certificate when I'm doing an HTTPS request to my dedicated server.

I ran this command to create my certificate and my private key:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -passout file:passphrase.txt -out cert.pem -days 365

and when I run a command to check whether the certificate and the key match, they match.

Then I set up my SSL server:

server {

    # SSL configuration
    #
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;
    server_name mydomain.com;
    ssl on;
    ssl_certificate           /pathtocert.pem;
    ssl_certificate_key       /pathtokey.pem;
    client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads
    ssl_password_file         /pathtopassphrase.txt;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /pathtocert.pem;
    # Google DNS, Open DNS, Dyn DNS
    resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 216.146.35.35 216.146.36.36 valid=300s;
    resolver_timeout 3s;
}

but when I execute my curl request:

$curl = curl_init();

// OPTIONS:
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_HTTPHEADER, array(
  "APIKEY: " . self::APIKEY,
  'Content-Type: application/json',
));
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);

// Peer verification stays enabled; the host name is checked against the certificate (2).
//curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);
// CA bundle used to verify the server certificate.
curl_setopt($curl, CURLOPT_CAINFO, public_path() . "\CA\Something.crt");

// EXECUTE:
$result = curl_exec($curl);

I get a certificate issue as below:

SSL: unable to obtain common name from peer certificate

I simply have to secure my API; that's my goal.

Simon Uldry

1 Answer

I'm creating mine with these commands and it works for me every time.

$ openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
$ openssl rsa -passin pass:x -in server.pass.key -out server.key
$ rm server.pass.key
$ openssl req -new -key server.key -out server.csr
$ openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt

And this is my nginx.conf

server {
    listen 443 default_server ssl http2;

    server_name IP_ADRESS;

    ssl_certificate /home/NAMEOFCOMPUTER/keys/server.crt;
    ssl_certificate_key /home/NAMEOFCOMPUTER/keys/server.key;
    ssl_session_cache shared:SSL:10m;

    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/htpasswd.kibana;

    location / {
        proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
Kerem
  • Actually, steps 1 to 4 can be accomplished using: `openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr` – Richard Smith Apr 15 '18 at 15:48
  • OK, finally I have downloaded the certificate by browser; now I get another issue: `SSL: certificate subject name does not match target host name` – Simon Uldry Apr 15 '18 at 16:23
  • Are you trying to access it with an IP address or a host name? – Kerem Apr 15 '18 at 16:24
  • By hostname. Thanks, I got the point: I resolved it by recreating my certificate and changing the common name to match my hostname – Simon Uldry Apr 15 '18 at 16:41
  • *"I resolved by recreate my certificate and changing the common name to match with my hostname..."* - ***`CN=www.example.com`*** is probably wrong. Hostnames always go in the *SAN*. If it's present in the *CN*, then it must be present in the *SAN* too (you have to list it twice in this case). For more rules and reasons, see [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639) You will also need to place the self-signed certificate in the appropriate trust store. – jww Apr 15 '18 at 20:34
  • It's like I am missing something. I don't have any SAN. What I want in reality is simply to communicate between server A and B and do asymmetric encryption. Must I have a SAN for it? – Simon Uldry Apr 15 '18 at 21:42
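The point raised in the comments above (the hostname belongs in the SAN, and the self-signed certificate must be the client's trust anchor), as an added shell example; this is not code from the question or the answer. It assumes OpenSSL 1.1.1 or newer (for `-addext`), and `api.example.test` is a constructed placeholder hostname.

```shell
#!/bin/sh
# Added example: self-signed cert with the hostname in the SAN, checked the way a client checks it.
# Assumes OpenSSL 1.1.1+ (-addext). HOST is a constructed placeholder.
set -eu

HOST="api.example.test"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Hostname in both CN and SAN: the SAN is what clients match against.
make_san_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" 2>/dev/null
}

# Hostname only in the CN (no SAN), as in the question's original certificate.
make_cn_only_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$1" \
        -keyout "$WORKDIR/cn.key" -out "$WORKDIR/cn.pem" 2>/dev/null
}

# "yes" if the certificate carries a subjectAltName extension, else "no".
cert_has_san() {
    if openssl x509 -in "$1" -noout -text | grep -q "Subject Alternative Name"; then
        echo yes
    else
        echo no
    fi
}

# "yes" if the certificate verifies for hostname $2 with itself as the trust
# anchor (-CAfile), which is what curl's CURLOPT_CAINFO / --cacert must point
# at for a self-signed server certificate; "no" on a name mismatch.
cert_matches_host() {
    if openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Usage: prints one line per check; then e.g. curl --cacert "$WORKDIR/cert.pem" https://$HOST/
if command -v openssl >/dev/null 2>&1; then
    make_san_cert "$HOST"
    echo "SAN present:                $(cert_has_san "$WORKDIR/cert.pem")"                        # yes
    echo "matches $HOST:     $(cert_matches_host "$WORKDIR/cert.pem" "$HOST")"                    # yes
    echo "matches other.example.test: $(cert_matches_host "$WORKDIR/cert.pem" other.example.test)" # no
fi
```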