我有 *.mydomain 的证书,并尝试使用https://my-host.mydomain访问主机。
这是详细的输出(有点乱)。
curl https://my-host.mydomain --verbose
* Rebuilt URL to: https://my-host.mydomain/
* Trying 10.0.128.43...
* Connected to my-host.mydomain (10.0.128.43) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: CN=*.mydomain,OU=MyDomain,O=MyCompany,ST=AZ,C=US
* start date: Nov 09 01:39:29 2016 GMT
* expire date: Nov 09 01:39:29 2017 GMT
* common name: *.mydomain
* issuer: CN=my.other.domain.com,OU=MyDomain,O=MyCompany,ST=AZ,C=US
* NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)
* Unable to communicate securely with peer: requested domain name does not match the server's certificate.
* Closing connection 0
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
我见过几个案例,人们会抱怨 *.bla 与 bla 不匹配,但这不是我的情况。
我只有疯狂和荒谬的猜测:
- 这可能与发行人处于完全独立的域中有关吗?
- 也许我不允许发出 2 级通配符?(例如 *.ab 可以,但 *.b 不行)
以相同方式为 *.other.domain.com 获得的证书可以正常工作。