Curl can't verify SSL certificate, but browser can

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://pterodactyl.trixyservers.com

I ran this command: curl https://pterodactyl.trixyservers.com:8443

It produced this output:
curl: (60) SSL: no alternative certificate subject name matches target host name 'pterodactyl.trixyservers.com'
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

My web server is (include version): Apache 2.4.38

The operating system my web server runs on is (include version): Deepin 20.2 (based on Debian)

My hosting provider, if applicable, is: ionos.com is my domain provider, if that's what this means

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no, unless pterodactyl counts

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.14.0

2 Likes

The certificate returned is only valid for node1.trixyservers.com. You should install the proper certificate for the proper virtualhost.

2 Likes

More specifically, just in case it wasn't clear from the circumstances and what Osiris wrote:

You have a server on port 443 serving https://pterodactyl.trixyservers.com/ and that's fine and it has a certificate which proves it is pterodactyl.trixyservers.com however on port 8443 you've got another server (likely an Apache virtual host) which presents instead this certificate for node1.trixyservers.com

Maybe the situation is that the port 8443 service is only intended to be named node1.trixyservers.com, in which case things are more or less working and you just need to call it node1.trixyservers.com to get things working as you expected. e.g. curl https://node1.trixyservers.com:8443/

Or maybe the situation is that you need different Apache virtual host settings to get what you wanted. We can't tell from here.

2 Likes

Everything is running on the same system, and each domain has a cert, and one of my programs can't verify the certificate either, so it can't run and I have no idea how to fix it

1 Like

Forgive me if I sound a little ignorant, but I think I get what you mean

Still confused though

1 Like

So "curl https://pterodactyl.trixyservers.com" works, but adding :8443 doesn't work, and https://node1.trixyservers.com:8443 doesn't work at all, also, even though i have ssl certs set up for all 3 sites, only pterodactyl.trixyservers.com has ssl? im so confused

1 Like

Welcome to the Let's Encrypt Community :slightly_smiling_face:

I'll try to help make things clearer.

You can use the following to track what certs have been issued for trixyservers.com:

https://crt.sh/

In your apache configuration, you need to look at the VirtualHosts defined in your configuration files. Specifically you need to look at which ServerName and (maybe) ServerAlias is/are defined within each VirtualHost along with which SSL certificate and key is defined within that VirtualHost. You're pairing the host (ServerName/ServerAlias) with the certificate and its key. Be aware of the port number associated with each VirtualHost (something like *:443).

You should begin by identifying which configuration files are active with:

sudo apachectl -S

You can use the following to identify which certificates you have available:

sudo certbot certificates

That command will help you match the certificate names to a part of the directory listed next to the SSL certificate and key directives in your apache VirtualHosts. This will let you know what domain names are covered by each named certificate and the path to the appropriate fullchain and privkey files for that certificate.

Everything looks valid to me, but still only one of the sites seems to have SSL despite the others being set up correctly (all by certbot). Is it because I'm running it on only one apache server?