Which certificate to choose in order to verify http server ?
ping mydomain.com :
ping www.mydomain.com
PING www.mydomain.com (11.22.33.44) 56(84) bytes of data.
64 bytes from 11.22.33.44: icmp_seq=1 ttl=48 time=126 ms
To create certificate with acme:
acme.sh --issue --dns dns_cf -d mydomain.com --force --server letsencrypt
Check the result:
ls mydomain.dom
backup ca.cer fullchain.cer mydomain.com.cer mydomain.com.conf mydomain.com.csr mydomain.com.csr.conf mydomain.com.key
sudo cp /root/.acme.sh/mydomain.com/mydomain.com.crt /etc/ssl/certs/mysql_server.crt
sudo cp /root/.acme.sh/mydomain.com/mydomain.com.key /etc/ssl/certs/mysql_server.key
Setting in http server-apache2(in debian):
vim /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
DocumentRoot /var/www/html
ServerName mydomain.com
SSLEngine on
SSLProtocol all -sslv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateFile "/etc/ssl/certs/mysql_server.crt"
SSLCertificateKeyFile "/etc/ssl/certs/mysql_server.key"
<FilesMatch ".(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/html">
AllowOverride All
SSLOptions +StdEnvVars
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:444>
DocumentRoot /var/www/html
ServerName mydomain.com
SSLEngine on
SSLProtocol all -sslv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateFile "/etc/ssl/certs/mysql_server.crt"
SSLCertificateKeyFile "/etc/ssl/certs/mysql_server.key"
<FilesMatch ".(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/html">
AllowOverride All
SSLOptions +StdEnvVars
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Show the index.html in /var/www/html:
vim /var/www/html/index.html
<p>
you are welcome
</p>
scp all files in /root/.acme.sh/mydomain.com into local's /tmp.
scp -r root@11.22.33.44:/root/.acme.sh/mydomain.com /tmp
Type https://www.mydomain.com in browser:
Now check the verification without certificate:
curl -k https://www.mydomain.com
<p>
your are welcome!
</p>
Now check the verification with certificate:
curl -v --cacert mydomain.com.cer https://www.mydomain.com
* Trying 11.22.33.44..
* Connected to www.mydomain.com (11.22.33.44) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: mydomain.com.cer
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=mydomain.com
* start date: Apr 20 05:24:22 2022 GMT
* expire date: Jul 19 05:24:21 2022 GMT
* subjectAltName does not match www.mydomain.com
* SSL: no alternative certificate subject name matches target host name 'www.mydomain.com'
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'www.mydomain.com'
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
curl -v --cacert fullchain.cer https://www.mydomain.com
* Trying 11.22.33.44:443...
* Connected to www.mydomain.com (11.22.33.44) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: fullchain.cer
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=mydomain.com
* start date: Apr 20 05:24:22 2022 GMT
* expire date: Jul 19 05:24:21 2022 GMT
* subjectAltName does not match www.mydomain.com
* SSL: no alternative certificate subject name matches target host name 'www.mydomain.com'
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'www.mydomain.com'
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
curl -v --cacert ca.cer https://www.mydomain.com
* Trying 11.22.33.44:443...
* Connected to www.mydomain.com (11.22.33.44) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: ca.cer
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=mydomain.com
* start date: Apr 20 05:24:22 2022 GMT
* expire date: Jul 19 05:24:21 2022 GMT
* subjectAltName does not match www.mydomain.com
* SSL: no alternative certificate subject name matches target host name 'www.mydomain.com'
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'www.mydomain.com'
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
curl -v --cacert /etc/ssl/certs/ISRG_Root_X1.pem https://www.mydomain.com
* Trying 11.22.33.44:443...
* Connected to www.mydomain.com (11.22.33.44) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ISRG_Root_X1.pem
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Which certificate to choose in order to verify http server ?