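I've only found one S.O. post on the error "NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)".
I'm running a simple Python application on localhost on a CentOS server. The Python app is just a small helper client that makes http requests to an external API when requested by ManageIQ, which is the main application running on this appliance.
Out of the blue, the Python application has stopped accepting requests. ManageIQ logs the following error: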
Errno::ECONNREFUSED: Failed to open TCP connection to localhost:8080 (Connection refused - connect(2) for "localhost" port 8080)
To debug it, I ran a curl command on the command line: curl --verbose http://localhost/flavors/Linux?name=Basic_A1
The output is as follows:
* About to connect() to localhost port 80 (#0)
* Trying ::1...
* Connected to localhost (::1) port 80 (#0)
> GET /flavors/Linux?name=Basic_A1 HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Wed, 11 Nov 2020 16:17:57 GMT
< Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_auth_gssapi/1.5.1 mod_auth_kerb/5.4
< Location: https://localhost/flavors/Linux?name=Basic_A1
< Content-Length: 229
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://localhost/flavors/Linux?name=Basic_A1">here</a>.</p>
</body></html>
* Connection #0 to host localhost left intact
This suggested that I needed https, so I tried: curl --verbose https://localhost/flavors/Linux?name=Basic_A1
* About to connect() to localhost port 443 (#0)
* Trying ::1...
* Connected to localhost (::1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: E=mike.butak@expeditors.com,CN=miq-dev.chq.ei,OU=IS-Systems Administration,O=Expeditors,C=US
* start date: Aug 24 22:20:01 2020 GMT
* expire date: May 11 22:20:01 2040 GMT
* common name: miq-dev.chq.ei
* issuer: CN=Expeditors Server CA,OU=IS Security,O=Expeditors,C=US
* NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)
* Unable to communicate securely with peer: requested domain name does not match the server's certificate.
* Closing connection 0
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
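I spent most of the day looking for a fix. This has happened to me before, and it was easily fixed by re-installing our company root certificate in the /etc/pki/ca-trust/source/anchors folder and then running update-ca-trust enable and update-ca-trust extract, per this post on serverfault. But today, for some reason, it doesn't work.
Any pointers? Thanks!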
Posted on 2020-11-11 06:15:52
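... requested domain name does not match the server's certificate
This error means that you've requested localhost as the domain name in the URL, but the certificate was not issued for localhost. This has nothing to do with the root CA, so it does not help to update these. Instead, it is a mismatch between the name you use to access the site and the names in the certificate, so you need to adjust one of them.
Errno::ECONNREFUSED: Failed to open TCP connection to localhost:8080 (Connection refused - connect(2) for "localhost" port 8080)
This is a completely different error, totally unrelated to the one you get with curl. With curl you've tried to access localhost port 443 and got a name mismatch in the certificate. With Python you've tried to access localhost port 8080 and got a connection error, since there is no server on this port in the first place.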
https://stackoverflow.com/questions/64777906
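The three failure layers the answer separates (TCP refusal, CA trust, certificate name), as an added Python example that is not part of the original question or answer. SAMPLE_CERT is constructed from the subject CN in the curl output, the function names are illustrative, and the wildcard rule is a simplified form of the usual matching.

```python
import socket
import ssl

# Constructed sample in ssl.getpeercert() format, using the subject CN from the
# curl output above; the page shows no subjectAltName, so none is included.
SAMPLE_CERT = {"subject": ((("countryName", "US"),), (("commonName", "miq-dev.chq.ei"),))}


def names_in_cert(cert):
    """DNS names a client compares against: SAN entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        label, _, rest = host.partition(".")
        return bool(label) and rest == pattern[2:]
    return pattern == host


def cert_covers(cert, host):
    return any(name_matches(n, host) for n in names_in_cert(cert))


def diagnose(host, port, cafile=None, timeout=5.0):
    """Return 'connection-refused', 'untrusted-chain', 'name-mismatch' or 'ok'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "connection-refused"      # TCP layer: nothing listening on the port
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False           # verify the chain first, the name separately
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return "untrusted-chain"         # the case update-ca-trust addresses
    return "ok" if cert_covers(cert, host) else "name-mismatch"


if __name__ == "__main__":
    print(diagnose("localhost", 8080))
```

Other errors, such as timeouts or a non-TLS service on the port, are left to propagate so they are not mistaken for one of these three cases.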