I am new to tướng CURL world, coming from Windows + .NET domain name.

Trying to tướng access Rest API for basic authentication at http://www.evercam.io/docs/api/v1/authentication.

curl -X GET https://api.evercam.io/v1/... \
-u {username}

Don't know how to tướng use this command on windows command prompt after having CURL setup successfully. Tested CURL as follows:

C:\>curl --version
curl 7.33.0 (x86_64-pc-win32) libcurl/7.33.0 OpenSSL/0.9.8y zlib/1.2.8 libssh2/1.4.3
Protocols: dict tệp tin ftp ftps gopher http https imap imaps pop3 pop3s rtsp scp s
ftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate Largefile NTLM SSL SSPI libz

Now i am ending with this

C:\>curl -u myuser:mypassword -X GET https://api.evercam.io/v1/
curl: (51) SSL: no alternative certificate subject name matches target host name 'api.evercam.io'

How can I fix this SSL issue 51 error ?

asked Dec 30, 2013 at 15:59

It usually happens when the certificate does not match with the host name.

The solution would be to tướng liên hệ the host and ask it to tướng fix its certificate.
Otherwise you can turn off cURL's verification of the certificate, use the -k (or --insecure) option.
Please note that as the option said, it is insecure. You shouldn't use this option because it allows man-in-the-middle attacks and defeats the purpose of HTTPS.

More can be found in here: http://curl.haxx.se/docs/sslcerts.html

miken32

42.7k16 gold badges121 silver badges170 bronze badges

answered Dec 30, 2013 at 16:30

3

Editor's note: this is a very dangerous approach, if you are using a version of PHP old enough to tướng use it. It opens your code to tướng man-in-the-middle attacks and removes one of the primary purposes of an encrypted connection. The ability to tướng bởi this has been removed from modern versions of PHP because it is sánh dangerous. The only reason this has been upvoted 70 time is because people are lazy. DO NOT DO THIS.


I know it's a (very) old question and it's about command line, but when I searched Google for "SSL: no alternative certificate subject name matches target host name", this was the first hit.

It took bu a good while to tướng figure out the answer sánh hope this saves someone a lot of time! In PHP add this to tướng your cUrl setopts:

curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, FALSE);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);

p.s: this should be a temporary solution. Since this is a certificate error, best thing is to tướng have the certificate fixed ofcourse!

miken32

42.7k16 gold badges121 silver badges170 bronze badges

answered Feb 29, năm 2016 at 17:04

4

The common name in the certicate for api.evercam.io is for *.herokuapp.com and there are no alternative subject names in the certificate. This means, that the certificate for api.evercam.io does not match the hostname and therefore the certificate verification fails. Same as true for www.evercam.io, e.g. try https://www.evercam.io with a browser and you get the error message, that the name in the certificate does not match the hostname.

So it is a problem which needs to tướng be fixed by evercam.io. If you don't care about security, man-in-the-middle attacks etc you might disable verification of the certificate (curl --insecure), but then you should ask yourself why you use https instead of http at all.

answered Dec 30, 2013 at 16:30

it might save some time to tướng somebody.

If you use GuzzleHttp and you face with this error message cURL error 60: SSL: no alternative certificate subject name matches target host name and you are fine with the 'insecure' solution (not recommended on production) then you have to tướng add \GuzzleHttp\RequestOptions::VERIFY => false to tướng the client configuration:

$this->client = new \GuzzleHttp\Client([
    'base_uri'                          => 'someAccessPoint',
    \GuzzleHttp\RequestOptions::HEADERS => [
        'User-Agent' => 'some-special-agent',
    ],
    'defaults'                          => [
        \GuzzleHttp\RequestOptions::CONNECT_TIMEOUT => 5,
        \GuzzleHttp\RequestOptions::ALLOW_REDIRECTS => true,
    ],
    \GuzzleHttp\RequestOptions::VERIFY  => false,
]);

which sets CURLOPT_SSL_VERIFYHOST to tướng 0 and CURLOPT_SSL_VERIFYPEER to tướng false in the CurlFactory::applyHandlerOptions() method

$conf[CURLOPT_SSL_VERIFYHOST] = 0;
$conf[CURLOPT_SSL_VERIFYPEER] = false;

From the GuzzleHttp documentation

verify

Describes the SSL certificate verification behavior of a request.

  • Set to tướng true to tướng enable SSL certificate verification and use the mặc định CA bundle > provided by operating system.
  • Set to tướng false to tướng disable certificate verification (this is insecure!).
  • Set to tướng a string to tướng provide the path to tướng a CA bundle to tướng enable verification using a custom certificate.

answered May 10, 2019 at 14:34

I had the same issue. In my case I was using digitalocean and nginx.
I have first setup a domain name example.ứng dụng and a subdomain dev.exemple.ứng dụng in digitalocean. Second,I purchased two ssl certificat from godaddy. And finaly, I configured two domain name in nginx to tướng use those two ssl certificat with the following snipet

My example.ứng dụng domain name config

    server {
    listen 7000 default_server;
    listen [::]:7000 default_server;

     listen 443 ssl default_server;
     listen [::]:443 ssl default_server;

    root /srv/nodejs/echantillonnage1;

    # Add index.php to tướng the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name echantillonnage.app;
    ssl_certificate /srv/nodejs/certificatSsl/widcardcertificate/echantillonnage.app.chained.crt;
    ssl_certificate_key /srv/nodejs/certificatSsl/widcardcertificate/echantillonnage.app.key;

    location / {
            # First attempt to tướng serve request as tệp tin, then
            # as directory, then fall back to tướng displaying a 404.
            proxy_pass http://127.0.0.1:8090;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
    #try_files $uri $uri/ =404;
    }
 }

My dev.example.app

   server {
    listen 7000 default_server;
    listen [::]:7000 default_server;

     listen 444 ssl default_server;
     listen [::]:444 ssl default_server;

    root /srv/nodejs/echantillonnage1;

    # Add index.php to tướng the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name dev.echantillonnage.app;
    ssl_certificate /srv/nodejs/certificatSsl/dev/dev.echantillonnage.app.chained.crt;
    ssl_certificate_key /srv/nodejs/certificatSsl/dev/dev.echantillonnage.app.key;

    location / {
            # First attempt to tướng serve request as tệp tin, then
            # as directory, then fall back to tướng displaying a 404.
            proxy_pass http://127.0.0.1:8091;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
    #try_files $uri $uri/ =404;
    }
 }

When I was launching https://dev.echantillonnage.ứng dụng , I was getting

    Fix CURL (51) SSL error: no alternative certificate subject name matches

My mistake was the two lines bellow

    listen 444 ssl default_server;
     listen [::]:444 ssl default_server;

I had to tướng change this to:

     listen 443 ssl;
     listen [::]:443 ssl;

answered May 2, 2019 at 4:17

1

As the error code says, "no alternative certificate subject name matches target host name" - sánh there is an issue with the SSL certificate.

The certificate should include SAN, and only SAN will be used. Some browsers ignore the deprecated Common Name.

RFC 2818 clearly states "If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to tướng use the dNSName instead."

answered Mar 26, 2019 at 9:17

I did something similar but for the purpose of testing, I had added the main domain name name to tướng my /etc/hosts tệp tin and kept struggling with it. So make sure you kiểm tra that tệp tin once as well.

starball

47.9k28 gold badges182 silver badges839 bronze badges

answered May 2, 2023 at 8:47

I used to tướng have the error when CN=example.ex but "Alternative Name" section missed example.ex
Just add example.ex to tướng "Alternative Name"