I am new to lớn CURL world, coming from Windows + .NET domain name.

Trying to lớn access Rest API for basic authentication at http://www.evercam.io/docs/api/v1/authentication.

curl -X GET https://api.evercam.io/v1/... \
-u {username}

Don't know how to lớn use this command on windows command prompt after having CURL setup successfully. Tested CURL as follows:

C:\>curl --version
curl 7.33.0 (x86_64-pc-win32) libcurl/7.33.0 OpenSSL/0.9.8y zlib/1.2.8 libssh2/1.4.3
Protocols: dict tệp tin ftp ftps gopher http https imap imaps pop3 pop3s rtsp scp s
ftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate Largefile NTLM SSL SSPI libz

Now i am ending with this

C:\>curl -u myuser:mypassword -X GET https://api.evercam.io/v1/
curl: (51) SSL: no alternative certificate subject name matches target host name 'api.evercam.io'

How can I fix this SSL issue 51 error ?

asked Dec 30, 2013 at 15:59

It usually happens when the certificate does not match with the host name.

The solution would be to lớn tương tác the host and ask it to lớn fix its certificate.
Otherwise you can turn off cURL's verification of the certificate, use the -k (or --insecure) option.
Please note that as the option said, it is insecure. You shouldn't use this option because it allows man-in-the-middle attacks and defeats the purpose of HTTPS.

More can be found in here: http://curl.haxx.se/docs/sslcerts.html

miken32

42.7k16 gold badges121 silver badges171 bronze badges

answered Dec 30, 2013 at 16:30

3

Editor's note: this is a very dangerous approach, if you are using a version of PHP old enough to lớn use it. It opens your code to lớn man-in-the-middle attacks and removes one of the primary purposes of an encrypted connection. The ability to lớn vì thế this has been removed from modern versions of PHP because it is so sánh dangerous. The only reason this has been upvoted 70 time is because people are lazy. DO NOT DO THIS.

I know it's a (very) old question and it's about command line, but when I searched Google for "SSL: no alternative certificate subject name matches target host name", this was the first hit.

It took má a good while to lớn figure out the answer so sánh hope this saves someone a lot of time! In PHP add this to lớn your cUrl setopts:

curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, FALSE);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);

p.s: this should be a temporary solution. Since this is a certificate error, best thing is to lớn have the certificate fixed ofcourse!

miken32

42.7k16 gold badges121 silver badges171 bronze badges

answered Feb 29, năm nhâm thìn at 17:04

4

The common name in the certicate for api.evercam.io is for *.herokuapp.com and there are no alternative subject names in the certificate. This means, that the certificate for api.evercam.io does not match the hostname and therefore the certificate verification fails. Same as true for www.evercam.io, e.g. try https://www.evercam.io with a browser and you get the error message, that the name in the certificate does not match the hostname.

So it is a problem which needs to lớn be fixed by evercam.io. If you don't care about security, man-in-the-middle attacks etc you might disable verification of the certificate (curl --insecure), but then you should ask yourself why you use https instead of http at all.

answered Dec 30, 2013 at 16:30

it might save some time to lớn somebody.

If you use GuzzleHttp and you face with this error message cURL error 60: SSL: no alternative certificate subject name matches target host name and you are fine with the 'insecure' solution (not recommended on production) then you have to lớn add \GuzzleHttp\RequestOptions::VERIFY => false to lớn the client configuration:

$this->client = new \GuzzleHttp\Client([
    'base_uri'                          => 'someAccessPoint',
    \GuzzleHttp\RequestOptions::HEADERS => [
        'User-Agent' => 'some-special-agent',
    ],
    'defaults'                          => [
        \GuzzleHttp\RequestOptions::CONNECT_TIMEOUT => 5,
        \GuzzleHttp\RequestOptions::ALLOW_REDIRECTS => true,
    ],
    \GuzzleHttp\RequestOptions::VERIFY  => false,
]);

which sets CURLOPT_SSL_VERIFYHOST to lớn 0 and CURLOPT_SSL_VERIFYPEER to lớn false in the CurlFactory::applyHandlerOptions() method

$conf[CURLOPT_SSL_VERIFYHOST] = 0;
$conf[CURLOPT_SSL_VERIFYPEER] = false;

From the GuzzleHttp documentation

verify

Describes the SSL certificate verification behavior of a request.

  • Set to lớn true to lớn enable SSL certificate verification and use the mặc định CA bundle > provided by operating system.
  • Set to lớn false to lớn disable certificate verification (this is insecure!).
  • Set to lớn a string to lớn provide the path to lớn a CA bundle to lớn enable verification using a custom certificate.

answered May 10, 2019 at 14:34

I had the same issue. In my case I was using digitalocean and nginx.
I have first setup a domain name example.phầm mềm and a subdomain dev.exemple.phầm mềm in digitalocean. Second,I purchased two ssl certificat from godaddy. And finaly, I configured two domain name in nginx to lớn use those two ssl certificat with the following snipet

My example.phầm mềm domain name config 

    server {
    listen 7000 default_server;
    listen [::]:7000 default_server;

     listen 443 ssl default_server;
     listen [::]:443 ssl default_server;

    root /srv/nodejs/echantillonnage1;

    # Add index.php to lớn the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name echantillonnage.app;
    ssl_certificate /srv/nodejs/certificatSsl/widcardcertificate/echantillonnage.app.chained.crt;
    ssl_certificate_key /srv/nodejs/certificatSsl/widcardcertificate/echantillonnage.app.key;

    location / {
            # First attempt to lớn serve request as tệp tin, then
            # as directory, then fall back to lớn displaying a 404.
            proxy_pass http://127.0.0.1:8090;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
    #try_files $uri $uri/ =404;
    }
 }

My dev.example.app

   server {
    listen 7000 default_server;
    listen [::]:7000 default_server;

     listen 444 ssl default_server;
     listen [::]:444 ssl default_server;

    root /srv/nodejs/echantillonnage1;

    # Add index.php to lớn the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name dev.echantillonnage.app;
    ssl_certificate /srv/nodejs/certificatSsl/dev/dev.echantillonnage.app.chained.crt;
    ssl_certificate_key /srv/nodejs/certificatSsl/dev/dev.echantillonnage.app.key;

    location / {
            # First attempt to lớn serve request as tệp tin, then
            # as directory, then fall back to lớn displaying a 404.
            proxy_pass http://127.0.0.1:8091;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
    #try_files $uri $uri/ =404;
    }
 }

When I was launching https://dev.echantillonnage.phầm mềm , I was getting 

    Fix CURL (51) SSL error: no alternative certificate subject name matches

My mistake was the two lines bellow

    listen 444 ssl default_server;
     listen [::]:444 ssl default_server;

I had to lớn change this to:

     listen 443 ssl;
     listen [::]:443 ssl;

answered May 2, 2019 at 4:17

1

As the error code says, "no alternative certificate subject name matches target host name" - so sánh there is an issue with the SSL certificate.

The certificate should include SAN, and only SAN will be used. Some browsers ignore the deprecated Common Name.

RFC 2818 clearly states "If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to lớn use the dNSName instead."

answered Mar 26, 2019 at 9:17

I did something similar but for the purpose of testing, I had added the main domain name name to lớn my /etc/hosts tệp tin and kept struggling with it. So make sure you kiểm tra that tệp tin once as well.

starball

48k28 gold badges183 silver badges842 bronze badges

answered May 2, 2023 at 8:47

I used to lớn have the error when CN=example.ex but "Alternative Name" section missed example.ex
Just add example.ex to lớn "Alternative Name"