Odd TLS Error when using curl on origin server x.509

I am hoping someone can help explain what is happening in this situation.

As of now, I have a domain from Google Domains and I am using Cloudflare for my DNS management. I am not using any TLS/SSL features from Cloudflare, Universal SSL is off, and I am not proxying my DNS requests either. I use Caddy as my reverse proxy on my server and I am using the built-in ACME client that gets certificates from Let's Encrypt. I am getting certificates fine and my external sites are all showing the cert being used, which is the cert located on my server. However, when I run a curl command on my server over HTTPS, I get this strange behaviour:

To explain more, I am trying to send a curl request to my Gotify server/instance. Here is the output when I use the Gotify CLI command `gotify init` and type in my domain with https://. (This happens for all of my domains when I run the basic curl commands below after the gotify command, but I am using the Gotify CLI as an example of where the error originates.)

x509: certificate is not valid for any names, but wanted to match gotify.mydomain.com

So, I run these curl commands to figure out what is happening.

Command: `curl -v https://gotify.mydomain.com`

Output:

* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

My CApath literally has all of the certs from the ca-certificates package. And my external sites are using my cert, but my server is having issues and I don't know why.

When I run this command, `curl -v --insecure https://gotify.mydomain.com`, I get even stranger results. Output:

* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=CN; ST=TW; L=TB; O=ASKEY; OU=ROUTER; CN=askey.com; [email protected]
*  start date: Jan  8 18:43:23 2022 GMT
*  expire date: Jan  7 18:43:23 2025 GMT
*  issuer: C=CN; ST=TW; L=TB; O=ASKEY; OU=ROUTER; CN=askey.com; [email protected]
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> Host: gotify.mydomain.com
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Location: /1.2.4/login.html
< Content-Length: 0
< Date: Sun, 24 Apr 2022 13:51:04 GMT
< Server: lighttpd/1.4.38
<
* Connection #0 to host gotify.mydomain.com left intact

I have absolutely no idea where this "askey" cert even came from. It is nowhere located on my server AFAIK. I am beyond confused. I am located in Taiwan, so the TW code might make a little sense. I didn't even have access to my server remotely on Jan 8th, so I don't know what happened.

When I see this `Location: /1.2.4/login.html`, it makes me think something is going on with my router, because that is the path for my router admin login page.

anx
It is somewhat common for wireless hotspots to [force you to complete some action](https://en.wikipedia.org/wiki/Captive_portal) by meddling with any and all your connections until you comply. Your [browser might know](http://detectportal.firefox.com/canonical.html) how to automatically deal with this.
Steffen Ullrich
Askey is a Taiwanese producer of routers. What you show indicates a [captive portal](https://en.wikipedia.org/wiki/Captive_portal) of such a router, which you need to pass before you can access the internet.
Alex Zoller
But I am confused, my origin server is located in the US. The error should have nothing to do with my client connections, right? I just SSH into my machine and run these commands. I will look into the captive portal I suppose.
Alex Zoller
I understand what is happening now. Basically, I am trying to access my external/public IP (through my domain that points to my external IP/route) internally on the same network where my server is, which won't work AFAIK. I will need to set up dnsmasq or something to do the rewriting.
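The tell-tale signs in the `curl -v --insecure` output above (subject equals issuer, CN that does not match the requested host, a 302 to a router login page) can be checked mechanically. The following is an added example, not code from the question or the commenters: it parses the relevant lines of curl's output (a constructed copy of the output above, with the redacted emailAddress field left out) and reports whether something other than the origin server answered. Assumptions: the curl 7.x `-v` line format shown on this page, and a simplified hostname match against the CN only, since `curl -v` does not print subjectAltNames.

```python
import re

# Constructed sample: the relevant lines of the curl -v --insecure output from the question.
SAMPLE_CURL_OUTPUT = """\
* Server certificate:
*  subject: C=CN; ST=TW; L=TB; O=ASKEY; OU=ROUTER; CN=askey.com
*  issuer: C=CN; ST=TW; L=TB; O=ASKEY; OU=ROUTER; CN=askey.com
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
< HTTP/1.1 302 Found
< Location: /1.2.4/login.html
< Server: lighttpd/1.4.38
"""


def parse_dn(dn: str) -> dict:
    """Turn curl's 'C=CN; ST=TW; CN=askey.com' form into {'C': 'CN', ...}."""
    return dict(part.strip().split("=", 1) for part in dn.split(";") if "=" in part)


def hostname_matches(pattern: str, host: str) -> bool:
    """Simplified RFC 6125 match: exact name, or one leading wildcard label (*.example.com)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], host.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return False


def diagnose(curl_output: str, expected_host: str) -> dict:
    """Extract certificate facts from curl -v output and flag signs of an intercepting middlebox."""
    fields = dict(re.findall(r"^\*\s+(subject|issuer): (.+)$", curl_output, re.M))
    subject = parse_dn(fields.get("subject", ""))
    issuer = parse_dn(fields.get("issuer", ""))
    location = re.search(r"^< Location: (\S+)", curl_output, re.M)
    server = re.search(r"^< Server: (\S+)", curl_output, re.M)
    findings = {
        "cert_cn": subject.get("CN"),
        "self_signed": bool(subject) and subject == issuer,   # issuer == subject: nobody vouches for it
        "name_mismatch": not hostname_matches(subject.get("CN", ""), expected_host),
        "redirect_to_login": bool(location and "login" in location.group(1)),
        "server_header": server.group(1) if server else None,
    }
    # A self-signed cert for some other name means the TLS endpoint is not the origin
    # (here: the router's captive portal / admin UI answering for the public IP).
    findings["likely_intercepted"] = findings["self_signed"] and findings["name_mismatch"]
    return findings


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_CURL_OUTPUT, "gotify.mydomain.com").items():
        print(f"{key}: {value}")
```

Running the same function against output where the subject is the expected host and the issuer is a public CA yields `likely_intercepted: False`, which is what the external clients in the question see.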