pages: curl: (60) SSL: no alternative certificate subject name matches target hostname #1982

Crocmagnon commented 2025年06月12日 22:32:43 +02:00

Comment

Hello,
Is Codeberg pages having issues?

I had setup a site with custom domain at doses.augendre.info ; it worked fine and when checking tonight I see TLS issues.

$ dig doses.augendre.info +short
master.doses.crocmagnon.codeberg.page.
217.197.84.141

$ curl -v https://doses.augendre.info
* Host doses.augendre.info:443 was resolved.
* IPv6: 2a0a:4580:103f:c0de::2
* IPv4: 217.197.84.141
* Trying [2a0a:4580:103f:c0de::2]:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
* CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / x25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
* subject: CN=*.codeberg.page
* start date: May 11 17:54:35 2025 GMT
* expire date: Aug 9 17:54:34 2025 GMT
* subjectAltName does not match hostname doses.augendre.info
* SSL: no alternative certificate subject name matches target hostname 'doses.augendre.info'
* closing connection #0
curl: (60) SSL: no alternative certificate subject name matches target hostname 'doses.augendre.info'
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.

### Comment Hello, Is Codeberg pages having issues? I had setup a site with custom domain at `doses.augendre.info` ; it worked fine and when checking tonight I see TLS issues. ```console $ dig doses.augendre.info +short master.doses.crocmagnon.codeberg.page. 217.197.84.141 ``` ```console $ curl -v https://doses.augendre.info * Host doses.augendre.info:443 was resolved. * IPv6: 2a0a:4580:103f:c0de::2 * IPv4: 217.197.84.141 * Trying [2a0a:4580:103f:c0de::2]:443... * ALPN: curl offers h2,http/1.1 * TLSv1.3 (OUT), TLS handshake, Client hello (1): * CAfile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem * CApath: none * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8): * TLSv1.3 (IN), TLS handshake, Certificate (11): * TLSv1.3 (IN), TLS handshake, CERT verify (15): * TLSv1.3 (IN), TLS handshake, Finished (20): * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1): * TLSv1.3 (OUT), TLS handshake, Finished (20): * SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / x25519 / RSASSA-PSS * ALPN: server accepted h2 * Server certificate: * subject: CN=*.codeberg.page * start date: May 11 17:54:35 2025 GMT * expire date: Aug 9 17:54:34 2025 GMT * subjectAltName does not match hostname doses.augendre.info * SSL: no alternative certificate subject name matches target hostname 'doses.augendre.info' * closing connection #0 curl: (60) SSL: no alternative certificate subject name matches target hostname 'doses.augendre.info' More details here: https://curl.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the webpage mentioned above. ```

Crocmagnon commented 2025年06月12日 22:34:58 +02:00

Hm looks like it's already back online.
It's been like this for ~20 min, if that helps.

Now I'm waiting for my second pages website to come up at go.augendre.info.
Just out of curiosity, is there a way to check whether the certificate and TLS is config is ready before setting up the domain name? It would help reduce downtime when migrating from, say, GitHub pages. Or maybe setting up the domain is required to start the TLS delivery? The docs aren't very clear on this.

Hm looks like it's already back online. It's been like this for ~20 min, if that helps. Now I'm waiting for my second pages website to come up at `go.augendre.info`. Just out of curiosity, is there a way to check whether the certificate and TLS is config is ready before setting up the domain name? It would help reduce downtime when migrating from, say, GitHub pages. Or maybe setting up the domain is required to start the TLS delivery? The docs aren't very clear on this.

Crocmagnon commented 2025年06月12日 22:52:03 +02:00

I've been getting this error since 22h32 Europe/Paris (20mins ago)

$ curl -v https://go.augendre.info
* Host go.augendre.info:443 was resolved.
* IPv6: 2a0a:4580:103f:c0de::2
* IPv4: 217.197.84.141
* Trying [2a0a:4580:103f:c0de::2]:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
* CApath: none
* TLSv1.3 (IN), TLS alert, internal error (592):
* TLS connect error: error:0A000438:SSL routines::tlsv1 alert internal error
* closing connection #0
curl: (35) TLS connect error: error:0A000438:SSL routines::tlsv1 alert internal error

Repo: https://codeberg.org/Crocmagnon/go_augendre_info
.domains file: https://codeberg.org/Crocmagnon/go_augendre_info/src/branch/main/.domains

$ dig go.augendre.info +short
master.go_augendre_info.crocmagnon.codeberg.page.
217.197.84.141

I've been getting this error since 22h32 Europe/Paris (20mins ago) ```console $ curl -v https://go.augendre.info * Host go.augendre.info:443 was resolved. * IPv6: 2a0a:4580:103f:c0de::2 * IPv4: 217.197.84.141 * Trying [2a0a:4580:103f:c0de::2]:443... * ALPN: curl offers h2,http/1.1 * TLSv1.3 (OUT), TLS handshake, Client hello (1): * CAfile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem * CApath: none * TLSv1.3 (IN), TLS alert, internal error (592): * TLS connect error: error:0A000438:SSL routines::tlsv1 alert internal error * closing connection #0 curl: (35) TLS connect error: error:0A000438:SSL routines::tlsv1 alert internal error ``` Repo: https://codeberg.org/Crocmagnon/go_augendre_info .domains file: https://codeberg.org/Crocmagnon/go_augendre_info/src/branch/main/.domains ```console $ dig go.augendre.info +short master.go_augendre_info.crocmagnon.codeberg.page. 217.197.84.141 ```

Crocmagnon commented 2025年06月13日 00:17:23 +02:00

Still the same error, I rolled the domain back to github pages pending help.

Still the same error, I rolled the domain back to github pages pending help.

Crocmagnon commented 2025年06月14日 00:27:30 +02:00

Retried tonight, same error for ~30min, rolled back domain again.

Retried tonight, same error for ~30min, rolled back domain again.

Gusted commented 2025年06月14日 16:00:10 +02:00

It currently seems to work for me?

dig doses.augendre.info +short
master.doses.crocmagnon.codeberg.page.
217.197.84.141

curl -v doses.augendre.info 
* Host doses.augendre.info:80 was resolved.
* IPv6: 2a0a:4580:103f:c0de::2
* IPv4: 217.197.84.141
* Trying [2a0a:4580:103f:c0de::2]:80...
* Immediate connect fail for 2a0a:4580:103f:c0de::2: Network is unreachable
* Trying 217.197.84.141:80...
* Connected to doses.augendre.info (217.197.84.141) port 80
* using HTTP/1.x
> GET / HTTP/1.1
> Host: doses.augendre.info
> User-Agent: curl/8.14.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 302 Found
< content-length: 0
< location: https://doses.augendre.info/
< cache-control: no-cache
< 
* Connection #0 to host doses.augendre.info left intact

It currently seems to work for me? ``` dig doses.augendre.info +short master.doses.crocmagnon.codeberg.page. 217.197.84.141 ``` ``` curl -v doses.augendre.info * Host doses.augendre.info:80 was resolved. * IPv6: 2a0a:4580:103f:c0de::2 * IPv4: 217.197.84.141 * Trying [2a0a:4580:103f:c0de::2]:80... * Immediate connect fail for 2a0a:4580:103f:c0de::2: Network is unreachable * Trying 217.197.84.141:80... * Connected to doses.augendre.info (217.197.84.141) port 80 * using HTTP/1.x > GET / HTTP/1.1 > Host: doses.augendre.info > User-Agent: curl/8.14.1 > Accept: */* > * Request completely sent off < HTTP/1.1 302 Found < content-length: 0 < location: https://doses.augendre.info/ < cache-control: no-cache < * Connection #0 to host doses.augendre.info left intact ```

Crocmagnon commented 2025年06月14日 20:31:07 +02:00

@Gusted doses.augendre.info works, but I’ve been unable to make go.augendre.info work.

See #1982 (comment) and following.

@Gusted doses.augendre.info works, but I’ve been unable to make go.augendre.info work. See https://codeberg.org/Codeberg/Community/issues/1982#issuecomment-5109339 and following.

Crocmagnon commented 2025年06月15日 10:45:33 +02:00

I've managed to get it working by deleting the repo and recreating it without the domain file, moving the DNS record, then adding the domains file.
I suspect a few things:
The repo initially had dots in place of underscores, I renamed it before trying to enable pages but it may have leaked somehow
The repo doesn't have a master branch, it has a main branch. I did not document it here, but I tried with and without the branch name in the DNS record. Maybe there was some kind of memory here as well.

Anyway, it works fine now :)

I've managed to get it working by deleting the repo and recreating it without the domain file, moving the DNS record, then adding the domains file. I suspect a few things: The repo initially had dots in place of underscores, I renamed it before trying to enable pages but it may have leaked somehow The repo doesn't have a master branch, it has a main branch. I did not document it here, but I tried with and without the branch name in the DNS record. Maybe there was some kind of memory here as well. Anyway, it works fine now :)