FYI, I found that I had an old entry in /etc/hosts for this target domain to localhost. In effect, it was fetching the (VALID) wildcard cert from my dev server (localhost) instead of reaching out to the live server. The wildcard cert on localhost is valid, though (t1.skywaytheatre.com), so the error still indicates a bug; however, this may be considered a special use case, i.e. CURL error when the destination is localhost and the cert is a wildcard.

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to curl in Ubuntu.
https://bugs.launchpad.net/bugs/2028170

Title:
  curl 7.81.0-1ubuntu1.11 fails verifying proper ssl cert w/ subj-alt-name

Status in curl package in Ubuntu:
  Invalid
Status in curl source package in Focal:
  Invalid
Status in curl source package in Jammy:
  Fix Released
Status in curl source package in Kinetic:
  Invalid
Status in curl source package in Lunar:
  Invalid
Status in curl source package in Mantic:
  Invalid

Bug description:
  With the latest curl 7.81.0-1ubuntu1.11 on ubuntu 22.04, I'm getting the following:

    curl -v https://raw.githubusercontent.com
    *   Trying 185.199.108.133:443...
    * Connected to raw.githubusercontent.com (185.199.108.133) port 443 (#0)
    [...]
    * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
    * ALPN, server accepted to use h2
    * Server certificate:
    *  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.github.io
    *  start date: Feb 21 00:00:00 2023 GMT
    *  expire date: Mar 20 23:59:59 2024 GMT
    *  subjectAltName does not match raw.githubusercontent.com
    * SSL: no alternative certificate subject name matches target host name 'raw.githubusercontent.com'
    curl: (60) SSL: no alternative certificate subject name matches target host name 'raw.githubusercontent.com'
    More details here: https://curl.se/docs/sslcerts.html

    curl failed to verify the legitimacy of the server and therefore could not
    establish a secure connection to it. To learn more about this situation and
    how to fix it, please visit the web page mentioned above.

  --

  The alt name looks proper when looking at the cert w/ s_client:

    openssl s_client -connect raw.githubusercontent.com:443 </dev/null 2>/dev/null | openssl x509 -noout -text

    X509v3 Subject Alternative Name:
        DNS:*.github.io, DNS:github.io, DNS:*.github.com, DNS:github.com, DNS:www.github.com, DNS:*.githubusercontent.com, DNS:githubusercontent.com

  Previous versions of curl work as intended.
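
Added example, not part of the original message and not curl's own code: a leftmost-label wildcard matcher in the style of RFC 6125, run over the SAN list quoted in the bug description, to show which entries a client is expected to accept for a given host name. The function names and the "at least two fixed labels after the wildcard" policy are assumptions of this sketch.

```python
import ipaddress

# DNS SAN entries copied from the openssl output quoted in the bug description.
SAN_FROM_REPORT = [
    "*.github.io", "github.io", "*.github.com", "github.com",
    "www.github.com", "*.githubusercontent.com", "githubusercontent.com",
]


def _is_ip(name):
    # IP literals are matched against iPAddress SANs, never DNS wildcards.
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def _labels(name):
    # DNS names compare case-insensitively; one trailing dot is not significant.
    return name.rstrip(".").lower().split(".")


def san_matches(pattern, hostname):
    """Return True if one DNS SAN entry covers hostname."""
    if _is_ip(hostname):
        return False
    pat, host = _labels(pattern), _labels(hostname)
    if len(pat) != len(host) or "" in host:
        return False          # a wildcard never spans more than one label
    if pat[0] != "*":
        return pat == host    # anything but a bare "*" label is compared literally
    # Assumed policy: "*" must be the whole leftmost label, followed by at
    # least two fixed labels, so "*.com" can never match.
    if len(pat) < 3 or "*" in "".join(pat[1:]):
        return False
    return pat[1:] == host[1:]


def matching_sans(hostname, sans=SAN_FROM_REPORT):
    """List every SAN entry that covers hostname (empty list means mismatch)."""
    return [s for s in sans if san_matches(s, hostname)]


if __name__ == "__main__":
    for h in ("raw.githubusercontent.com", "githubusercontent.com",
              "a.b.githubusercontent.com", "localhost"):
        print(h, "->", matching_sans(h) or "no match")
```

A host name that yields an empty list here is a genuine mismatch; one that yields a match while curl still reports error 60 points at the client or at which server actually answered (for example an /etc/hosts override).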