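I am trying to use git fetch to access a github repository, but I am getting this error:
error: SSL: certificate subject name (*.opendns.com) does not match target host name 'github.com' while accessing https://github.com/<repo name>
This suddenly started happening earlier this afternoon, and it hasn't gone away. I figured there might be an issue with Github rejecting older versions of OpenSSL.
I am running Ubuntu 11.04 (Natty Narwhal), Git 1.7.4.1, and
openssl version -a
gives this: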
OpenSSL 0.9.8o 01 Jun 2010
built on: Tue May 22 23:20:32 UTC 2012
platform: debian-i386
options: bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall
OPENSSLDIR: "/usr/lib/ssl"
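Any help would be appreciated!
Update 5/1/2014:
Ended up updating Ubuntu to fix this problem. Read somewhere that this was the safest solution, since my local machine and Github's servers would be as up to date with each other as possible.
Answer 0: (score: 4)
You need to modify your /etc/resolv.conf file and remove/replace any references to the OpenDNS servers. This is what I did to my /etc/resolv.conf
In /etc/resolv.conf, replace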
#OpenDNS
nameserver 208.67.222.222
nameserver 208.67.220.220
with
#Google
nameserver 8.8.8.8
nameserver 8.8.4.4
Let me know if this fixes your SSL problem.
Answer 1: (score: 2)
Just use:
&words[2][1]
in your curl call
Answer 2: (score: 1)
This is probably more of a comment, but it won't fit in the comment box. To test your SSL/TLS connection:
First, go to DigiCert Trusted Root Authority Certificates and download "DigiCert SHA2 Extended Validation Server CA". The file name is DigiCertSHA2ExtendedValidationServerCA.crt.
Second, convert the DER to PEM:
$ openssl x509 -inform DER -in DigiCertSHA2ExtendedValidationServerCA.crt -outform PEM -out DigiCert-CA.pem
Third, use OpenSSL's s_client to verify the connection:
openssl s_client -connect github.com:443 -tls1 -servername github.com -CAfile DigiCert-CA.pem -ign_eof
The thing to notice is the verification result at the end:
Verify return code: 0 (ok)
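I received a Bad Request. I suspect that is because I asked for the root document. You should plug in your specific details.
Finally, verify the host names. OpenSSL prior to 1.0.2 does not perform hostname verification, so you have to jump through the extra hoops:
$ openssl s_client -connect github.com:443 -tls1 -servername github.com -CAfile DigiCert-CA.pem | openssl x509 -noout -text | grep "DNS:"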
...
DNS:github.com, DNS:www.github.com
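As best I can tell, from my view of the world, there is no problem with the SSL/TLS portion. It looks like the problem is with git.
You can check DNS with nslookup, but I'm not sure you will find anything useful: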
$ nslookup
> set q=a
> github.com
Server: 172.16.1.10
Address: 172.16.1.10#53
Non-authoritative answer:
Name: github.com
Address: 192.30.252.129
$ echo "GET / HTTP/1.0\r\n" | openssl s_client -connect github.com:443 -tls1 -servername github.com -CAfile DigiCert-CA.pem -ign_eof
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
verify return:1
depth=0 businessCategory = Private Organization, 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, serialNumber = 5157550, street = 548 4th Street, postalCode = 94107, C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = github.com
verify return:1
---
Certificate chain
0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3243 bytes and written 379 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES128-SHA
Session-ID: 9364E0346A77ABA5087FEEDA3C59443B1C672B6F553AB7183B9F48C2D3DE34CB
Session-ID-ctx:
Master-Key: 8B055C9CED9F517F7F3B1B49A4B517D478532503B3BB254BE4F11A2BD6445BE14444115797450604C6D6F17D169AA030
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1398213115
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
HTTP/1.0 400 Bad request
Cache-Control: no-cache
Connection: close
Content-Type: text/html
<html><body><h1>400 Bad request</h1>
Your browser sent an invalid request.
</body></html>
closed
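The hostname check that the answer above performs by eye (reading the DNS: entries from openssl x509 -noout -text) can be scripted. This is an added example, not part of the original answer; the function names are hypothetical and the two certificate fragments are constructed, modelled on the github.com certificate and the *.opendns.com certificate shown on this page.

```python
import re

# Constructed fragments in the layout of `openssl x509 -noout -text` output,
# modelled on the two certificates that appear on this page.
GITHUB_CERT = """\
        Subject: C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com
            X509v3 Subject Alternative Name:
                DNS:github.com, DNS:www.github.com
"""
OPENDNS_CERT = """\
        Subject: C=US, ST=California, L=San Francisco, O=OpenDNS, Inc., CN=*.opendns.com
"""

def san_dns_names(x509_text):
    """Return every DNS: entry of the subjectAltName extension."""
    return re.findall(r"DNS:([^,\s]+)", x509_text)

def subject_cn(x509_text):
    """Return the CN of the Subject line, or None if there is none."""
    m = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,/\n]+)", x509_text, re.M)
    return m.group(1).strip() if m else None

def name_matches(pattern, host):
    """Compare one certificate name with the host, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]   # reject "*.com"
    return p == h

def check_host(host, x509_text):
    """Return (ok, source, names); CN is used only when no SAN is present."""
    names, source = san_dns_names(x509_text), "SAN"
    if not names:
        cn = subject_cn(x509_text)
        names, source = ([cn] if cn else []), "CN"
    return any(name_matches(n, host) for n in names), source, names

if __name__ == "__main__":
    for host, text in [("github.com", GITHUB_CERT), ("github.com", OPENDNS_CERT)]:
        ok, source, names = check_host(host, text)
        print(f"{host}: {'match' if ok else 'MISMATCH'} against {source} {names}")
```

A mismatch against a name from an unrelated organisation, as in the second case, indicates that the connection ended at a different server than the one requested, so the next thing to inspect is name resolution or an intercepting network rather than the local OpenSSL build.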
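Answer 3: (score: 1)
I have been using OpenDNS for a long time, and it worked until today. I found the SSL & github problem as described in the first post.
I temporarily replaced the OpenDNS servers with GoogleDNS, and github works fine. This isolates the SSL problem to OpenDNS...
By the way, I observed it on Ubuntu 12.04 & Debian 7.4, so it is not related to 11.04. Ubuntu 14.04 works fine...
Ubuntu 12.04.4: openssl s_client -connect github.com:443 -tls1 -servername github.com reports: Verify return code: 20 (unable to get local issuer certificate)
The command host -t a github.com returns one of the addresses 192.30.252.128, 192.30.252.129, 192.30.252.130 or 192.30.252.131. I don't see a difference in github's behavior (using the OpenDNS resolvers).
On Ubuntu 12.04.4, wget cannot download the certificate, which is strange: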
$ wget -d https://www.digicert.com/CACerts/DigiCertSHA2ExtendedValidationServerCA.crt
DEBUG output created by Wget 1.13.4 on linux-gnu.
URI encoding = `UTF-8'
--2014-04-24 10:57:05-- https://www.digicert.com/CACerts/DigiCertSHA2ExtendedValidationServerCA.crt
Resolving www.digicert.com (www.digicert.com)... ::ffff:67.215.65.132, 64.78.193.234
Caching www.digicert.com => ::ffff:67.215.65.132 64.78.193.234
Connecting to www.digicert.com (www.digicert.com)|::ffff:67.215.65.132|:443... connected.
Created socket 3.
Releasing 0x099f77d8 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x099f7968
certificate:
subject: /C=US/ST=California/L=San Francisco/O=OpenDNS, Inc./CN=*.opendns.com
issuer: /C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
ERROR: no certificate subject alternative name matches
requested host name `www.digicert.com'.
To connect to www.digicert.com insecurely, use `--no-check-certificate'.
Closed 3/SSL 0x099f7968
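Answer 4: (score: 0)
To answer the comment about /etc/resolv.conf being overwritten, you need to use the resolvconf tool.
Remove the resolvconf information entered in the settings
$ sudo resolvconf -d eth0.inet
Add the local host information
$ sudo vim /etc/resolvconf/resolv.conf.d/base
Add:
nameserver 8.8.8.8
Update resolvconf
$ sudo resolvconf -u
Verify resolvconf
$ cat /etc/resolv.conf
It should look similar to: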
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 8.8.8.8
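Answer 5: (score: 0)
Your domain may not have an SSL certificate. Just try http://yourdomain.com instead of https://yourdomain.com
It worked for me
Answer 6: (score: 0)
IMO, you are using some free wireless network that requires a web login. The free WiFi authentication may have expired.
The login site is using DDN to redirect your requests to opendns.com.
All you need to do is open any website in a web browser and complete the authentication.
Answer 7: (score: 0)
I think this error is caused by an expired certificate. (Or at least, that was my case.)
1) Determine where the certificate file should be located for your distribution, according to this: https://serverfault.com/a/722646/535872
2) Grab the certificate and copy it into your certificate file: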
echo | openssl s_client -connect server:port 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /path/to/certs
For example:
echo | openssl s_client -connect pigeon@github.com:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/ssl/certs/ca-certificates.crt
3) Update the certificates
update-ca-certificates
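It should work after that.
Answer 8: (score: 0)
The error means that the certificate's common name is different from the git URL you are trying to push to or pull from.
For example, suppose you are pulling from the following URL.
For example, this is the bitbucket certificate as viewed from a browser.
For me, the solution was to make sure the git URL uses the same server name as the certificate common name, rather than an IP address.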
git remote set-url origin https://bitbucket.org/scm/test/some-application.git