I found only one S.O. post on the error "NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)."
I am running a simple python app on localhost on a CentOS server. The Python app is just a little helper client that makes http requests to an external API when requested by ManageIQ, the main app running on this appliance.
Out of the blue the python app has stopped accepting requests. ManageIQ logs the following error:
Errno::ECONNREFUSED: Failed to open TCP connection to localhost:8080 (Connection refused - connect(2) for "localhost" port 8080)
To debug it, I ran a curl command on the command line:

curl --verbose http://localhost/flavors/Linux?name=Basic_A1
The output was:
* About to connect() to localhost port 80 (#0)
*   Trying ::1...
* Connected to localhost (::1) port 80 (#0)
> GET /flavors/Linux?name=Basic_A1 HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Wed, 11 Nov 2020 16:17:57 GMT
< Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_auth_gssapi/1.5.1 mod_auth_kerb/5.4
< Location: https://localhost/flavors/Linux?name=Basic_A1
< Content-Length: 229
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://localhost/flavors/Linux?name=Basic_A1">here</a>.</p>
</body></html>
* Connection #0 to host localhost left intact
This suggested to me that I needed https, so I tried:

curl --verbose https://localhost/flavors/Linux?name=Basic_A1
* About to connect() to localhost port 443 (#0)
*   Trying ::1...
* Connected to localhost (::1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*       subject: [email protected],CN=miq-dev.chq.ei,OU=IS-Systems Administration,O=Expeditors,C=US
*       start date: Aug 24 22:20:01 2020 GMT
*       expire date: May 11 22:20:01 2040 GMT
*       common name: miq-dev.chq.ei
*       issuer: CN=Expeditors Server CA,OU=IS Security,O=Expeditors,C=US
* NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)
* Unable to communicate securely with peer: requested domain name does not match the server's certificate.
* Closing connection 0
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
Been searching most of the day for a fix. This has happened to me in the past and was easily fixed by re-installing our corporate root certificate in the /etc/pki/ca-trust/source/anchors folder and then running update-ca-trust enable and update-ca-trust extract, per this post on serverfault. But today for some reason it didn't work.
Any pointers? Thanks!
Best Answer
.... requested domain name does not match the server's certificate
This error means that you've requested localhost as the domain name in the URL, but the certificate was not issued for localhost. This has nothing to do with the root CA, so it does not help to update these. Instead it is a mismatch between the name you use to access the site and the name which is in the certificate, so you need to adjust one of these.
Errno::ECONNREFUSED: Failed to open TCP connection to localhost:8080 (Connection refused - connect(2) for "localhost" port 8080)
This is a totally different error and completely unrelated to the error you got with curl. With curl you've tried to access localhost port 443 and got a name mismatch in the certificate. With Python you tried to access localhost port 8080 and got a connection error since there is no server on this port in the first place.
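To make the answer's point concrete, here is an added Python example (not part of the original question or answer, and not ManageIQ's or the helper app's code). It reimplements the hostname check that curl/NSS performs on the peer certificate, using a certificate dict in the shape that Python's `ssl.SSLSocket.getpeercert()` returns, constructed from the subject and issuer lines in the curl output above. The `subjectAltName` entry for `miq-dev.chq.ei` is an assumption, since curl's NSS output does not print the SAN list. Notice that the issuer and the trust store never enter the comparison: only the requested name and the names in the certificate do, which is why re-running `update-ca-trust` cannot fix this error. The last function shows the usual way out when the certificate's name does not resolve on the box: keep the TCP connection to the loopback address but tell Python to verify against the name the certificate actually carries.

```python
import ipaddress
import socket
import ssl

# Constructed peer certificate in the shape ssl.SSLSocket.getpeercert() returns,
# built from the subject and issuer lines curl printed. The subjectAltName
# entry is an ASSUMPTION: curl's NSS output above does not show the SAN list.
SAMPLE_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Expeditors"),),
        (("organizationalUnitName", "IS-Systems Administration"),),
        (("commonName", "miq-dev.chq.ei"),),
    ),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Expeditors"),),
        (("organizationalUnitName", "IS Security"),),
        (("commonName", "Expeditors Server CA"),),
    ),
    "subjectAltName": (("DNS", "miq-dev.chq.ei"),),
}


def _dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison of one certificate DNS name with a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # A wildcard must be the entire leftmost label, may not appear elsewhere,
    # never spans a dot, and "*.tld" is rejected as too broad.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """Names the certificate is valid for: SAN entries, else legacy CN fallback."""
    san = [(kind, value) for kind, value in cert.get("subjectAltName", ())
           if kind in ("DNS", "IP Address")]
    if san:
        return san
    # No SAN at all: fall back to the subject CN. Modern browsers and current
    # Python refuse this fallback; it is kept here to explain older behaviour.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [("DNS", value)]
    return []


def hostname_matches(cert, hostname):
    """True if `hostname` (DNS name or IP literal) is covered by the certificate."""
    try:
        ip = ipaddress.ip_address(hostname.strip("[]"))
    except ValueError:
        ip = None
    for kind, value in cert_names(cert):
        if kind == "DNS" and ip is None and _dns_name_matches(value, hostname):
            return True
        if kind == "IP Address" and ip is not None:
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
    return False


def explain(cert, hostname):
    """Human-readable verdict mirroring what NSS reports as SSL_ERROR_BAD_CERT_DOMAIN."""
    if hostname_matches(cert, hostname):
        return "OK: %r matches the certificate" % hostname
    names = ", ".join(value for _, value in cert_names(cert)) or "(no names)"
    return ("name mismatch: requested %r but the certificate covers only %s; "
            "use one of those names in the URL or reissue the certificate with a "
            "SAN for %r. Adding CAs to the trust store does not change this."
            % (hostname, names, hostname))


def open_verified_tls(connect_host, port, server_hostname, cafile=None):
    """Connect to one address but verify the certificate against another name.

    TCP goes to `connect_host` (e.g. 127.0.0.1) while SNI and hostname
    verification use `server_hostname` (e.g. miq-dev.chq.ei). Uses the system
    CA store unless `cafile` is given. Network call: not exercised offline.
    """
    ctx = ssl.create_default_context(cafile=cafile)   # check_hostname=True
    with socket.create_connection((connect_host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print(explain(SAMPLE_CERT, "localhost"))
    print(explain(SAMPLE_CERT, "miq-dev.chq.ei"))
```

Running the block prints the mismatch verdict for `localhost` and an OK for `miq-dev.chq.ei`. The two fixes the answer lists map directly onto the code: either change the hostname you pass in (the URL, or `server_hostname` in `open_verified_tls`), or change the certificate so its SAN list includes `localhost` (and `127.0.0.1` / `::1` as IP Address entries if clients connect by address). Note that a SAN-bearing certificate's CN is ignored entirely, so adding `localhost` as the CN alone would not help against a modern verifier.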