SSL Error Certificate subject name does not match target host for github.com

I'm trying to access github's repositories using git fetch but I'm getting this error:

error: SSL: certificate subject name (*.opendns.com) does not match target host name 'github.com' while accessing https://github.com/<repo name>

This happened earlier this afternoon very suddenly, and it didn't go away. I thought it might be a problem with Github rejecting older versions of OpenSSL.

I am running Ubuntu 11.04 (Natty Narwhal), Git 1.7.4.1, and openssl version -a gives this:

OpenSSL 0.9.8o 01 Jun 2010
built on: Tue May 22 23:20:32 UTC 2012
platform: debian-i386
options:  bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) blowfish(idx) 
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall
OPENSSLDIR: "/usr/lib/ssl"

Any help would be greatly appreciated!

UPDATE 5/1/2014:

Ended up updating Ubuntu to solve this issue. Read somewhere that that is the most secure solution since both my local machine and Github's servers will be as up-to-date with each other as possible.



Solution 1:[1]

You need to modify your /etc/resolv.conf file and remove/replace any reference to OpenDNS servers. This is what I did to my /etc/resolv.conf

In /etc/resolv.conf, replace

#OpenDNS
nameserver 208.67.222.222
nameserver 208.67.220.220

with

#Google
nameserver 8.8.8.8
nameserver 8.8.4.4

Let me know if this resolves your SSL issue.

Solution 2:[2]

Just use:

(CURLOPT_SSL_VERIFYPEER => 0, CURLOPT_SSL_VERIFYHOST => 0,)

in your curl call

Solution 3:[3]

I had a similar issue and this answer came in handy. Simply type the following into your terminal.

git config --global http.sslverify "false"

Source: theserverside

Solution 4:[4]

This is probably more of a comment, but it won't fit in the comment block. To test your SSL/TLS connection:

First, go to DigiCert Trusted Root Authority Certificates and download "DigiCert SHA2 Extended Validation Server CA". The filename is DigiCertSHA2ExtendedValidationServerCA.crt.

Second, convert the DER to PEM:

$ openssl x509 -inform DER -in DigiCertSHA2ExtendedValidationServerCA.crt \
          -outform PEM -out DigiCert-CA.pem

Third, use OpenSSL's s_client to verify the connection:

openssl s_client -connect github.com:443 -tls1 -servername github.com \
        -CAfile DigiCert-CA.pem -ign_eof

The thing to notice is the verification result at the end:

Verify return code: 0 (ok)

I got a Bad Request. I suspect it's because I asked for the root document. You should plug in your particular details.

Finally, verify the hostname. OpenSSL prior to 1.0.2 does not perform hostname verification, so you get to jump through the extra hoops:

$ openssl s_client -connect github.com:443 -tls1 -servername github.com \
          -CAfile DigiCert-CA.pem | openssl x509 -noout -text | grep "DNS:"
...
    DNS:github.com, DNS:www.github.com

The best I can tell, there's no problem with the SSL/TLS portion of things from my view of the world. It looks like the problem lies with git.

You could check DNS with nslookup, but I'm not sure you would discover anything useful:

$ nslookup
> set q=a
> github.com
Server:     172.16.1.10
Address:    172.16.1.10#53

Non-authoritative answer:
Name:   github.com
Address: 192.30.252.129

$ echo "GET / HTTP/1.0\r\n" | openssl s_client -connect github.com:443 -tls1 -servername github.com -CAfile DigiCert-CA.pem -ign_eof
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
verify return:1
depth=0 businessCategory = Private Organization, 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, serialNumber = 5157550, street = 548 4th Street, postalCode = 94107, C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = github.com
verify return:1
---
Certificate chain
 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3243 bytes and written 379 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID: 9364E0346A77ABA5087FEEDA3C59443B1C672B6F553AB7183B9F48C2D3DE34CB
    Session-ID-ctx: 
    Master-Key: 8B055C9CED9F517F7F3B1B49A4B517D478532503B3BB254BE4F11A2BD6445BE14444115797450604C6D6F17D169AA030
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1398213115
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
HTTP/1.0 400 Bad request
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>400 Bad request</h1>
Your browser sent an invalid request.
</body></html>
closed
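
The manual hostname check in the last step of this answer (reading the "DNS:" entries, because OpenSSL prior to 1.0.2 does not verify host names itself) can be scripted. This is an added example, not part of the original answer: the function names and sample lines are constructed for illustration, and the wildcard rule used (a `*` only as the whole left-most label) is the usual convention rather than something stated on the page.

```shell
#!/bin/sh
# Added example: check a host name against the "DNS:" entries that
# `openssl x509 -noout -text | grep "DNS:"` prints. Names are illustrative.

# host_matches_pattern HOST PATTERN -> status 0 when PATTERN covers HOST.
# "*" is honoured only as the entire left-most label and spans one label.
host_matches_pattern() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pat" in
        \*.*)
            suffix=${pat#\*}                 # e.g. ".opendns.com"
            case "$host" in
                *"$suffix") first=${host%"$suffix"} ;;
                *) return 1 ;;
            esac
            case "$first" in
                ''|*.*) return 1 ;;          # empty or multi-label: no match
                *) return 0 ;;
            esac ;;
        *\**) return 1 ;;                    # wildcard elsewhere: reject
        *) [ "$host" = "$pat" ] ;;
    esac
}

# san_covers_host HOST  (certificate text, or just its DNS: line, on stdin)
san_covers_host() {
    target=$1
    names=$(tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p')
    while IFS= read -r name; do
        host_matches_pattern "$target" "$name" && return 0
    done <<EOF
$names
EOF
    return 1
}

# Constructed samples shaped like the grep output above: the first is the SAN
# line shown in the answer, the second is an assumed SAN list for a
# certificate issued to *.opendns.com, as in the question's error message.
for san in '    DNS:github.com, DNS:www.github.com' \
           '    DNS:*.opendns.com, DNS:opendns.com'; do
    if printf '%s\n' "$san" | san_covers_host github.com; then
        echo "github.com covered by:     $san"
    else
        echo "github.com NOT covered by: $san"
    fi
done
```

To use it against a live server, pipe the `openssl x509 -noout -text` output from the answer's last command into `san_covers_host github.com` in place of the `grep`.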

Solution 5:[5]

I have used OpenDNS for ages and it was working fine until today. I observe the same problem with SSL & github as described in the first post.

I temporarily replaced the OpenDNS server with GoogleDNS and github works fine. This isolates the SSL problem to OpenDNS...

BTW, I observe the same problem with Ubuntu 12.04 & Debian 7.4, so it is not related to 11.04. Ubuntu 14.04 works fine...

Ubuntu 12.04.4: openssl s_client -connect github.com:443 -tls1 -servername github.com reports: Verify return code: 20 (unable to get local issuer certificate)

The command host -t a github.com returns one of the addresses 192.30.252.128, 192.30.252.129, 192.30.252.130 or 192.30.252.131. I don't see a difference in github behaviour (OpenDNS resolver used).

wget on Ubuntu 12.04.4 cannot download the certificate, which is strange:

$ wget -d https://www.digicert.com/CACerts/DigiCertSHA2ExtendedValidationServerCA.crt
DEBUG output created by Wget 1.13.4 on linux-gnu.

URI encoding = `UTF-8'
--2014-04-24 10:57:05--  https://www.digicert.com/CACerts/DigiCertSHA2ExtendedValidationServerCA.crt
Resolving www.digicert.com (www.digicert.com)... ::ffff:67.215.65.132, 64.78.193.234
Caching www.digicert.com => ::ffff:67.215.65.132 64.78.193.234
Connecting to www.digicert.com (www.digicert.com)|::ffff:67.215.65.132|:443... connected.
Created socket 3.
Releasing 0x099f77d8 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x099f7968
certificate:
  subject: /C=US/ST=California/L=San Francisco/O=OpenDNS, Inc./CN=*.opendns.com
  issuer:  /C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
ERROR: no certificate subject alternative name matches
    requested host name `www.digicert.com'.
To connect to www.digicert.com insecurely, use `--no-check-certificate'.
Closed 3/SSL 0x099f7968

Solution 6:[6]

IMO, you are using some free wifi networks, requiring web login. The free wifi authentication may have expired.

The login site is using DDN redirecting your request to opendns.com.

What you need to do is just to open any website in the web browser and complete the authentication.

Solution 7:[7]

To answer your comment about /etc/resolv.conf being overwritten, you would need to use the resolvconf tool.

Delete the resolvconf information entered at setup

$ sudo resolvconf -d eth0.inet

Add localhost information

$ sudo vim /etc/resolvconf/resolv.conf.d/base

add:

nameserver 8.8.8.8

Update resolvconf

$ sudo resolvconf -u

Verify resolvconf

$ cat /etc/resolv.conf

Should look similar to:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 8.8.8.8

Solution 8:[8]

What you're passing may not have an SSL certificate, so just try http://yourdomain.com instead of https://yourdomain.com

It worked for me.

Solution 9:[9]

I believe this error is due to an expired certificate. (Or, at least it was in my case.)

1) Determine location of where your certs file should be based on your distro here: https://serverfault.com/a/722646/535872

2) Grab and copy the certificate to your cert file:

echo | openssl s_client -connect server:port 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /path/to/certs

For example:

echo | openssl s_client -connect [email protected]:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/ssl/certs/ca-certificates.crt

3) Update certificates

update-ca-certificates

Should work after that.

Solution 10:[10]

The error means the certificate common name is different from the git URL you are trying to push to or pull from.

E.g., say you are doing a pull from the URL below.

https://104.192.141.1

For example this is the bitbucket certificate viewed from the browser.


For me the solution was to make sure the git URL uses the server name, which is the same as the certificate common name, instead of the IP address.

git remote set-url origin https://bitbucket.org/scm/test/some-application.git

Solution 11:[11]

In my case, upgrading Ubuntu fixed the problem:

sudo apt-get update
sudo apt-get upgrade