    SOLVED: RemoteCertificateNameMismatch

    RemoteCertificateNameMismatch
    Raúl Casado Piqueras
    #5
    2024-10-25, 09:38 PM
    I have been doing some checks and I don't understand it with this change either. Yes, I have Pihole, but when I run curl against the HTTP service there is no problem. It happens when I do it over HTTPS inside Docker; outside Docker there is no issue.

    Code:
    $ curl -vvv https://image.tmdb.org/t/p/original/uqIVJR1fmkiwpcIsIcV0vxiyY4z.jpg -o /tmp/futurama.jpg
      % Total    % Received % Xferd  Average Speed  Time    Time    Time  Current
                                    Dload  Upload  Total  Spent    Left  Speed
      0    0    0    0    0    0      0      0 --:--:--  0:00:02 --:--:--    0*  Trying 185.93.2.251:443...
    * Connected to image.tmdb.org (185.93.2.251) port 443 (#0)
    * ALPN: offers h2,http/1.1
    } [5 bytes data]
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    } [512 bytes data]
    *  CAfile: /etc/ssl/certs/ca-certificates.crt
    *  CApath: /etc/ssl/certs
    { [5 bytes data]
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    { [122 bytes data]
    * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
    { [19 bytes data]
    * TLSv1.3 (IN), TLS handshake, Certificate (11):
    { [3968 bytes data]
    * TLSv1.3 (IN), TLS handshake, CERT verify (15):
    { [264 bytes data]
    * TLSv1.3 (IN), TLS handshake, Finished (20):
    { [52 bytes data]
    * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
    } [1 bytes data]
    * TLSv1.3 (OUT), TLS handshake, Finished (20):
    } [52 bytes data]
    * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
    * ALPN: server accepted h2
    * Server certificate:
    *  subject: CN=image.tmdb.org
    *  start date: Oct  6 12:45:51 2024 GMT
    *  expire date: Jan  4 12:45:50 2025 GMT
    *  subjectAltName: host "image.tmdb.org" matched cert's "image.tmdb.org"
    *  issuer: C=US; O=Let's Encrypt; CN=R10
    *  SSL certificate verify ok.
    } [5 bytes data]
    * using HTTP/2
    * h2h3 [:method: GET]
    * h2h3 [:path: /t/p/original/uqIVJR1fmkiwpcIsIcV0vxiyY4z.jpg]
    * h2h3 [:scheme: https]
    * h2h3 [:authority: image.tmdb.org]
    * h2h3 [user-agent: curl/7.88.1]
    * h2h3 [accept: */*]
    * Using Stream ID: 1 (easy handle 0x563b9a644ce0)
    } [5 bytes data]
    > GET /t/p/original/uqIVJR1fmkiwpcIsIcV0vxiyY4z.jpg HTTP/2
    > Host: image.tmdb.org
    > user-agent: curl/7.88.1
    > accept: */*
    >
    { [5 bytes data]
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    { [265 bytes data]
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    { [265 bytes data]
    * old SSL session ID is stale, removing
    { [5 bytes data]
    < HTTP/2 200
    < date: Fri, 25 Oct 2024 21:27:11 GMT
    < content-type: image/jpeg
    < content-length: 50330
    < server: BunnyCDN-FR1-1186
    < cdn-pullzone: 775336
    < cdn-uid: 29af4e0e-bcbd-4fcb-8635-74ddc38a1ebf
    < cdn-requestcountrycode: ES
    < cache-control: public, max-age=31919000
    < etag: "6272f494-c49a"
    < last-modified: Wed, 04 May 2022 21:48:04 GMT
    < cdn-storageserver: NY-427
    < cdn-requestpullsuccess: True
    < cdn-fileserver: 266
    < perma-cache: HIT
    < cdn-proxyver: 1.04
    < cdn-requestpullcode: 200
    < cdn-cachedat: 10/09/2024 20:20:48
    < cdn-edgestorageid: 1187
    < cdn-status: 200
    < cdn-requesttime: 0
    < cdn-requestid: 91a0f5895fc08e6629232bcf7fd5e410
    < cdn-cache: HIT
    < accept-ranges: bytes
    <
    { [15736 bytes data]
    100 50330  100 50330    0    0  18362      0  0:00:02  0:00:02 --:--:-- 18361
    * Connection #0 to host image.tmdb.org left intact

    Inside the nginx server (jellyfin subnet in Docker), for instance:
    Code:
    # curl -vvv https://image.tmdb.org/t/p/original/uqIVJR1fmkiwpcIsIcV0vxiyY4z.jpg -o /tmp/futurama.jpg
      % Total    % Received % Xferd  Average Speed  Time    Time    Time  Current
                                    Dload  Upload  Total  Spent    Left  Speed
      0    0    0    0    0    0      0      0 --:--:--  0:00:03 --:--:--    0*  Trying 143.244.56.49:443...
    * Connected to image.tmdb.org (143.244.56.49) port 443 (#0)
    * ALPN: offers h2,http/1.1
    } [5 bytes data]
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    } [512 bytes data]
    *  CAfile: /etc/ssl/certs/ca-certificates.crt
    *  CApath: /etc/ssl/certs
    { [5 bytes data]
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    { [122 bytes data]
    * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
    { [25 bytes data]
    * TLSv1.3 (IN), TLS handshake, Certificate (11):
    { [2038 bytes data]
    * TLSv1.3 (IN), TLS handshake, CERT verify (15):
    { [79 bytes data]
    * TLSv1.3 (IN), TLS handshake, Finished (20):
    { [52 bytes data]
    * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
    } [1 bytes data]
    * TLSv1.3 (OUT), TLS handshake, Finished (20):
    } [52 bytes data]
    * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
    * ALPN: server accepted http/1.1
    * Server certificate:
    *  subject: CN=valid.domain.com
    *  start date: Sep 19 19:38:02 2024 GMT
    *  expire date: Dec 18 19:38:01 2024 GMT
    *  subjectAltName does not match image.tmdb.org
    * SSL: no alternative certificate subject name matches target host name 'image.tmdb.org'
      0    0    0    0    0    0      0      0 --:--:--  0:00:04 --:--:--    0
    * Closing connection 0
    { [5 bytes data]
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    { [281 bytes data]
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    { [281 bytes data]
    * old SSL session ID is stale, removing
    } [5 bytes data]
    * TLSv1.3 (OUT), TLS alert, close notify (256):
    } [2 bytes data]
    curl: (60) SSL: no alternative certificate subject name matches target host name 'image.tmdb.org'
    More details here: https://curl.se/docs/sslcerts.html

    curl failed to verify the legitimacy of the server and therefore could not
    establish a secure connection to it. To learn more about this situation and
    how to fix it, please visit the web page mentioned above.

    In the pihole or unifi Docker service:
    Code:
    $ docker exec -it pihole sh
    # curl -vvv https://image.tmdb.org/t/p/original/uqIVJR1fmkiwpcIsIcV0vxiyY4z.jpg -o /tmp/futurama.jpg
      % Total    % Received % Xferd  Average Speed  Time    Time    Time  Current
                                    Dload  Upload  Total  Spent    Left  Speed
      0    0    0    0    0    0      0      0 --:--:--  0:00:02 --:--:--    0*  Trying 143.244.56.49:443...
    * Connected to image.tmdb.org (143.244.56.49) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *  CAfile: /etc/ssl/certs/ca-certificates.crt
    *  CApath: /etc/ssl/certs
    } [5 bytes data]
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    } [512 bytes data]
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    { [122 bytes data]
    * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
    { [19 bytes data]
    * TLSv1.3 (IN), TLS handshake, Certificate (11):
    { [3968 bytes data]
    * TLSv1.3 (IN), TLS handshake, CERT verify (15):
    { [264 bytes data]
    * TLSv1.3 (IN), TLS handshake, Finished (20):
    { [52 bytes data]
    * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
    } [1 bytes data]
    * TLSv1.3 (OUT), TLS handshake, Finished (20):
    } [52 bytes data]
    * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
    * ALPN, server accepted to use h2
    * Server certificate:
    *  subject: CN=image.tmdb.org
    *  start date: Oct  6 12:45:51 2024 GMT
    *  expire date: Jan  4 12:45:50 2025 GMT
    *  subjectAltName: host "image.tmdb.org" matched cert's "image.tmdb.org"
    *  issuer: C=US; O=Let's Encrypt; CN=R10
    *  SSL certificate verify ok.
    * Using HTTP2, server supports multi-use
    * Connection state changed (HTTP/2 confirmed)
    * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
    } [5 bytes data]
    * Using Stream ID: 1 (easy handle 0x56440d1a6620)
    } [5 bytes data]
    > GET /t/p/original/uqIVJR1fmkiwpcIsIcV0vxiyY4z.jpg HTTP/2
    > Host: image.tmdb.org
    > user-agent: curl/7.74.0
    > accept: */*
    >
    { [5 bytes data]
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    { [265 bytes data]
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    { [265 bytes data]
    * old SSL session ID is stale, removing
    { [5 bytes data]
    * Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
    } [5 bytes data]
    < HTTP/2 200
    < date: Fri, 25 Oct 2024 21:30:58 GMT
    < content-type: image/jpeg
    < content-length: 50330
    < server: BunnyCDN-FR1-1072
    < cdn-pullzone: 775336
    < cdn-uid: 29af4e0e-bcbd-4fcb-8635-74ddc38a1ebf
    < cdn-requestcountrycode: ES
    < cache-control: public, max-age=31919000
    < etag: "6272f494-c49a"
    < last-modified: Wed, 04 May 2022 21:48:04 GMT
    < cdn-storageserver: NY-427
    < cdn-requestpullsuccess: True
    < cdn-fileserver: 266
    < perma-cache: HIT
    < cdn-proxyver: 1.04
    < cdn-requestpullcode: 200
    < cdn-cachedat: 10/09/2024 20:20:48
    < cdn-edgestorageid: 1187
    < cdn-status: 200
    < cdn-requesttime: 0
    < cdn-requestid: 66a9348c1fcf42551aafee7263ce1c6b
    < cdn-cache: HIT
    < accept-ranges: bytes
    <
    { [15754 bytes data]
    100 50330  100 50330    0    0  15703      0  0:00:03  0:00:03 --:--:-- 15703
    * Connection #0 to host image.tmdb.org left intact

    My nginx configuration is this:
    Code:
    $ cat nginx.conf
    user  nginx;
    worker_processes  1;

    events {
        worker_connections  1024;
    }

    http {
        include      mime.types;
        default_type  application/octet-stream;

        sendfile        on;
        tcp_nopush      on;
        tcp_nodelay    on;
        keepalive_timeout  65;
        types_hash_max_size 2048;

        # HTTP configuration for renewing certificates with Certbot
        server {
            listen      80;
            server_name  valid.domain.com www.valid.domain.com;

            access_log /var/log/nginx/access.log;
            error_log /var/log/nginx/error.log;

            # Exception for Certbot (do not redirect)
            location /.well-known/acme-challenge/ {
                root /var/www/certbot;  # Path where Certbot stores the challenge files
            }

            # Redirect all other requests to port 443 (HTTPS)
            location / {
                return 301 https://$host:443$request_uri;
            }

    #        location / {
    #            root  /usr/share/nginx/html;
    #            index  index.html index.htm;
    #        }

        }

        # HTTPS configuration
        server {
            listen 443 ssl; # Listen on port 443 with SSL enabled
            server_name valid.domain.com;

            access_log /var/log/nginx/access.log;
            error_log /var/log/nginx/error.log;

            ssl_certificate /etc/letsencrypt/live/valid.domain.com/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/valid.domain.com/privkey.pem;
            ssl_protocols TLSv1.2 TLSv1.3;
            ssl_ciphers HIGH:!aNULL:!MD5;

            location / {
                if ($host != "valid.domain.com") {
                    return 444;  # Close the connection if the host does not match
                }

                proxy_pass http://jellyfin:8096; # Forward requests to Jellyfin
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_buffering off;
            }

            # New configuration for Filebrowser
            location /filebrowser/ {
                if ($host != "valid.domain.com") {
                    return 444;  # Close the connection if the host does not match
                }

                proxy_pass http://filebrowser:80/filebrowser;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                rewrite ^/filebrowser(/.*)$ $1 break;  # Rewrite the URL to strip "/filebrowser"
                client_max_body_size 10G;  # Raise the upload limit to 10 GB
            }

        }
    }
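
An added example, not part of the original post: a small Python parser that condenses the three `curl -vvv` traces above to the address reached, the certificate subject presented and the result of the name check, then flags any address that presented different certificates to different vantage points. The trace excerpts are abridged from the post and embedded as constructed input; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed input: a few lines abridged from each curl -vvv trace in the post.
TRACES = {
    "host": """* Connected to image.tmdb.org (185.93.2.251) port 443 (#0)
*  subject: CN=image.tmdb.org
*  subjectAltName: host "image.tmdb.org" matched cert's "image.tmdb.org"
*  SSL certificate verify ok.""",
    "nginx": """* Connected to image.tmdb.org (143.244.56.49) port 443 (#0)
*  subject: CN=valid.domain.com
*  subjectAltName does not match image.tmdb.org
curl: (60) SSL: no alternative certificate subject name matches target host name 'image.tmdb.org'""",
    "pihole": """* Connected to image.tmdb.org (143.244.56.49) port 443 (#0)
*  subject: CN=image.tmdb.org
*  subjectAltName: host "image.tmdb.org" matched cert's "image.tmdb.org"
*  SSL certificate verify ok.""",
}

CONNECTED = re.compile(r"^\* Connected to (\S+) \(([^)]+)\) port (\d+)", re.M)
SUBJECT = re.compile(r"^\*\s+subject: (.+)$", re.M)
SAN_OK = re.compile(r'^\*\s+subjectAltName: host "[^"]+" matched', re.M)
SAN_BAD = re.compile(r"subjectAltName does not match|no alternative certificate subject name")

def summarize(trace):
    """Reduce one verbose curl trace to host, peer IP, cert subject and name-check result."""
    conn = CONNECTED.search(trace)
    subj = SUBJECT.search(trace)
    # None means the trace never reached the certificate name check.
    name_ok = False if SAN_BAD.search(trace) else True if SAN_OK.search(trace) else None
    return {"host": conn and conn.group(1), "ip": conn and conn.group(2),
            "subject": subj and subj.group(1).strip(), "name_ok": name_ok}

def conflicting_ips(traces):
    """Return IPs that showed different certificate subjects to different vantage points."""
    seen = defaultdict(dict)
    for where, trace in traces.items():
        s = summarize(trace)
        if s["ip"] and s["subject"]:
            seen[s["ip"]][where] = s["subject"]
    return {ip: by for ip, by in seen.items() if len(set(by.values())) > 1}

if __name__ == "__main__":
    for where, trace in TRACES.items():
        print(where, summarize(trace))
    print("conflicts:", conflicting_ips(TRACES))
```

For these traces it reports 143.244.56.49, which served CN=valid.domain.com to the nginx container and CN=image.tmdb.org to the pihole container.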