Advanced Recovery module cURL error 51

Hello

I have 2 FreePBXs on which I’m trying to set up the Advanced Recovery module.
During the Quick Configuration wizard on the primary server, at the final step, I’m receiving a black screen error message saying:

GuzzleHttp \ Exception \ RequestException
cURL error 51: Unable to communicate securely with peer: requested domain name does not match the server’s certificate. (see libcurl - Error Codes)

On the primary server, in the Linux CLI, if I try the following:

[root@Primary]#curl -ILv https://RemoteServerIPaddress/admin/api/api/token
About to connect() to RemoteServerIPaddress port 443 (#0)
Trying RemoteServerIpAddress…
Connected to RemoteServerIPaddress (RemoteServerIPaddress) port 443 (#0)
Initializing NSS with certpath: sql:/etc/pki/nssdb
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
Server certificate:
subject: CN=*.domain.com
start date: Apr 06 00:00:00 2022 GMT
expire date: May 06 23:59:59 2023 GMT
common name: *.domain.com
issuer: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)
Unable to communicate securely with peer: requested domain name does not match the server’s certificate.
Closing connection 0
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server’s certificate.

If I try the same with the remote server FQDN instead:

[root@Primary]#curl -ILv https://freepbx2.domain.com/admin/api/api/token

it just works:

About to connect() to freepbx2.domain.com port 443 (#0)
Trying RemoteServerIpaddress…
Connected to freepbx2.domain.com (RemoteServerIPaddress) port 443 (#0)
Initializing NSS with certpath: sql:/etc/pki/nssdb
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Server certificate:
subject: CN=*.domain.com
start date: Apr 06 00:00:00 2022 GMT
expire date: May 06 23:59:59 2023 GMT
common name: *.domain.com
issuer: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

HEAD /admin/api/api/token HTTP/1.1
User-Agent: curl/7.29.0
Host: freepbx2.domain.com
Accept: */*

< HTTP/1.1 405 Method Not Allowed
HTTP/1.1 405 Method Not Allowed
< Date: Fri, 14 Oct 2022 13:13:00 GMT

Date: Fri, 14 Oct 2022 13:13:00 GMT
< Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
< X-Powered-By: PHP/5.6.40
X-Powered-By: PHP/5.6.40

< Set-Cookie: PHPSESSID=…; expires=Sun, 13-Nov-2022 13:13:00 GMT; Max-Age=2592000; path=/
Set-Cookie: PHPSESSID=…; expires=Sun, 13-Nov-2022 13:13:00 GMT; Max-Age=2592000; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
Pragma: no-cache
< Allow: POST
Allow: POST
< Content-Length: 556
Content-Length: 556
< Content-Type: text/html;charset=UTF-8
Content-Type: text/html;charset=UTF-8
<Connection #0 to host freepbx2.domain.com left intact

Both systems are running OS 12.7.8-2203-2.sng7

Questions:
1) Should I change my wildcard SSL cert for a more specific one, i.e. CN=freepbx2.domain.com?
Would it fix my issue, or is it useless?
2) As per the Advanced Recovery Module wiki, we should specify the second server IP address and not the remote server FQDN…

Step-1 Server Configuration

Here, We have to specify the “Secondary” Server IP.
Click “Next” , after select “Secondary Server” instance,

Is there any issue with using the server FQDN host.domain.com instead of the IP address in the server configuration?

Thanks

I wouldn’t expect a more specific domain name to work. The certificate would need to be issued for the IP address, or with the IP address as an alternative, if you want to use the IP address in the curl request, and actually defend against man in the middle attacks.

I can’t answer for the FreePBX module.
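
The name-matching rule behind the answer above, as an added example (not code from this thread, FreePBX or curl): it models the RFC 2818 / RFC 6125 checks a TLS client applies, showing why the IP address fails against the wildcard certificate while the FQDN passes. The SAN list and the address 192.0.2.10 are constructed stand-ins for the redacted values in the question.

```python
import ipaddress

# Constructed sample data: SAN list modelled on the wildcard certificate in the
# question; 192.0.2.10 is a documentation address standing in for the redacted IP.
WILDCARD_DNS = ["*.domain.com", "domain.com"]
SECONDARY_IP = "192.0.2.10"

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def dns_match(pattern, host):
    """A '*' may only be the whole left-most label and covers exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h

def cert_matches(target, san_dns=(), san_ip=(), common_name=None):
    """Return True if a certificate with these names is valid for `target`."""
    if is_ip(target):
        # RFC 2818: an IP in the URL must equal an iPAddress SAN entry;
        # DNS names and wildcards are never compared against it.
        wanted = ipaddress.ip_address(target)
        return any(ipaddress.ip_address(ip) == wanted for ip in san_ip)
    # Legacy CN fallback applies only when the certificate has no DNS SAN.
    names = list(san_dns) or ([common_name] if common_name else [])
    return any(dns_match(n, target) for n in names)

def scenarios():
    return {
        "fqdn_vs_wildcard": cert_matches("freepbx2.domain.com", WILDCARD_DNS),
        "ip_vs_wildcard": cert_matches(SECONDARY_IP, WILDCARD_DNS),
        "ip_vs_specific_cn": cert_matches(SECONDARY_IP, ["freepbx2.domain.com"]),
        "ip_vs_ip_san": cert_matches(SECONDARY_IP, WILDCARD_DNS, [SECONDARY_IP]),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'match' if ok else 'mismatch (curl error 51)'}")
```

Only the last scenario accepts the IP address: a certificate re-issued for CN=freepbx2.domain.com still carries no iPAddress entry, so it fails the same way the wildcard does.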
