Getting error 60 of curl to cygwin setup

Brian Inglis Brian.Inglis@systematicsw.ab.ca
Tue Mar 19 17:39:10 GMT 2024


On 2024-03-19 11:00, J M wrote:
> $ file /etc/pki/tls/certs/*
> /etc/pki/tls/certs/ca-bundle.crt:       symbolic link to 
> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
> /etc/pki/tls/certs/ca-bundle.trust.crt: symbolic link to 
> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
> 
> $ grep -c '^-----BEGIN.*CERTIFICATE-----$' 
> /etc/pki/ca-trust/extracted/{openssl/*.crt,pem/*.pem}
> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt:369
> /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem:116
> /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem:295
> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:145
> 
> $ grep '^#\s\(ISRG\|R3\)' /etc/pki/ca-trust/extracted/{openssl/*.crt,pem/*.pem}
> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt:# ISRG Root X1
> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt:# ISRG Root X2
> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt:# R3
> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:# ISRG Root X1
> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:# ISRG Root X2
> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:# R3
> 
> Looks the same except the matched number lines of the grep -c.
> 
> $ sum /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt 
> /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem 
> /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem 
> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
> 22972   630 /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
> 34027   176 /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
> 36930   491 /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
> 05844   220 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

The following are a bit more useful:

$ wc -lwmcL /etc/pki/ca-trust/extracted/{openssl/*.crt,pem/*.pem}
   11307   14152  664107  664142      65 
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
    3368    4080  193879  193883      64 
/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
    8816   10434  512531  512566      65 
/etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
    4236    5094  243623  243627      64 
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
   27727   33760 1614140 1614218      65 total
$ cksum /etc/pki/ca-trust/extracted/{openssl/*.crt,pem/*.pem}
317625824 664142 /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
382586407 193883 /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
1244815702 512566 /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
1065593997 243627 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

I would also like to see what you get running:

$ curl -Iv https://8.43.85.97/
*   Trying 8.43.85.97:443...
* Connected to 8.43.85.97 (8.43.85.97) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 / X25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=cygwin.com
*  start date: Jan 21 03:06:49 2024 GMT
*  expire date: Apr 20 03:06:48 2024 GMT
*  subjectAltName does not match 8.43.85.97
* SSL: no alternative certificate subject name matches target host name '8.43.85.97'
* Closing connection
* TLSv1.2 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 
'8.43.85.97'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

and:

$ curl -Iv https://cygwin.com/
* Host cygwin.com:443 was resolved.
* IPv6: 2620:52:3:1:0:246e:9693:128c
* IPv4: 8.43.85.97
*   Trying [2620:52:3:1:0:246e:9693:128c]:443...
* Connected to cygwin.com (2620:52:3:1:0:246e:9693:128c) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 / X25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=cygwin.com
*  start date: Jan 21 03:06:49 2024 GMT
*  expire date: Apr 20 03:06:48 2024 GMT
*  subjectAltName: host "cygwin.com" matched cert's "cygwin.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed 
using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed 
using sha256WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://cygwin.com/
* [HTTP/2] [1] [:method: HEAD]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: cygwin.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.6.0]
* [HTTP/2] [1] [accept: */*]
 > HEAD / HTTP/2
 > Host: cygwin.com
 > User-Agent: curl/8.6.0
 > Accept: */*
 >
< HTTP/2 200
HTTP/2 200
< date: Tue, 19 Mar 2024 17:32:27 GMT
date: Tue, 19 Mar 2024 17:32:27 GMT
< server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k mod_qos/11.74 
mod_wsgi/4.6.4 Python/3.6 mod_perl/2.0.12 Perl/v5.26.3
server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k mod_qos/11.74 
mod_wsgi/4.6.4 Python/3.6 mod_perl/2.0.12 Perl/v5.26.3
< vary: User-Agent,Accept-Encoding
vary: User-Agent,Accept-Encoding
< accept-ranges: bytes
accept-ranges: bytes
< content-security-policy: default-src 'self' http: https:
content-security-policy: default-src 'self' http: https:
< strict-transport-security: max-age=16070400
strict-transport-security: max-age=16070400
< content-type: text/html; charset=UTF-8
content-type: text/html; charset=UTF-8

<
* Connection #0 to host cygwin.com left intact


Suggest you try to redownload and rerun setup-x86_64,
reinstall the latest ca-certificates-letsencrypt and ca-certificates packages, 
check /var/log/setup.log.full, and rerun wc and cksum.

-- 
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer     but when there is no more to cut
                                 -- Antoine de Saint-Exupéry


More information about the Cygwin mailing list