Strange CURL 60 SSL Error appeared just suddenly for a Worker Website

Hi All.

All of a sudden I am now getting a strange SSL error when trying to do a curl GET request
that involves only a Cloudflare Workers response and has nothing to do with the origin.

The error that I just started getting is:

curl: (60) SSL: no alternative certificate subject name matches target host name ‘—.--------------.–’
More details here: curl - SSL CA Certificates

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I have searched the forum here for similar problems and found that others have the same problem, but
they write that this is in combination with requests to the origin server proxied through Cloudflare.

In my case I don't have any such requests.
These are simple worker-only requests not involving any proxying to the origin.

It looks like hundreds of Cloudflare customers have had the same problem all of a sudden for years,
as the forum search results show!

https://community.cloudflare.com/search?q=curl%2060%20SSL

Interesting is that when I try the same request using a web browser, everything works like it should.
I don't get any SSL error.
Only when using curl has the curl 60 error now suddenly appeared.

Should I really create new Edge SSL certificates to try to sort this out?
Why did this happen all of a sudden?

When I try the same curl command but use a different Cloudflare worker domain site,
it works with no problem, like it should.

When I repeat the same curl command that works for the different domain in combination with my main worker website, it suddenly fails with the above curl 60 error, even though it worked before all the time.

So something with SSL for the specific worker website is not right in combination with curl.

I could output some more debug information and isolate the problem more
when this curl 60 SSL error happens while trying to do a GET request to a simple worker-only response website using curl.

It turns out curl has this SSL 60 error problem only in combination with a subdomain
like www.
When I do the curl command without the subdomain, as posted at the end of this reply,
the error disappears.

So something is not right with Cloudflare SSL certificates when it comes to subdomains and curl,
and this happened on my side all of a sudden!!!

A few hours ago this Cloudflare SSL problem did not exist!!!

curl -v https://www.--------------.–/

  • Trying xxx.xxx.xxx.xxx:443…
  • Connected to www.--------------.-- (xxx.xxx.xxx.xxx) port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • CAfile: /etc/ssl/certs/ca-certificates.crt
  • CApath: /etc/ssl/certs
  • TLSv1.0 (OUT), TLS header, Certificate Status (22):
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.2 (IN), TLS header, Certificate Status (22):
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS header, Finished (20):
  • TLSv1.2 (IN), TLS header, Supplemental data (23):
  • TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
  • TLSv1.3 (IN), TLS handshake, Certificate (11):
  • TLSv1.3 (IN), TLS handshake, CERT verify (15):
  • TLSv1.3 (IN), TLS handshake, Finished (20):
  • TLSv1.2 (OUT), TLS header, Finished (20):
  • TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.2 (OUT), TLS header, Supplemental data (23):
  • TLSv1.3 (OUT), TLS handshake, Finished (20):
  • SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
  • ALPN, server accepted to use h2
  • Server certificate:
  • subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
  • start date: Apr 10 00:00:00 2023 GMT
  • expire date: Apr 9 23:59:59 2024 GMT
  • subjectAltName does not match www.--------------.–
  • SSL: no alternative certificate subject name matches target host name ‘www.--------------.–’
  • Closing connection 0
  • TLSv1.2 (OUT), TLS header, Supplemental data (23):
  • TLSv1.3 (OUT), TLS alert, close notify (256):
    curl: (60) SSL: no alternative certificate subject name matches target host name ‘www.--------------.–’
    More details here: curl - SSL CA Certificates

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

When I do the same curl test command but without www in front, it works and the error does not happen.
Only when I try the curl command with the www subdomain does it fail.
Before it was not like this, and I have not changed anything for months.
So this looks clearly like a problem on Cloudflare that happened all of a sudden for the www subdomain!

curl -v https://--------------.–/

  • Trying xxx.xxx.xxx.xxx:443…
  • Connected to --------------.-- (xxx.xxx.xxx.xxx) port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • CAfile: /etc/ssl/certs/ca-certificates.crt
  • CApath: /etc/ssl/certs
  • TLSv1.0 (OUT), TLS header, Certificate Status (22):
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.2 (IN), TLS header, Certificate Status (22):
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS header, Finished (20):
  • TLSv1.2 (IN), TLS header, Supplemental data (23):
  • TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
  • TLSv1.3 (IN), TLS handshake, Certificate (11):
  • TLSv1.3 (IN), TLS handshake, CERT verify (15):
  • TLSv1.3 (IN), TLS handshake, Finished (20):
  • TLSv1.2 (OUT), TLS header, Finished (20):
  • TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.2 (OUT), TLS header, Supplemental data (23):
  • TLSv1.3 (OUT), TLS handshake, Finished (20):
  • SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
  • ALPN, server accepted to use h2
  • Server certificate:
  • subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
  • start date: Apr 10 00:00:00 2023 GMT
  • expire date: Apr 9 23:59:59 2024 GMT
  • subjectAltName: host “--------------.–” matched cert’s “--------------.–”
  • issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
  • SSL certificate verify ok.
  • Using HTTP2, server supports multiplexing
  • Connection state changed (HTTP/2 confirmed)
  • Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
  • TLSv1.2 (OUT), TLS header, Supplemental data (23):
  • TLSv1.2 (OUT), TLS header, Supplemental data (23):
  • TLSv1.2 (OUT), TLS header, Supplemental data (23):
  • Using Stream ID: 1 (easy handle 0x55c6ffb179f0)
  • TLSv1.2 (OUT), TLS header, Supplemental data (23):

GET / HTTP/2
Host: --------------.–
user-agent: curl/7.81.0
accept: /

  • TLSv1.2 (IN), TLS header, Supplemental data (23):
  • TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
  • TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
  • old SSL session ID is stale, removing
  • TLSv1.2 (IN), TLS header, Supplemental data (23):
  • Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
  • TLSv1.2 (OUT), TLS header, Supplemental data (23):
  • TLSv1.2 (IN), TLS header, Supplemental data (23):
  • TLSv1.2 (IN), TLS header, Supplemental data (23):
    < HTTP/2 301
    < date: Thu, 20 Jul 2023 22:22:49 GMT
    < content-length: 0
    < location: https://www.--------------.–/
    < report-to: {“endpoints”:[{“url”:“https://a.nel.cloudflare.com/report/v3?s=YXQykDQ2ai2fQIfI5b2TMX950xCAXL42LAal%2Bp15Zgth77gKweLfDu5DCWrihxD3dEGBiLqy%2B2B2APzNspQpo3xEMDkm7ow4JnPz5Jol3LeUCzj0Pgqy6v3jYH7P2kPAwRw5etHnMg%3D%3D”}],“group”:“cf-nel”,“max_age”:604800}
    < nel: {“success_fraction”:0,“report_to”:“cf-nel”,“max_age”:604800}
    < strict-transport-security: max-age=0; includeSubDomains; preload
    < x-content-type-options: nosniff
    < server: cloudflare
    < cf-ray: 7e9e9ae8c8f123c7-ZRH
    < alt-svc: h3=“:443”; ma=86400
    <
  • Connection #0 to host --------------.-- left intact

The problem with the curl 60 SSL error when it comes to subdomains
got solved without my changing or updating anything.

I no longer get this error when doing the curl command in combination with a worker-only subdomain.

For comparison, I now post the working output for the www subdomain curl command.
See the line that now shows that the www subdomain is included and does exist in the Cloudflare SSL certificate.

subjectAltName: host “www.--------------.–” matched cert’s “*.--------------.–”

Compared to before, where it says it is not included and does not match it:

subjectAltName does not match www.--------------.–
SSL: no alternative certificate subject name matches target host name ‘www.--------------.–’

Thanks a lot for the fast fix to all!

curl -v https://www.--------------.–/

  • Trying xxx.xxx.xxx.xxx:443…
  • Connected to www.--------------.– (xxx.xxx.xxx.xxx) port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • CAfile: /etc/ssl/certs/ca-certificates.crt
  • CApath: /etc/ssl/certs
  • TLSv1.0 (OUT), TLS header, Certificate Status (22):
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.2 (IN), TLS header, Certificate Status (22):
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS header, Finished (20):
  • TLSv1.2 (IN), TLS header, Supplemental data (23):
  • TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
  • TLSv1.3 (IN), TLS handshake, Certificate (11):
  • TLSv1.3 (IN), TLS handshake, CERT verify (15):
  • TLSv1.3 (IN), TLS handshake, Finished (20):
  • TLSv1.2 (OUT), TLS header, Finished (20):
  • TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.2 (OUT), TLS header, Supplemental data (23):
  • TLSv1.3 (OUT), TLS handshake, Finished (20):
  • SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
  • ALPN, server accepted to use h2
  • Server certificate:
  • subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
  • start date: Apr 10 00:00:00 2023 GMT
  • expire date: Apr 9 23:59:59 2024 GMT
    > * subjectAltName: host “www.--------------.–” matched cert’s “*.--------------.–”
  • issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
  • SSL certificate verify ok.
  • Using HTTP2, server supports multiplexing
  • Connection state changed (HTTP/2 confirmed)
  • Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
  • TLSv1.2 (OUT), TLS header, Supplemental data (23):
  • TLSv1.2 (OUT), TLS header, Supplemental data (23):
  • TLSv1.2 (OUT), TLS header, Supplemental data (23):
  • Using Stream ID: 1 (easy handle 0x55836c7149f0)
  • TLSv1.2 (OUT), TLS header, Supplemental data (23):

GET / HTTP/2
Host: www.--------------.–
user-agent: curl/7.81.0
accept: /

  • TLSv1.2 (IN), TLS header, Supplemental data (23):
  • TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
  • TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
  • old SSL session ID is stale, removing
  • TLSv1.2 (IN), TLS header, Supplemental data (23):
  • Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
  • TLSv1.2 (OUT), TLS header, Supplemental data (23):
  • TLSv1.2 (IN), TLS header, Supplemental data (23):
    < HTTP/2 103
    < link: </getdata.php?indexpage=2&v=1>; as=script; rel=preload
  • TLSv1.2 (IN), TLS header, Supplemental data (23):
    < HTTP/2 200
    < date: Fri, 21 Jul 2023 20:14:44 GMT
    < content-type: text/html;charset=UTF-8
    < cache-control: public, max-age=604800
    < last-modified: Sat, 01 Jul 2023 17:00:00 GMT
    < link: </getdata.php?indexpage=2&v=1>; rel=“preload”; as=“script”
    < x-content-type-options: nosniff
    < x-frame-options: sameorigin
    < x-xss-protection: 1; mode=block
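
The hostname check behind the `subjectAltName` lines in the curl outputs above, as an added example that is not part of the original posts: it follows the RFC 6125 wildcard rules (a wildcard is only honoured as the whole leftmost label and stands for exactly one label). The `example.test` names and both SAN lists are constructed placeholders, and the apex-only list is an assumption about the certificate that was served during the failure.

```python
"""Added example: matching a hostname against a certificate's dNSName SANs."""


def san_matches(hostname: str, san: str) -> bool:
    """Return True if one SAN entry covers the hostname."""
    host = hostname.rstrip(".").lower().split(".")
    pattern = san.rstrip(".").lower().split(".")
    if len(host) != len(pattern):
        # A wildcard stands for exactly one label, so "*.example.test"
        # covers neither "example.test" nor "a.b.example.test".
        return False
    if pattern[0] == "*":
        # Conservative rule: require at least two labels after the
        # wildcard, so a pattern such as "*.test" never matches.
        return len(pattern) >= 3 and host[1:] == pattern[1:]
    # Partial wildcards ("w*.example.test") are compared literally here,
    # which means they are not honoured.
    return host == pattern


def check_host(hostname, sans):
    """Return the first SAN entry covering hostname, or None (curl error 60)."""
    for san in sans:
        if san_matches(hostname, san):
            return san
    return None


def triage(hostnames, sans):
    """Map every hostname to the SAN entry that covers it, or None."""
    return {h: check_host(h, sans) for h in hostnames}


# Constructed SAN lists modelled on the two states seen in the thread.
SANS_APEX_ONLY = ["example.test"]                       # assumed failing state
SANS_WITH_WILDCARD = ["example.test", "*.example.test"]  # state after the fix

if __name__ == "__main__":
    hosts = ["example.test", "www.example.test", "a.b.example.test"]
    for label, sans in (("apex only", SANS_APEX_ONLY),
                        ("with wildcard", SANS_WITH_WILDCARD)):
        for host, hit in triage(hosts, sans).items():
            verdict = f"matched cert's \"{hit}\"" if hit else "no SAN matches"
            print(f"{label:14} {host:20} {verdict}")
```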