I see your point. However, the problem I’m reporting here is irrelevant to the certificate validity. The problem is I’m actually seeing a different certificate when doing the same curl command as you did:
$ curl -v https://likr.xyz --resolve likr.xyz:443:178.128.17.49
* Added likr.xyz:443:178.128.17.49 to DNS cache
* Hostname likr.xyz was found in DNS cache
* Trying 178.128.17.49...
* TCP_NODELAY set
* Connected to likr.xyz (178.128.17.49) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=ca; L=San Francisco; O=Netlify, Inc; CN=*.netlify.com
* start date: Jun 15 00:00:00 2020 GMT
* expire date: Aug 3 12:00:00 2021 GMT
* subjectAltName does not match likr.xyz
* SSL: no alternative certificate subject name matches target host name 'likr.xyz'
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'likr.xyz'
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
As you can see, my request was served with the *.netlify.com cert, not my custom one.
And if I try to use another of Netlify's server IP addresses, I can see my custom certificate (which is what I want):
$ curl -v https://likr.xyz --resolve likr.xyz:443:104.198.14.52
* Added likr.xyz:443:104.198.14.52 to DNS cache
* Hostname likr.xyz was found in DNS cache
* Trying 104.198.14.52...
* TCP_NODELAY set
* Connected to likr.xyz (104.198.14.52) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
What I want is to make sure that all clients that hit Netlify's servers requesting my website get responses signed by my custom certificate, since that is what I configured in the admin panel. It's then the responsibility of my client apps and web browser to verify the certificate, not Netlify's.
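One way to check what each edge serves for a name, as an added example that is not part of this thread or of Netlify's tooling: a Python 3 script (standard library only) that connects to a given IP with the hostname as SNI, requires the chain to validate against the system CA store (CPython returns an empty certificate dict otherwise), and then does the subjectAltName match itself so a mismatch is reported instead of raised. The hostname and the two IPs are the ones quoted in the post and are only defaults; the function names are mine.

```python
"""Report which certificate a TLS endpoint presents for a given SNI name.

Added example; not code from this thread or from Netlify. Assumes Python 3.7+
and the system CA store that ssl.create_default_context() loads.
"""
import socket
import ssl
import sys
from typing import Dict, Iterable, List, Tuple


def san_matches(hostname: str, san_names: Iterable[str]) -> bool:
    """RFC 6125-style match of hostname against DNS SANs.

    A wildcard is honoured only as the whole leftmost label and covers exactly
    one label (so "*.likr.xyz" matches "www.likr.xyz" but not "likr.xyz" or
    "a.b.likr.xyz"). Partial-label wildcards are treated as literals, which is
    stricter than some clients but never more permissive.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in san_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels) or labels[1:] != host_labels[1:]:
            continue
        if labels[0] == "*" and len(labels) >= 3:
            return True
        if labels[0] == host_labels[0]:
            return True
    return False


def dns_names(cert: Dict) -> List[str]:
    """Pull the DNS entries out of the dict ssl returns from getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def fetch_leaf_cert(host: str, ip: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Connect to ip sending host as SNI and return the parsed leaf certificate.

    Raises ssl.SSLCertVerificationError if the chain does not validate; the
    hostname check is deliberately left to san_matches() so that a wrong cert
    is reported rather than aborted on.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # we compare names ourselves below
    ctx.verify_mode = ssl.CERT_REQUIRED  # without this getpeercert() is {}
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_edge(host: str, ip: str) -> Tuple[bool, str]:
    """Return (ok, detail) describing what the edge at ip served for host."""
    try:
        cert = fetch_leaf_cert(host, ip)
    except ssl.SSLCertVerificationError as exc:
        return False, f"chain did not validate: {exc.verify_message}"
    except OSError as exc:
        return False, f"connection failed: {exc}"
    names = dns_names(cert)
    if san_matches(host, names):
        return True, f"SAN covers {host}: {names}"
    return False, f"SAN does not cover {host}: {names}"


if __name__ == "__main__":
    # Defaults are the hostname and edge IPs quoted in the post above.
    target = sys.argv[1] if len(sys.argv) > 1 else "likr.xyz"
    edges = sys.argv[2:] or ["178.128.17.49", "104.198.14.52"]
    for edge in edges:
        ok, detail = check_edge(target, edge)
        print(f"{edge}: {'OK' if ok else 'MISMATCH'} - {detail}")
```

Run it as `python3 check_edge.py likr.xyz 178.128.17.49 104.198.14.52`. For the second IP, where curl reported "unable to get local issuer certificate", this script reports "chain did not validate" rather than showing the subject, because CPython does not expose the parsed certificate when validation fails; to inspect that certificate anyway, `openssl s_client -connect 104.198.14.52:443 -servername likr.xyz` prints it regardless of trust.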