Get certificate fingerprint of HTTPS server from command line?


Solution 1

The page at http://wiki.debuntu.org/wiki/OpenSSL#Retrieving_certificate_informations lists the command lines for that (and printing out the relevant information). From that page and some of the man pages, it seems like what you want is (for bash):

openssl s_client -connect <host>:<port> < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin

If you want the whole certificate, leave off the | symbol and everything after it.

Solution 2

This is also enough:

openssl x509 -fingerprint -in server.crt

Solution 3

This is an old thread but there is an easier way I found. Assuming you have the crt file:

$ cat server.crt|openssl x509 -fingerprint 
MD5 Fingerprint=D1:BA:B0:17:66:6D:7F:42:7B:91:1E:22:7E:3A:27:D2

Solution 4

Background

Since Mercurial 3.9, Mercurial requires the more secure SHA-256 fingerprint, as opposed to SHA-1 from prior versions. Jeremiah's answer explains how to compute the SHA-1 fingerprint. As pointed out in J.Money's comment, one must now add the -sha256 flag to get the correct fingerprint.

The new command:

openssl s_client -connect <host>:<port> < /dev/null 2>/dev/null | openssl x509 -fingerprint -sha256 -noout -in /dev/stdin

where <host>:<port> should be substituted as appropriate. (To answer the original question, one would use wiki.pydlnadms.googlecode.com:443, as noted by yanokwa.) You must omit https:// from the URL, otherwise you will get the error Expecting: TRUSTED CERTIFICATE.

One can then add the resulting SHA-256 fingerprint to Mercurial's global settings file (~/.hgrc).

Solution 5

Since nobody commented on this I wanted to try and clear up some of the confusion regarding subdomains:

the certificate is for *.googlecode.com. I was under the impression that this is called a wildcard domain and valid for all subdomains

You are partially correct. A wildcard certificate is valid for all direct subdomains but not for subdomains of subdomains.

So *.googlecode.com is valid for pydlnadms.googlecode.com but not for wiki.pydlnadms.googlecode.com.

For that you'd need a certificate for *.pydlnadms.googlecode.com or a non-wildcard certificate for wiki.pydlnadms.googlecode.com.
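
The wildcard rule described in Solution 5, as an added Python example (not part of the original answer and not Mercurial's own code). The function names and the specific rules (whole left-most label only, at least two fixed labels after the `*`) are assumptions of this simplified RFC 6125-style sketch.

```python
# Added example: simplified RFC 6125-style wildcard matching, not Mercurial's code.
import ipaddress


def _labels(name):
    """Lower-case a DNS name, drop a trailing root dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def wildcard_matches(pattern, hostname):
    """Return True if a certificate name `pattern` covers `hostname`.

    Rules applied (an assumption of this sketch): '*' is honoured only as the
    complete left-most label, it stands for exactly one label, and the
    pattern must keep at least two fixed labels after it.
    """
    try:
        ipaddress.ip_address(hostname)
        return False  # IP literals are never matched against DNS name patterns
    except ValueError:
        pass
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False  # '*' never spans a dot, so label counts must agree
    if p[0] == "*":
        if len(p) < 3:
            return False  # reject over-broad patterns such as '*.com'
        p, h = p[1:], h[1:]
    # Any '*' left over sits in a position where it is not honoured.
    return all("*" not in pl and pl == hl for pl, hl in zip(p, h))


def explain(pattern, hostnames):
    """Map each hostname to whether `pattern` covers it."""
    return {host: wildcard_matches(pattern, host) for host in hostnames}


if __name__ == "__main__":
    # Hostnames taken from the question and the answer above.
    for host, ok in explain("*.googlecode.com", [
        "pydlnadms.googlecode.com",
        "wiki.pydlnadms.googlecode.com",
        "googlecode.com",
    ]).items():
        print(f"{host:35} {'match' if ok else 'MISMATCH'}")
```

The mismatch for wiki.pydlnadms.googlecode.com is the same condition Mercurial reports in the question; pinning a fingerprint accepts that one certificate for that host instead of relying on name matching.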

Author by

Matt Joiner


Updated on July 09, 2022

Comments

  • Matt Joiner
    Matt Joiner almost 2 years

    Recently Mercurial has added certificate validation when connecting to HTTPS servers. I'm trying to clone the wiki repository for a googlecode project at https://wiki.pydlnadms.googlecode.com/hg/, but the certificate is for *.googlecode.com. I was under the impression that this is called a wildcard domain and valid for all subdomains, but I'm receiving the error:

    matt@stanley:~/src$ hg clone https://wiki.pydlnadms.googlecode.com/hg/ pydlnadms-wiki
    abort: wiki.pydlnadms.googlecode.com certificate error: certificate is for *.googlecode.com
    

    Allegedly I need to add the certificate fingerprint to my hgrc. How do I retrieve this fingerprint from the command line?

    Parent Question: Hosting images on Google Code

  • yanokwa
    yanokwa over 13 years
    To add a bit more detail: <host>:<port> in this example will be "wiki.pydlnadms.googlecode.com:443". mercurial.selenic.com/wiki/… has instructions on how to get this into your .hgrc file.
  • razor7
    razor7 almost 12 years
    Hi, got the fingerprint of my server, and added [hostfingerprints] mydomain.com = 09:EA:A1:28:49:24:21... to /etc/mercurial/hgrc, but trying to clone a newly created repo gives me SSL: Server certificate verify failed [command returned code 255 Fri Sep 14 22:31:09 2012] Any clue why? Thanks a lot!
  • None
    None over 5 years
    The hash method can be specified as a flag (sha1, sha256, md5): ` | openssl x509 -fingerprint -sha256 -noout -in /dev/stdin`
  • ADJenks
    ADJenks over 5 years
    This takes a fingerprint of all the extra garbage, like CONNECTED(00000003). This doesn't make sense to me.