VM or LXC using SDN Vnet cannot connect to any https server

ushiii111798, New Member, Jul 3, 2024
I have created a simple SDN with a Vnet and created a subnet with SNAT enabled.

Testing curl against any HTTPS-hosted server shows the following error.
I guess the internet connection is not the problem, since an HTTP-hosted server shows no error.
The firewall is off at datacenter and node level. Even the network-interface-level firewall is off as well.

Is there any other setting that I could have missed???

root@ONY-Wireguard:~# curl -vvv https://google.com
* Trying 172.217.161.206:443...
* Connected to google.com (172.217.161.206) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=KR; ST=Seoul; O=ONYCOM, INC.; CN=*.imqa.io
* start date: Apr 30 00:00:00 2024 GMT
* expire date: May 6 23:59:59 2025 GMT
* subjectAltName does not match google.com
* SSL: no alternative certificate subject name matches target host name 'google.com'
* Closing connection 0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'google.com'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
root@ONY-Wireguard:~#
 
Do you have some kind of transparent proxy on your network???

Because you got a certificate with "subject: C=KR; ST=Seoul; O=ONYCOM, INC.; CN=*.imqa.io"
Definitely not. That is my custom server certificate, issued for the Proxmox web dashboard. Will that be the problem??

The only thing I configured manually on the network side is
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8006

And interestingly, when I make a request directly from the server where Proxmox is installed to the same URL (google.com), it works fine.
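An added example, not from the thread or from Proxmox, that audits `iptables-save` output for exactly this class of rule: a nat/PREROUTING REDIRECT with no destination match also catches packets the node is merely forwarding for SNAT'ed SDN guests, which is why every HTTPS connection from the guest was answered with the node's dashboard certificate. The sample rules and the host address 192.0.2.10 are constructed.

```python
import shlex

# Constructed sample in `iptables-save -t nat` format (not taken from the thread).
# The first PREROUTING rule is the unscoped one; the second is the scoped form.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8006
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8006
-A POSTROUTING -s 10.10.0.0/24 -j MASQUERADE
COMMIT
"""


def _jump_target(argv):
    """Return the value of '-j' in a tokenized rule, or None."""
    return argv[argv.index("-j") + 1] if "-j" in argv[:-1] else None


def find_unscoped_redirects(save_text):
    """Return nat/PREROUTING REDIRECT rules that carry no destination match.

    Without '-d <host address>' such a rule matches packets the host forwards
    (e.g. traffic from SNAT'ed SDN guests), not only packets addressed to it.
    """
    findings = []
    table = None
    for line in save_text.splitlines():
        if line.startswith("*"):          # '*nat', '*filter', ... opens a table
            table = line[1:].strip()
            continue
        if table != "nat" or not line.startswith("-A PREROUTING "):
            continue
        argv = shlex.split(line)
        scoped = "-d" in argv or "--destination" in argv
        if _jump_target(argv) == "REDIRECT" and not scoped:
            findings.append(line)
    return findings


def scope_to_host(rule, host_ip):
    """Rewrite an unscoped PREROUTING rule so it only matches traffic to host_ip."""
    argv = shlex.split(rule)
    argv[2:2] = ["-d", f"{host_ip}/32"]   # insert right after '-A PREROUTING'
    return " ".join(argv)


if __name__ == "__main__":
    for rule in find_unscoped_redirects(SAMPLE):
        print("hijacks forwarded traffic:", rule)
        print("scoped form:              ", scope_to_host(rule, "192.0.2.10"))
```

Run it against real output with `iptables-save -t nat | python3 audit.py` after replacing `SAMPLE` with `sys.stdin.read()`; scoping on `-i <uplink>` alone is weaker, since guest traffic entering on the vnet bridge is excluded only if that is not the matched interface.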