Hello!
I have some doubts on certificates.
I have just installed a fresh Yunohost on a fresh Debian.
So far I have only configured one domain and installed one app (nextcloud) in that domain.
I have not installed any let’s encrypt certificate.
I would like to manually verify I am not suffering a Person In The Middle attack. I would like to compare the certificate received in the client to the one stored in the server.
As I do not know where the certificate is located in the server, now I am just checking everything from a client.
If I visit mydomain.tld on the client’s browser, the browser lets me see the SHA1 fingerprint of the certificate.
From the client’s nextcloud desktop application I can also connect to mydomain.tld. I get a warning on the untrusted certificate and it shows me a different SHA1 fingerprint. Why?
Then someone told me I could get the whole certificate from the client with:
openssl s_client -connect mydomain.tlc:443
So I got some data and also:
-----BEGIN CERTIFICATE-----
Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-==
-----END CERTIFICATE-----
If I do a sha1sum of those zillion funny characters, I get a third different SHA1 outcome! Why?
Anyone could please help me understand how certificates and fingerprints work? I do not understand why I get three different results.
And please let me know where the certificate is located in the server so that I can run a sha1sum there and compare it to the tree different results I get from a client.
Thank you!