
Author Topic: Certificate problem (ERR_CERT_COMMON_NAME_INVALID) in Chrome  (Read 269 times)


Offline e4ch

Certificate problem (ERR_CERT_COMMON_NAME_INVALID) in Chrome
« on: December 17, 2017, 06:28:49 am »
I have created a new internal CA (in System / Certificate Manager / CAs), imported the certificate into Windows in (local machine) Trusted Root / Registry, created a certificate (in System / Certificate Manager / Certificates) as Server Certificate, used it for the web UI (in System / Advanced / SSL Certificate). Name was a random name (something like pfSense) and I added 3 Subject Alternative Names:
- something like myfirewall
- something like myfirewall.mydomain.com
- IP address of the firewall (the one where it's reachable from LAN)
When accessing the web UI from IE it works fine, but Chrome complains with the error NET::ERR_CERT_COMMON_NAME_INVALID. I'm accessing the site by IP; no DNS name is used yet. Chrome Help says that the SAN must be wrong, but I cannot see such a problem.
How can I fix this?

Offline Blade Runner

Re: Certificate problem (ERR_CERT_COMMON_NAME_INVALID) in Chrome
« Reply #1 on: December 17, 2017, 07:09:01 am »
Create new server certificate.

Do not use "something like myfirewall" because it is not FQDN.

Use either FQDN or IP address.

https://forum.pfsense.org/index.php?topic=137307.msg751142#msg751142
Do not be afraid to fail.

Offline johnpoz

Re: Certificate problem (ERR_CERT_COMMON_NAME_INVALID) in Chrome
« Reply #2 on: December 17, 2017, 08:20:20 am »
What FQDN and IP do you use to access pfSense?

Your FQDN should be set as the CN (common name) AND.. you would set a SAN for the FQDN to the same and a SAN for IP with the IP you access.. If you use multiple FQDNs to access it then sure, you can add those as SANs.. But as stated by Blade Runner, they need to be FQDNs (fully qualified domain names). This would normally be the system hostname and domain you set in General Setup.

I use for example sg4860.local.lan, with LAN IP of 192.168.9.253.. So sg4860.local.lan is the CN on the cert, the FQDN SAN is sg4860.local.lan and the SAN IP is 192.168.9.253, and I can access via Chrome without any problems and get the shiny little green lock icon.

- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.3-RELEASE (work)
1x SG-3100 2.4.3-RELEASE (work)
1x SG-4860 2.4.3-RELEASE (home)

Offline e4ch

Re: Certificate problem (ERR_CERT_COMMON_NAME_INVALID) in Chrome
« Reply #3 on: December 17, 2017, 12:07:33 pm »
Hi, I don't want to publish the exact names, but I have something like the following:
Hostname: abc
Domain: def.com
Certificate name: abc
Subject Alternative Name in certificate:
 - DNS Name=abc
 - DNS Name=abc.def.com
 - DNS Name=192.168.1.1
When I use Chrome 63 (64-bit) with URL https://192.168.1.1, then I get the error.
I don't think the names are relevant, because I'm using an IP. The domain name "def.com" exists, but "abc" is arbitrary and not in the DNS.
For this error to appear, the domain name of the URL must not match one of the S.A.N. of the certificate, but it is matching as you can see.
Did you use a CA as well? Maybe something with the CA is wrong. I used key length 4096, digest sha512, country code CH, dummy entries for the rest and Common Name "internal-ca".
« Last Edit: December 17, 2017, 01:30:58 pm by e4ch »

Offline johnpoz

Re: Certificate problem (ERR_CERT_COMMON_NAME_INVALID) in Chrome
« Reply #4 on: December 17, 2017, 12:22:24 pm »
DNS Name=abc

That is not an FQDN.. do not make certs with just a host name... you should ALWAYS, no matter what, use an FQDN.. This is not 1989 and we are not using NetBEUI..

DNS Name=192.168.1.1

This is not a DNS name -- that would be an IP SAN...
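To make the point in reply #4 concrete, here is an added example (not from this thread and not pfSense code) that approximates how Chrome matches the URL host against a certificate's names: the Common Name is ignored, an IP literal in the URL matches only an "IP Address" SAN, and a DNS host matches only a "DNS" SAN. The SAN lists and the names abc / def.com / 192.168.1.1 are the poster's placeholders, constructed here in the shape Python's ssl.getpeercert() returns; the function name is an assumption.

```python
import ipaddress
from typing import Iterable, Tuple

# A SAN entry in the shape ssl.getpeercert()["subjectAltName"] uses:
# (type, value) where type is "DNS" or "IP Address".
San = Tuple[str, str]


def _dns_match(pattern: str, host: str) -> bool:
    """dNSName match: case-insensitive, trailing dot ignored, one leading
    wildcard label allowed, which never matches across a dot."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "." in host:
        return pattern[2:] == host.split(".", 1)[1]
    return False


def chrome_would_accept(url_host: str, sans: Iterable[San], cn: str = "") -> bool:
    """Approximation of Chrome 58+ name checking (assumption: simplified).
    `cn` is accepted but deliberately unused: the Common Name is ignored,
    so a missing or wrong-typed SAN cannot be rescued by the CN."""
    try:
        ip = ipaddress.ip_address(url_host.strip("[]"))  # "[::1]" -> ::1
    except ValueError:
        ip = None
    for san_type, value in sans:
        if ip is not None and san_type == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue  # malformed IP SAN: skip it rather than crash
        elif ip is None and san_type == "DNS" and _dns_match(value, url_host):
            return True
    return False


# Constructed SAN lists mirroring the thread's broken and fixed certificates.
BROKEN_SANS = [("DNS", "abc"), ("DNS", "abc.def.com"), ("DNS", "192.168.1.1")]
FIXED_SANS = [("DNS", "abc.def.com"), ("IP Address", "192.168.1.1")]

if __name__ == "__main__":
    for label, sans in (("broken", BROKEN_SANS), ("fixed", FIXED_SANS)):
        ok = chrome_would_accept("192.168.1.1", sans, cn="abc")
        print(f"{label}: https://192.168.1.1 -> "
              f"{'OK' if ok else 'ERR_CERT_COMMON_NAME_INVALID'}")
```

Run against the thread's broken certificate the IP URL is rejected even though "192.168.1.1" appears as a dNSName, and against the fixed one it is accepted; the bare host "abc" is rejected either way because Chrome never appends a search suffix.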

Offline e4ch

Re: Certificate problem (ERR_CERT_COMMON_NAME_INVALID) in Chrome
« Reply #5 on: December 17, 2017, 01:49:46 pm »
Regarding the host name without FQDN, that was from another post I found here. Initially I only had the IP there and it didn't work, hence I tried more options. But it actually makes sense to have only the name (like "pfsense" or something) there as well, because if you are in a Windows domain, then the domain is added automatically and if DNS is configured like that, then only the "abc" should work too - but only if the name in the certificate matches of course. But I agree that this is not a good idea.

But yes, you found the problem. Somehow I missed the dropdown with the Alternative Names Type, not sure why. Thanks for the screenshot (only visible to logged-in users), which made it clear. After creating a new certificate with the correct type ("IP address"), it now works. I wonder why IE didn't complain about this mismatch. It seems that Chrome is more strict there and that is good.

Thanks for your help!

Offline johnpoz

Re: Certificate problem (ERR_CERT_COMMON_NAME_INVALID) in Chrome
« Reply #6 on: December 17, 2017, 02:24:09 pm »
"Windows domain, then the domain is added automatically"

That is a simple search suffix, and all OSes can be set up to do that.. But it's not going to do it in your browser.. It would be done on the DNS query..

There is zero reason to put in just a hostname for a cert.. Try and get a CA to sign off on that ;)