    Certificate problem (ERR_CERT_COMMON_NAME_INVALID) in Chrome

    General pfSense Questions
e4ch:

I have created a new internal CA (in System / Certificate Manager / CAs), imported the certificate into Windows in (local machine) Trusted Root / Registry, created a certificate (in System / Certificate Manager / Certificates) as Server Certificate, used it for the web UI (in System / Advanced / SSL Certificate). Name was a random name (something like pfSense) and I added 3 Subject Alternative Names:

• something like myfirewall
• something like myfirewall.mydomain.com
• IP address of the firewall (the one where it's reachable from LAN)

When accessing the web UI from IE it works fine, but Chrome complains with the error NET::ERR_CERT_COMMON_NAME_INVALID. I'm accessing the site by IP; no DNS name is used yet. Chrome Help says that the SAN must be wrong, but I cannot see such a problem.
How can I fix this?
Blade Runner:

        Create new server certificate.

Do not use "something like myfirewall" because it is not an FQDN.

        Use either FQDN or IP address.

        https://forum.pfsense.org/index.php?topic=137307.msg751142#msg751142

        Do not be afraid to fail.

johnpoz (LAYER 8 Global Moderator):

what fqdn and IP do you use to access pfSense?

your fqdn should be set as the CN (common name) AND.. you would set a SAN for the fqdn to the same and a SAN for IP with the IP you access.. If you use multiple fqdns to access it then sure you can add those as SANs.. But as stated by blade runner they need to be FQDNs (fully qualified domain names). This would normally be the system hostname and domain you set in general setup.

I use for example sg4860.local.lan, with lan IP of 192.168.9.253.. So sg4860.local.lan is the CN on the cert and the fqdn SAN is sg4860.local.lan and the SAN IP is 192.168.9.253 and I can access via chrome without any problems and get the shiny little green lock icon.


          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 23.01 | Lab VMs CE 2.6, 2.7

e4ch:

Hi, I don't want to publish the exact names, but I have something like the following:
Hostname: abc
Domain: def.com
Certificate name: abc
Subject Alternative Name in certificate:

• DNS Name=abc
• DNS Name=abc.def.com
• DNS Name=192.168.1.1

When I use Chrome 63 (64-bit) with URL https://192.168.1.1, then I get the error.
I don't think the names are relevant, because I'm using an IP. The domain name "def.com" exists, but "abc" is arbitrary and not in the DNS.
For this error to appear, the domain name of the URL must not match one of the S.A.N. of the certificate, but it is matching as you can see.
Did you use a CA as well? Maybe something with the CA is wrong. I used key length 4096, digest sha512, country code CH, dummy entries for the rest and Common Name "internal-ca".
johnpoz (LAYER 8 Global Moderator):

DNS Name=abc

that is not a fqdn.. do not make certs with just a host name... you should ALWAYS no matter what use fqdn.. This is not 1989 and we are not using netbeui..

DNS Name=192.168.1.1

This is not a DNS name -- that would be an IP SAN...


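The distinction johnpoz draws above (a dNSName SAN holding "192.168.1.1" is not an iPAddress SAN, and a bare hostname is not an FQDN) can be reproduced on the command line. The script below is an added example, not code from this thread or from pfSense: it builds a private CA and the two server-certificate layouts discussed above with OpenSSL, then validates each one for a given access target the way a browser does, by matching the host in the URL against a SAN of the same type. The CA name "internal-ca", the FQDN abc.def.com and the address 192.168.1.1 are the thread's placeholders; the file names and the issue_cert, show_san and check helpers are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense: build the two
# certificate layouts discussed above with OpenSSL and verify each one for a
# given access target, matching the URL host against a SAN of the same type.
# abc.def.com, 192.168.1.1 and "internal-ca" are the thread's placeholders;
# all file names and helper names are this example's own assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Private CA, the equivalent of the one created under
# System / Certificate Manager / CAs.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/C=CH/CN=internal-ca" -keyout ca.key -out ca.crt >/dev/null 2>&1

# issue_cert NAME SANLIST: issue a server certificate with CN abc.def.com and
# the given subjectAltName list, signed by the CA above.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=abc.def.com" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$2" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -sha256 -extfile "$1.ext" -out "$1.crt" >/dev/null 2>&1
}

# The original poster's layout: the IP entered as a DNS-type SAN.
issue_cert wrong 'DNS:abc.def.com,DNS:192.168.1.1'
# The corrected layout: dNSName for the FQDN, iPAddress for the address.
issue_cert right 'DNS:abc.def.com,IP:192.168.1.1'

# show_san CERT: print the SAN line as OpenSSL decodes it, so the type of
# each entry ("DNS:" versus "IP Address:") is visible.
show_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# check CERT -verify_ip ADDR   or   check CERT -verify_hostname FQDN:
# chain-validate CERT against the CA and match it against one access
# target. Prints OK when the certificate is valid for that target, else FAIL.
check() {
  if openssl verify -CAfile ca.crt "$2" "$3" "$1" 2>/dev/null | grep -q ': OK$'; then
    echo OK
  else
    echo FAIL
  fi
}

echo "wrong.crt SAN: $(show_san wrong.crt)"
echo "right.crt SAN: $(show_san right.crt)"
echo "https://192.168.1.1 with wrong.crt: $(check wrong.crt -verify_ip 192.168.1.1)"
echo "https://192.168.1.1 with right.crt: $(check right.crt -verify_ip 192.168.1.1)"
echo "https://abc.def.com with right.crt: $(check right.crt -verify_hostname abc.def.com)"
echo "https://abc with right.crt:         $(check right.crt -verify_hostname abc)"
```

The first two lines of output make the mistake visible: OpenSSL prints the poster's entry as "DNS:192.168.1.1" and the corrected one as "IP Address:192.168.1.1". Only the iPAddress entry satisfies a check for the address typed into the URL bar, and "abc" fails against a certificate that carries abc.def.com. Against a live firewall the same check is `openssl s_client -connect 192.168.1.1:443 -CAfile ca.crt -verify_ip 192.168.1.1`. One caveat: OpenSSL still falls back to the CN when a certificate has no dNSName SAN at all, whereas Chrome ignores the CN entirely (since Chrome 58), so a certificate with a correct CN and no SAN passes `openssl verify` but still fails in Chrome.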
e4ch:

                Regarding the host name without FQDN, that was from another post I found here. Initially I only had the IP there and it didn't work, hence I tried more options. But it actually makes sense to have only the name (like "pfsense" or something) there as well, because if you are in a Windows domain, then the domain is added automatically and if DNS is configured like that, then only the "abc" should work too - but only if the name in the certificate matches of course. But I agree that this is not a good idea.

                But yes, you found the problem. Somehow I missed the dropdown with the Alternative Names Type, not sure why. Thanks for the screenshot (only visible to logged-in users), which made it clear. After creating a new certificate with the correct type ("IP address"), it now works. I wonder why IE didn't complain about this mismatch. It seems that Chrome is more strict there and that is good.

                Thanks for your help!

johnpoz (LAYER 8 Global Moderator):

                  "Windows domain, then the domain is added automatically"

that is a simple search suffix, and all OSes can be set up to do that.. But it's not going to do it in your browser.. It would be done on the dns query..

There is zero reason to put in just a hostname for a cert.. Try and get a CA to sign off on that ;)
