mirror of https://github.com/therootcompany/greenlock-express.js.git synced 2025-11-01 04:22:47 +00:00

Getting Net::ERR_CERT_COMMON_NAME_INVALID on Chrome #3

Closed
opened 2019-07-24 22:41:29 +00:00 by Ghost · 5 comments
Ghost commented 2019-07-24 22:41:29 +00:00

See attached image. Common name shows up as `*.commerceowl.com`.

To make matters worse, it's only happening for some people (looks like Windows 10 machines are prone to this).
coolaj86 commented 2019-07-25 00:11:00 +00:00
Owner

Click to see more info.

My guess is that the name on the certificate is something like `foo.com` and the domain being required is `bar.com`.

I believe that would be an error in the `approveDomains` logic.

The dns-01 plugins are pretty new, so it could be an issue in greenlock itself, but I think that's less likely.
coolaj86 commented 2019-07-25 00:11:54 +00:00
Owner

Is it all browsers on Windows 10? Or just a particular one?

Is it happening on other OSes at all?
Ghost commented 2019-07-25 03:11:23 +00:00
Author

I can't really get it to reproduce at all. It's a weird firewall or some security software context where it happens.

So, for the domain (dns-01 authed using wildcard `*.commerceowl.com`) `evoo2.commerceowl.com`, Common Name in the cert ends up being `coconut.sellwithrecipes.com` (http-01 authed custom domain). See screenshot.

Thoughts on how [approveDomains](https://git.rootprojects.org/root/greenlock-express.js/issues/2) is causing this issue?
coolaj86 commented 2019-07-25 04:54:10 +00:00
Owner

Whatever domain you list first becomes the subject of the certificate. All of the rest become altnames (SAN / SubjectAltName).

The list should be deterministic.

For any given domain you should always give back the same first domain name (the subject) and the same altnames.

If you're getting a request for one domain, but then you're giving it a more or less random domain as the certificate subject as the result of an unsorted database query I'm not sure what will happen.

What domains do you see in the SAN list on the cert?
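
Added example (not part of the thread and not greenlock's own code): one way to return the same subject and altnames for a given servername regardless of the order in which database rows come back. `certNamesFor`, `covers`, `subjectFirst` and the `{ names: [...] }` row shape are hypothetical, and no greenlock API is called.

```javascript
'use strict';

// Constructed sample rows, in the arbitrary order an unsorted query might
// return them. Each row lists the names meant to share one certificate.
const SAMPLE_ROWS = [
  { names: ['coconut.sellwithrecipes.com'] },
  { names: ['*.commerceowl.com', 'commerceowl.com'] },
];

// True when `pattern` (an exact name or a one-label wildcard) covers `host`.
function covers(pattern, host) {
  if (!pattern.startsWith('*.')) return pattern === host;
  const suffix = pattern.slice(1); // "*.example.com" -> ".example.com"
  if (!host.endsWith(suffix)) return false;
  const label = host.slice(0, host.length - suffix.length);
  return label.length > 0 && !label.includes('.');
}

// Stable order: plain names before wildcards, then byte-wise alphabetical.
function subjectFirst(a, b) {
  const wa = a.startsWith('*.');
  const wb = b.startsWith('*.');
  if (wa !== wb) return wa ? 1 : -1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Hypothetical helper: requested servername -> { subject, altnames } or null.
function certNamesFor(servername, rows) {
  const host = String(servername).toLowerCase().replace(/\.$/, '');
  const groups = rows
    .map((r) => [...new Set(r.names.map((n) => n.toLowerCase()))].sort(subjectFirst))
    .filter((names) => names.some((n) => covers(n, host)))
    .sort((a, b) => subjectFirst(a.join(','), b.join(',')));
  if (groups.length === 0) return null; // unknown name: approve nothing
  const [subject, ...altnames] = groups[0];
  return { subject, altnames };
}

console.log(certNamesFor('evoo2.commerceowl.com', SAMPLE_ROWS));
```

The lookup only ever returns names from a row that covers the requested servername, so a request for `evoo2.commerceowl.com` cannot come back with an unrelated custom domain as the subject.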
Ghost commented 2019-07-29 21:30:35 +00:00
Author

Looks like this was a weird IT environment where some "security" tool was doing a MITM and replacing the cert.
Ghost closed this issue 2019-07-29 21:30:35 +00:00