mirror of https://github.com/therootcompany/greenlock-express.js.git synced 2025-04-12 18:40:38 +00:00

Getting Net::ERR_CERT_COMMON_NAME_INVALID on Chrome #3

Closed
opened 2019-07-24 22:41:29 +00:00 by Ghost · 5 comments

See attached image. Common name shows up as `*.commerceowl.com`.

To make matters worse, it's only happening for some people (looks like Windows 10 machines are prone to this).
Owner

Click to see more info.

My guess is that the name on the certificate is something like `foo.com` and the domain being required is `bar.com`.

I believe that would be an error in the `approveDomains` logic.

The dns-01 plugins are pretty new, so it could be an issue in greenlock itself, but I think that's less likely.
Owner

Is it all browsers on Windows 10? Or just a particular one?

Is it happening on other OSes at all?
Author

I can't really get it to reproduce at all. It's a weird firewall or some security software context where it happens.

So, for the domain (dns-01 authed using wildcard `*.commerceowl.com`) `evoo2.commerceowl.com`, Common Name in the cert ends up being `coconut.sellwithrecipes.com` (http-01 authed custom domain). See screenshot.

Thoughts on how [approveDomains](https://git.rootprojects.org/root/greenlock-express.js/issues/2) is causing this issue?
Owner

Whatever domain you list first becomes the subject of the certificate. All of the rest become altnames (SAN / SubjectAltName).

The list should be deterministic.

For any given domain you should always give back the same first domain name (the subject) and the same altnames.

If you're getting a request for one domain, but then you're giving it a more or less random domain as the certificate subject as the result of an unsorted database query I'm not sure what will happen.

What domains do you see in the SAN list on the cert?
Author

Looks like this was a weird IT environment where some "security" tool was doing a MITM and replacing the cert.
Ghost closed this issue 2019-07-29 21:30:35 +00:00
Reference: root/greenlock-express.js#3