



Subject Alternative Name Missing and ERR_SSL_VERSION_OR_CIPHER_MISMATCH (2)

I followed this answer to make https://localhost:3000/ work in Chrome on a Mac. Today it suddenly stopped working.

https://localhost:3000 gives Not Secure:

Subject Alternative Name Missing The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.

I re-trusted this certificate following the steps above; it did not help. Then I saw this answer: I need to regenerate the SSL keys.

I create v3.ext:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost

Then,

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -sha256 -extfile v3.ext

However, it returns

unknown option -extfile
req [options] <infile >outfile
where options are
 -inform arg    input format - DER or PEM
 -outform arg   output format - DER or PEM
 ...
 ...

Does anyone know what is wrong with my openssl command?

Otherwise, does anyone know how to fix the Subject Alternative Name Missing error or the NET::ERR_CERT_COMMON_NAME_INVALID error?

Edit 1: I tried following this answer, and here is my example-com.conf:

[ req ]
default_bits = 2048
default_keyfile = server-key.pem
distinguished_name = subject
req_extensions = req_ext
x509_extensions = x509_ext
string_mask = utf8only

# The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description).
# Its sort of a mashup. For example, RFC 4514 does not provide emailAddress.
[ subject ]
countryName = Country Name (2 letter code)
countryName_default = US

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = NY

localityName = Locality Name (eg, city)
localityName_default = New York

organizationName = Organization Name (eg, company)
organizationName_default = Example, LLC

# Use a friendly name here because its presented to the user. The server's DNS
# names are placed in Subject Alternate Names. Plus, DNS names here is deprecated
# by both IETF and CA/Browser Forums. If you place a DNS name here, then you
# must include the DNS name in the SAN too (otherwise, Chrome and others that
# strictly follow the CA/Browser Baseline Requirements will fail).
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = Example Company

emailAddress = Email Address
emailAddress_default = [email protected]

# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

# You only need digitalSignature below. *If* you don't allow
# RSA Key transport (i.e., you use ephemeral cipher suites), then
# omit keyEncipherment because that's key transport.
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"

# RFC 5280, Section 4.2.1.12 makes EKU optional
# CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
# In either case, you probably only need serverAuth.
# extendedKeyUsage = serverAuth, clientAuth

# Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"

# RFC 5280, Section 4.2.1.12 makes EKU optional
# CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
# In either case, you probably only need serverAuth.
# extendedKeyUsage = serverAuth, clientAuth

[ alternate_names ]
DNS.1 = localhost

# IPv4 localhost
IP.1 = 127.0.0.1

# IPv6 localhost
IP.2 = ::1

Then I ran

openssl req -config example-com.conf -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout example-com.key.pem -days 365 -out example-com.cert.pem

Reopening https://localhost:3000 in Chrome gives me

localhost uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Could anyone help?
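The command in the question fails because -extfile is an option of openssl x509, not of openssl req; openssl req -x509 reads its extensions from a -config file (optionally selecting the section with -extensions). Chrome has ignored the Common Name since version 58 and matches the host only against the Subject Alternative Name, so the SAN is what has to be present. The script below is an added example, not code from the question or from the answers it links to: it writes a minimal config with a SAN for localhost, 127.0.0.1 and ::1, generates the self-signed certificate non-interactively, and reads the SAN back so you can confirm it before pointing Chrome at it. The file names and the v3_server section name are my own choices.

```shell
#!/bin/sh
# Added example (not from the original question): self-signed localhost cert
# that carries the Subject Alternative Name Chrome requires. Extensions come
# from a -config file because `openssl req` has no -extfile option.
# File names and the section name v3_server are assumptions of this example.
set -eu

# make_localhost_cert DIR -> writes DIR/localhost.cnf, DIR/key.pem, DIR/cert.pem
make_localhost_cert() {
    dir=$1
    # prompt = no turns the [dn] entries into literal values instead of prompts,
    # so the command runs without interaction.
    cat > "$dir/localhost.cnf" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = dn
x509_extensions    = v3_server
req_extensions     = v3_server

[ dn ]
CN = localhost

[ v3_server ]
basicConstraints     = CA:FALSE
subjectKeyIdentifier = hash
keyUsage             = critical, digitalSignature, keyEncipherment
extendedKeyUsage     = serverAuth
subjectAltName       = @alt_names

[ alt_names ]
DNS.1 = localhost
IP.1  = 127.0.0.1
IP.2  = ::1
EOF
    # -x509 makes req emit a self-signed certificate instead of a CSR;
    # -extensions picks the section whose SAN ends up in the certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/localhost.cnf" -extensions v3_server \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# cert_san CERT -> prints the SAN line, e.g. "DNS:localhost, IP Address:127.0.0.1, ..."
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# cert_is_ca CERT -> exit 0 if the certificate asserts CA:TRUE (a server cert must not)
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Usage: sh make_localhost_cert.sh ./out
if [ "${1:-}" ]; then
    mkdir -p "$1"
    make_localhost_cert "$1"
    echo "Subject Alternative Name: $(cert_san "$1/cert.pem")"
fi
```

Point the server at key.pem and cert.pem; the remaining Chrome warning is only that the self-signed certificate is untrusted, which you clear by adding cert.pem to the OS trust store. If cert_san prints nothing, the SAN did not make it into the certificate and the -config/-extensions pair is what to check first.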


Thanks Oleg for a good solution. In my case the URI is specified as an IP address instead of a hostname; in the end I got the solution from here.

I edit Oleg's MyCompanyLocalhost.ext, from

subjectAltName = @alt_names
extendedKeyUsage = serverAuth
[alt_names]
DNS.1 = localhost
DNS.2 = mypc.mycompany.com

to

subjectAltName = @alt_names
extendedKeyUsage = serverAuth
[alt_names]
DNS.1 = domain.com
# IP address
IP.1 = 192.168.2.221
IP.2 = 127.0.0.1


I suggest the following solution: create a self-signed CA certificate and a web server certificate signed by this CA. When you install this small chain on your web server, it will work with Chrome.

Create a configuration file for your CA, MyCompanyCA.cnf, with this content (you can change it to your needs):

[ req ]
distinguished_name = req_distinguished_name
x509_extensions = root_ca
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, fully qualified host name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ root_ca ]
basicConstraints = critical, CA:true

Create the extensions configuration file MyCompanyLocalhost.ext for your web server certificate:

subjectAltName = @alt_names
extendedKeyUsage = serverAuth
[alt_names]
DNS.1 = localhost
DNS.2 = mypc.mycompany.com

Then run the following commands:

openssl req -x509 -newkey rsa:2048 -out MyCompanyCA.cer -outform PEM -keyout MyCompanyCA.pvk -days 10000 -verbose -config MyCompanyCA.cnf -nodes -sha256 -subj "/CN=MyCompany CA"
openssl req -newkey rsa:2048 -keyout MyCompanyLocalhost.pvk -out MyCompanyLocalhost.req -subj /CN=localhost -sha256 -nodes
openssl x509 -req -CA MyCompanyCA.cer -CAkey MyCompanyCA.pvk -in MyCompanyLocalhost.req -out MyCompanyLocalhost.cer -days 10000 -extfile MyCompanyLocalhost.ext -sha256 -set_serial 0x1111

As a result you will get the files MyCompanyCA.cer, MyCompanyLocalhost.cer and MyCompanyLocalhost.pvk, which you can install on the web server.

How to verify that it works with Chrome before installing the certificates on the web server: run the following command on your local PC to start a web server simulator:

openssl s_server -accept 15000 -cert MyCompanyLocalhost.cer -key MyCompanyLocalhost.pvk -CAfile MyCompanyCA.cer -WWW

Then you can open https://localhost:15000/. You will see an error saying that MyCompanyLocalhost.cer is not trusted; if you also want to get rid of that error, install MyCompanyCA.cer in your OS's list of trusted certificates.
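The answer above builds a two-certificate chain by hand and then eyeballs the result in Chrome. The script below is an added example, not Oleg's code: it produces the same kind of chain (a private CA with CA:TRUE, a server certificate signed by it whose SAN lists the hosts, using -extfile on openssl x509 where it is valid) and then runs the checks a browser performs, so a broken chain shows up on the command line before anything is installed. It reuses the answer's s_server simulator for an end-to-end handshake from openssl s_client configured to trust only the CA. File names (ca.pem, server.pem, ...), the serial handling via -CAcreateserial and the default port are my own choices.

```shell
#!/bin/sh
# Added example (not from the original answer): private CA + SAN-bearing server
# certificate, then the verification a browser would do. File names and the
# port are assumptions of this example.
set -eu

# make_chain DIR -> DIR/ca.pem, DIR/ca.key, DIR/server.pem, DIR/server.key
make_chain() {
    dir=$1
    # 1. Self-signed CA; CA:TRUE plus keyCertSign is what lets it sign the leaf.
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca

[ dn ]
CN = MyCompany CA

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null

    # 2. Server key and CSR. Chrome ignores the CN; only the SAN below matters.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=localhost" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null

    # 3. Leaf extensions. -extfile is valid here because this is `openssl x509`.
    cat > "$dir/server.ext" <<'EOF'
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = @alt_names

[ alt_names ]
DNS.1 = localhost
DNS.2 = mypc.mycompany.com
IP.1  = 127.0.0.1
EOF
    openssl x509 -req -sha256 -days 825 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.pem" 2>/dev/null
}

# verify_chain DIR -> prints "DIR/server.pem: OK" when the leaf chains to the CA
verify_chain() {
    openssl verify -CAfile "$1/ca.pem" "$1/server.pem"
}

# cert_san CERT -> prints the SAN line of a certificate
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# cert_is_ca CERT -> exit 0 if the certificate asserts CA:TRUE
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# tls_check DIR PORT -> the answer's s_server simulator in the background, then
# s_client trusting only ca.pem and checking the hostname, as a browser would.
# "Verify return code: 0 (ok)" means Chrome with ca.pem installed accepts it.
tls_check() {
    openssl s_server -accept "$2" -cert "$1/server.pem" -key "$1/server.key" -www \
        >/dev/null 2>&1 &
    pid=$!
    sleep 1
    openssl s_client -connect "localhost:$2" -CAfile "$1/ca.pem" \
        -verify_hostname localhost </dev/null 2>/dev/null \
        | grep 'Verify return code' || true
    kill "$pid"
}

# Usage: sh make_chain.sh ./out [port]
if [ "${1:-}" ]; then
    mkdir -p "$1"
    make_chain "$1"
    verify_chain "$1"
    echo "leaf SAN: $(cert_san "$1/server.pem")"
    tls_check "$1" "${2:-15000}"
fi
```

Install server.pem and server.key on the web server and ca.pem in the OS trust store, exactly as the answer describes for the .cer/.pvk files. If verify_chain reports anything other than OK, or tls_check prints a non-zero verify code such as "hostname mismatch", the certificate will also fail in Chrome, and the SAN list or the CA's basicConstraints is the first thing to inspect.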