google-chrome - error - net::err_cert_common_name_invalid ubuntu
Subject Alternative Name Missing and ERR_SSL_VERSION_OR_CIPHER_MISMATCH (2)
I followed this answer to get https://localhost:3000/ working in Chrome on Mac. Today, suddenly, it no longer works.
https://localhost:3000 gives Not Secure:
Subject Alternative Name Missing
The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.
I trusted this certificate again following the steps above; it didn't help. Then I saw this answer: I need to redo the SSL keys.
I create v3.ext:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
Then,
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -sha256 -extfile v3.ext
However, it returns
unknown option -extfile
req [options] <infile >outfile
where options are
-inform arg input format - DER or PEM
-outform arg output format - DER or PEM
... ...
Does anyone know what is wrong with my openssl command?
Otherwise, does anyone know how to fix the Subject Alternative Name Missing error or the NET::ERR_CERT_COMMON_NAME_INVALID error?
Edit 1: I tried to follow this answer and here is my example-com.conf:
[ req ]
default_bits = 2048
default_keyfile = server-key.pem
distinguished_name = subject
req_extensions = req_ext
x509_extensions = x509_ext
string_mask = utf8only
# The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description).
# Its sort of a mashup. For example, RFC 4514 does not provide emailAddress.
[ subject ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = NY
localityName = Locality Name (eg, city)
localityName_default = New York
organizationName = Organization Name (eg, company)
organizationName_default = Example, LLC
# Use a friendly name here because it's presented to the user. The server's DNS
# names are placed in Subject Alternate Names. Plus, DNS names here is deprecated
# by both IETF and CA/Browser Forums. If you place a DNS name here, then you
# must include the DNS name in the SAN too (otherwise, Chrome and others that
# strictly follow the CA/Browser Baseline Requirements will fail).
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = Example Company
emailAddress = Email Address
emailAddress_default = [email protected]
# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# You only need digitalSignature below. *If* you don't allow
# RSA Key transport (i.e., you use ephemeral cipher suites), then
# omit keyEncipherment because that's key transport.
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
# RFC 5280, Section 4.2.1.12 makes EKU optional
# CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
# In either case, you probably only need serverAuth.
# extendedKeyUsage = serverAuth, clientAuth
# Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
# RFC 5280, Section 4.2.1.12 makes EKU optional
# CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
# In either case, you probably only need serverAuth.
# extendedKeyUsage = serverAuth, clientAuth
[ alternate_names ]
DNS.1 = localhost
# IPv4 localhost
IP.1 = 127.0.0.1
# IPv6 localhost
IP.2 = ::1
Then I ran
openssl req -config example-com.conf -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout example-com.key.pem -days 365 -out example-com.cert.pem
Reopening https://localhost:3000 in Chrome gives me
localhost uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Could anyone help?
Thanks Oleg for a good solution. In my case the URI is specified as an IP address instead of a host name; I finally got the solution from here.
I edit Oleg's MyCompanyLocalhost.ext from
subjectAltName = @alt_names
extendedKeyUsage = serverAuth
[alt_names]
DNS.1 = localhost
DNS.2 = mypc.mycompany.com
to
subjectAltName = @alt_names
extendedKeyUsage = serverAuth
[alt_names]
DNS.1 = domain.com
# IP address
IP.1 = 192.168.2.221
IP.2 = 127.0.0.1
I suggest the following solution: create a self-signed CA certificate and a web server certificate signed by this CA. When you install this small chain on your web server, it will work with Chrome.
Create a configuration file MyCompanyCA.cnf for your CA with the following content (you can change it to suit your needs):
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = root_ca
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, fully qualified host name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ root_ca ]
basicConstraints = critical, CA:true
Create the extensions configuration file MyCompanyLocalhost.ext for your web server certificate:
subjectAltName = @alt_names
extendedKeyUsage = serverAuth
[alt_names]
DNS.1 = localhost
DNS.2 = mypc.mycompany.com
Then run the following commands:
openssl req -x509 -newkey rsa:2048 -out MyCompanyCA.cer -outform PEM -keyout MyCompanyCA.pvk -days 10000 -verbose -config MyCompanyCA.cnf -nodes -sha256 -subj "/CN=MyCompany CA"
openssl req -newkey rsa:2048 -keyout MyCompanyLocalhost.pvk -out MyCompanyLocalhost.req -subj /CN=localhost -sha256 -nodes
openssl x509 -req -CA MyCompanyCA.cer -CAkey MyCompanyCA.pvk -in MyCompanyLocalhost.req -out MyCompanyLocalhost.cer -days 10000 -extfile MyCompanyLocalhost.ext -sha256 -set_serial 0x1111
As a result you will get the files MyCompanyCA.cer, MyCompanyLocalhost.cer and MyCompanyLocalhost.pvk, which you can install on the web server.
How to check that it works with Chrome before installing the certificates on the web server: run the following command on your local PC to start a web server simulator:
openssl s_server -accept 15000 -cert MyCompanyLocalhost.cer -key MyCompanyLocalhost.pvk -CAfile MyCompanyCA.cer -WWW
Then you can open this page at https://localhost:15000/. You will see an error saying that MyCompanyLocalhost.cer is not trusted; if you also want to get rid of that error, install MyCompanyCA.cer in your OS's list of trusted certificates.
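The CA-plus-leaf procedure above, and the SAN requirement from the question, as an added example that is not part of the original question or answer. It scripts the same two-step flow (self-signed CA, then a server certificate signed by that CA with a subjectAltName extension) and then runs the checks a practitioner would want before blaming the browser: does the leaf actually carry the SAN, does the chain verify for the sslserver purpose and the host name localhost, and does the private key the server will load match the certificate. All file names, the CA name and the SAN values are constructed for this example; it needs only the openssl CLI and writes into a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post): build a small CA + leaf chain
# with a SAN extension, then verify it the way a browser would.
# Names and values below are constructed; adjust WORK to keep the output.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA. prompt=no lets the [dn] section hold literal values.
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = root_ca
prompt = no
[ dn ]
CN = Example Dev CA
[ root_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Leaf certificate: CSR with only a CN, extensions (including the SAN that
# Chrome requires) are applied by the CA at signing time via -extfile.
make_leaf() {
  cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
IP.2 = ::1
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj /CN=localhost \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 825 -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/leaf.ext" \
    -in "$WORK/leaf.csr" -out "$WORK/leaf.crt" 2>/dev/null
}

# Check 1: the SAN extension is really present (a CN alone is not enough).
has_san() {
  if openssl x509 -in "$WORK/leaf.crt" -noout -text | grep -q "DNS:localhost"; then
    echo yes
  else
    echo no
  fi
}

# Check 2: the chain verifies as a TLS server certificate for host "localhost".
chain_ok() {
  if openssl verify -purpose sslserver -verify_hostname localhost \
       -CAfile "$WORK/ca.crt" "$WORK/leaf.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Check 3: the key file the server loads belongs to this certificate.
# A server started with a mismatched key/cert pair cannot complete a handshake.
key_matches() {
  c=$(openssl x509 -in "$WORK/leaf.crt" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$WORK/leaf.key" -pubout | openssl sha256)
  if [ "$c" = "$k" ]; then echo yes; else echo no; fi
}

# Usage: run everything and report. Files stay in $WORK for inspection.
run_all() {
  make_ca
  make_leaf
  echo "san=$(has_san) chain=$(chain_ok) key=$(key_matches) dir=$WORK"
}
```

Run it with `sh chain-check.sh` after adding a `run_all` call at the end, then trust `$WORK/ca.crt` in the OS store exactly as the answer describes for MyCompanyCA.cer; the leaf can be handed to `openssl s_server -cert "$WORK/leaf.crt" -key "$WORK/leaf.key"` for the same browser test.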