Why does Firefox give an SSL error indicating that the cert isn't valid for my site, when my site is listed in subjectAltName?
I have a CA which signed a cert for my (internal) web server. The CA is loaded into Firefox and the web server's cert is validated by Firefox when I browse to it using the CommonName in the cert.
However, if I use one of the subjectAltName names for the server, Firefox tells me that the certificate isn't valid for the site I'm browsing, then gives a list of valid sites, which includes the site I entered.
Firefox Version: 45.0
OS: Ubuntu 14.04
Error Message:
Your connection is not secure
[Advanced]
intranet.wmi.com uses an invalid security certificate.
The certificate is only valid for the following names: cac2.wmi.com, cac2.wmi.com., cac2, intranet.wmi.com, intranet.wmi.com., intranet
Error code: SSL_ERROR_BAD_CERT_DOMAIN
When I click on "SSL_ERROR_BAD_CERT_DOMAIN", the following text appears:
Unable to communicate securely with peer: requested domain name does not match the server's certificate.
HTTP Strict Transport Security: false
HTTP Public Key Pinning: false
Certificate chain:
-----BEGIN CERTIFICATE-----
MIIDnTCCAwagAwIBAgIBETANBgkqhkiG9w0BAQsFADCBqDELMAkGA1UEBhMCVVMx
FTATBgNVBAgTDFBlbm5zeWx2YW5pYTEVMBMGA1UEBxMMV2VzdCBDaGVzdGVyMQ8w
DQYDVQQKEwZDQUNXTUkxHjAcBgNVBAsTFUNlcnRpZmljYXRlIEF1dGhvcml0eTEZ
MBcGA1UEAxMQY2VydHMuY2Fjd21pLmNvbTEfMB0GCSqGSIb3DQEJARYQam9obm1A
Y2FjZHNwLmNvbTAeFw0xNjA0MDQwNDU5NDlaFw0xNzA0MDkwNDU5NDlaMIGTMQsw
CQYDVQQGEwJVUzEVMBMGA1UECBMMUGVubnN5bHZhbmlhMRUwEwYDVQQHEwxXZXN0
IENoZXN0ZXIxDDAKBgNVBAoTA1dNSTEQMA4GA1UECxMHV2Vic2l0ZTEVMBMGA1UE
AxMMY2FjMi53bWkuY29tMR8wHQYJKoZIhvcNAQkBFhBqb2hubUBjYWNkc3AuY29t
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqbSJMCK4ALH1yio+0f1xJlaZn
cgXz4TW4Lc29PbgP75BbCjo/UkyAHZk1UxuEfMvYXludKjXZy4HzIoxfjBo1twDm
yecb8X3hi8pkPDenkntFx0GIw5G9028kRh6TmjTnytI68VMVbh53G0dcIa0rAveg
UrK9i1YJ8oQtgOyEFwIDAQABo4HpMIHmMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgEN
BB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSV9V2U
TEAzCXmFfK43e0JQUXlqsTAfBgNVHSMEGDAWgBTXoC/0M5EPE2ovgLNGm8LpgOxJ
jjALBgNVHQ8EBAMCBeAwXgYDVR0RAQH/BFQwUoIMY2FjMi53bWkuY29tgg1jYWMy
LndtaS5jb20uggRjYWMyghBpbnRyYW5ldC53bWkuY29tghFpbnRyYW5ldC53bWku
Y29tLoIIaW50cmFuZXQwDQYJKoZIhvcNAQELBQADgYEAXDRhnQaxnP1/dwSObt/K
w9fUQv9BUsCFABYP+cePfqXikEHtzIB87/VFddz9ZKRQsfY3enpFTQrapq3NH3yj
ZOtA6lGmY8kt5lEfuAO7LzUWbRNyS8T6VKpQuAs51BQvZQEgRGavxxzFsY7Y1Gnu
qjFpcfvji63SdIKb7mlDzik=
-----END CERTIFICATE-----
Other info: I have tried marking subjectAltName critical and non-critical. The certificate above is the critical version. I have also tried all 6 alt names; only the one matching the CN works, the others fail with this error.
All Replies (2)
See this web page for contact information about Security (NSS) and Certificates.
Hi cor-el, thank you for your reply. I didn't see contact info there, but your pointer led me to the NSS tools.
Using certutil, I verified that my CA is listed in my Firefox profile's database. Then I used tstclnt to try the 6 names in subjectAltName and one I created for testing that isn't. With tstclnt, all 6 work fine; I only receive an SSL_ERROR_BAD_CERT_DOMAIN for the unlisted name, which is expected.
To me this seems like the NSS libraries are working correctly, so somehow I must have hit a bad interaction between Firefox and libnss3.
I'm not sure what I can try next to debug this issue.
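The thread leaves the difference between tstclnt and Firefox unexplained, so here is a worked example for checking it yourself. This is added code, not code from the thread, from Mozilla or from NSS. It walks the DER of the certificate posted above with a minimal TLV parser, pulls the dNSName entries out of the subjectAltName extension, and then matches a hostname against them in the order the list appears. The matching rules are my assumption about how mozilla::pkix treats presented identifiers (simplified, no wildcard support): a dNSName that ends in a dot such as `cac2.wmi.com.` is not a valid presented ID, because only the reference ID (the name typed into the address bar) may be an absolute name, and reaching such an entry before a match aborts the whole check, which Firefox reports as SSL_ERROR_BAD_CERT_DOMAIN. Under that assumption the symptom fits exactly: the first SAN entry equals the CN and matches before the bad entry is reached, while every other name has to pass `cac2.wmi.com.` first and fails. The trailing-dot-tolerant `any_entry_match` is likewise an assumption modelled on what the poster reports tstclnt doing, not NSS's real algorithm.

```python
import base64
import re

# The leaf certificate exactly as posted in the question (PEM).
POSTED_PEM = """-----BEGIN CERTIFICATE-----
MIIDnTCCAwagAwIBAgIBETANBgkqhkiG9w0BAQsFADCBqDELMAkGA1UEBhMCVVMx
FTATBgNVBAgTDFBlbm5zeWx2YW5pYTEVMBMGA1UEBxMMV2VzdCBDaGVzdGVyMQ8w
DQYDVQQKEwZDQUNXTUkxHjAcBgNVBAsTFUNlcnRpZmljYXRlIEF1dGhvcml0eTEZ
MBcGA1UEAxMQY2VydHMuY2Fjd21pLmNvbTEfMB0GCSqGSIb3DQEJARYQam9obm1A
Y2FjZHNwLmNvbTAeFw0xNjA0MDQwNDU5NDlaFw0xNzA0MDkwNDU5NDlaMIGTMQsw
CQYDVQQGEwJVUzEVMBMGA1UECBMMUGVubnN5bHZhbmlhMRUwEwYDVQQHEwxXZXN0
IENoZXN0ZXIxDDAKBgNVBAoTA1dNSTEQMA4GA1UECxMHV2Vic2l0ZTEVMBMGA1UE
AxMMY2FjMi53bWkuY29tMR8wHQYJKoZIhvcNAQkBFhBqb2hubUBjYWNkc3AuY29t
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqbSJMCK4ALH1yio+0f1xJlaZn
cgXz4TW4Lc29PbgP75BbCjo/UkyAHZk1UxuEfMvYXludKjXZy4HzIoxfjBo1twDm
yecb8X3hi8pkPDenkntFx0GIw5G9028kRh6TmjTnytI68VMVbh53G0dcIa0rAveg
UrK9i1YJ8oQtgOyEFwIDAQABo4HpMIHmMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgEN
BB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSV9V2U
TEAzCXmFfK43e0JQUXlqsTAfBgNVHSMEGDAWgBTXoC/0M5EPE2ovgLNGm8LpgOxJ
jjALBgNVHQ8EBAMCBeAwXgYDVR0RAQH/BFQwUoIMY2FjMi53bWkuY29tgg1jYWMy
LndtaS5jb20uggRjYWMyghBpbnRyYW5ldC53bWkuY29tghFpbnRyYW5ldC53bWku
Y29tLoIIaW50cmFuZXQwDQYJKoZIhvcNAQELBQADgYEAXDRhnQaxnP1/dwSObt/K
w9fUQv9BUsCFABYP+cePfqXikEHtzIB87/VFddz9ZKRQsfY3enpFTQrapq3NH3yj
ZOtA6lGmY8kt5lEfuAO7LzUWbRNyS8T6VKpQuAs51BQvZQEgRGavxxzFsY7Y1Gnu
qjFpcfvji63SdIKb7mlDzik=
-----END CERTIFICATE-----"""

SAN_OID = bytes.fromhex("551d11")  # id-ce-subjectAltName, 2.5.29.17


def pem_to_der(pem):
    """Drop the PEM armour lines and base64-decode the body."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def read_tlv(buf, pos):
    """Parse one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def children(buf, start, end):
    """Yield (tag, value_bytes) for each TLV inside buf[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        yield tag, buf[vs:ve]
        pos = ve


def san_dns_names(cert_der):
    """Return (critical, [dNSName, ...]) from the subjectAltName extension."""
    _, tbs_start, _ = read_tlv(cert_der, 0)             # Certificate ::= SEQUENCE
    _, tbs_vs, tbs_ve = read_tlv(cert_der, tbs_start)   # tbsCertificate ::= SEQUENCE
    for tag, value in children(cert_der, tbs_vs, tbs_ve):
        if tag != 0xA3:                                 # [3] EXPLICIT Extensions
            continue
        _, xs, xe = read_tlv(value, 0)                  # SEQUENCE OF Extension
        for _, ext in children(value, xs, xe):
            fields = list(children(ext, 0, len(ext)))   # OID, [critical BOOLEAN], OCTET STRING
            if fields[0][1] != SAN_OID:
                continue
            critical = len(fields) == 3 and fields[1][1] == b"\xff"
            _, gs, ge = read_tlv(fields[-1][1], 0)      # GeneralNames ::= SEQUENCE
            names = [v.decode("ascii") for t, v in children(fields[-1][1], gs, ge) if t == 0x82]
            return critical, names                      # 0x82 = [2] dNSName
    return False, []


LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")


def is_valid_presented_dns_id(name):
    """Presented-ID rules as assumed for mozilla::pkix (simplified, no wildcards):
    LDH labels of 1-63 octets, at most 253 octets in total, and no trailing dot."""
    if not 1 <= len(name) <= 253 or name.endswith("."):
        return False
    return all(len(l) <= 63 and bool(LABEL_RE.fullmatch(l)) for l in name.split("."))


def firefox_style_match(names, reference_id):
    """Walk the SAN in order. A malformed presented ID reached before a match aborts
    the check (assumption: surfaced by Firefox as SSL_ERROR_BAD_CERT_DOMAIN)."""
    ref = reference_id.rstrip(".").lower()      # reference IDs may be absolute
    for name in names:
        if not is_valid_presented_dns_id(name):
            return "malformed: " + name
        if name.lower() == ref:
            return "match"
    return "no match"


def any_entry_match(names, reference_id):
    """Naive comparison tolerating trailing dots (assumption modelled on the
    poster's tstclnt observation, not NSS's actual name-matching code)."""
    ref = reference_id.rstrip(".").lower()
    return any(n.rstrip(".").lower() == ref for n in names)


CERT_DER = pem_to_der(POSTED_PEM)
SAN_CRITICAL, SAN_NAMES = san_dns_names(CERT_DER)

if __name__ == "__main__":
    print("SAN critical:", SAN_CRITICAL, "names:", SAN_NAMES)
    for host in ["cac2.wmi.com", "intranet.wmi.com", "cac2", "intranet", "nosuch.wmi.com"]:
        print(f"{host:18} firefox-style: {firefox_style_match(SAN_NAMES, host):26} "
              f"any-entry: {any_entry_match(SAN_NAMES, host)}")
```

Running it prints `match` only for `cac2.wmi.com` under the strict walk and `malformed: cac2.wmi.com.` for the other listed names, while the lenient comparison accepts all six, which is the split the poster saw between Firefox and tstclnt. If this assumption holds, the fix is on the CA side: reissue the server certificate with a SAN that contains only `cac2.wmi.com` and `intranet.wmi.com` (and the short names if they are really needed), and confirm with `openssl x509 -in server.pem -noout -text` that no dNSName ends in a dot before loading it.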