Use certificate with proper subjectAltName (Chrome 58 compatibility) #137

Open. padde wants to merge 1 commit into base: master

@padde padde commented May 16, 2017

Problem description

Dotjs stopped working with Chrome 58. Chrome will no longer accept a certificate without subjectAltName and will display this error instead:

Attackers might be trying to steal your information from localhost (for example, passwords, messages or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID

This server could not prove that it is localhost; its security certificate is from [missing_subjectAltName]. This may be caused by a misconfiguration or an attacker intercepting your connection.

For the announcement, see https://groups.google.com/a/chromium.org/forum/#!msg/security-dev/IGT2fLJrAeo/csf_1Rh1AwAJ

How the valid self-signed certificate was generated

For future reference, the openssl command used to generate the certificate was based on this StackOverflow post:

```
openssl req -config localhost.conf -new -x509 -sha256 -newkey rsa:2048 -nodes \
    -keyout localhost.key.pem -days 36500 -out localhost.cert.pem
```

```
# localhost.conf

[ req ]
default_bits        = 2048
default_keyfile     = server-key.pem
distinguished_name  = subject
req_extensions      = req_ext
x509_extensions     = x509_ext
string_mask         = utf8only

[ subject ]
countryName         = Country Name (2 letter code)
countryName_default     = US
stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = NY
localityName            = Locality Name (eg, city)
localityName_default        = Localhost
organizationName         = Organization Name (eg, company)
organizationName_default    = Localhost
commonName          = Common Name (e.g. server FQDN or YOUR name)
commonName_default      = Localhost
emailAddress            = Email Address
emailAddress_default        = [email protected]

[ x509_ext ]

subjectKeyIdentifier        = hash
authorityKeyIdentifier  = keyid,issuer
basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

[ req_ext ]
subjectKeyIdentifier        = hash
basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

[ alternate_names ]
DNS.1 = localhost
DNS.2 = 127.0.0.1
DNS.3 = ::1
```
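
Added example, not part of the pull request or the dotjs code: a small lint for the `[ alternate_names ]` section of a config like the one above, plus a SAN-only host match of the kind Chrome 58 enforces. It shows that `DNS.n` entries holding IP literals cover `localhost` but not `https://127.0.0.1`, which needs `IP.n` entries. `SAMPLE_CONF` is constructed from the config above, and all function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the SAN-related lines of the localhost.conf above.
SAMPLE_CONF = """\
[ x509_ext ]
subjectAltName   = @alternate_names

[ alternate_names ]
DNS.1 = localhost
DNS.2 = 127.0.0.1
DNS.3 = ::1
"""

def parse_sections(text):
    """Minimal OpenSSL-style config reader: {section: [(key, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current.append((key, value))
    return sections

def alt_names(text, ext_section="x509_ext"):
    """Follow subjectAltName = @section; return [(TYPE, value), ...]."""
    sections = parse_sections(text)
    ref = dict(sections.get(ext_section, [])).get("subjectAltName", "")
    return [(k.split(".")[0].upper(), v) for k, v in sections.get(ref.lstrip("@"), [])]

def classify(value):
    """Return ("IP", address) for an IP literal, else ("DNS", lowercased name)."""
    try:
        return "IP", ipaddress.ip_address(value)
    except ValueError:
        return "DNS", value.lower()

def lint(entries):
    """IP literals declared under DNS.n; these end up as dNSName entries."""
    return [v for t, v in entries if t == "DNS" and classify(v)[0] == "IP"]

def san_matches(host, entries):
    """SAN-only matching, no commonName fallback; wildcards are not handled."""
    kind, want = classify(host)
    return any(t == kind and classify(v) == (kind, want) for t, v in entries)
```

To check the issued certificate rather than the config, `openssl x509 -in localhost.cert.pem -noout -text` prints the Subject Alternative Name extension with each entry's type.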

keith commented Dec 31, 2018

This still works for me with Chrome 71.

@mathathlabcilabmat mathathlabcilabmat linked an issue Jun 30, 2023 that may be closed by this pull request