Tìm kiếm hỗ trợ

Tránh các lừa đảo về hỗ trợ. Chúng tôi sẽ không bao giờ yêu cầu bạn gọi hoặc nhắn tin đến số điện thoại hoặc chia sẻ thông tin cá nhân. Vui lòng báo cáo hoạt động đáng ngờ bằng cách sử dụng tùy chọn "Báo cáo lạm dụng".

Learn More

SSL_ERROR_BAD_CERT_DOMAIN with SAN certificate

  • 2 trả lời
  • 1 gặp vấn đề này
  • 12 lượt xem
  • Trả lời mới nhất được viết bởi lalirat

more options

I am testing with a SAN certificate shown at the bottom -- The CN is gvm and contains the SANs 172.28.242.30, 172.28.242.28, 172.28.242.25, 172.28.242.24, 172.28.242.29, 172.28.242.30, 172.28.242.28, 172.28.242.25, 172.28.242.24, 172.28.242.29, 172.28.242.30, cem, cmtg, gsec.ott7gvm1.genband.com, gvm, gvweb.ott7gvm1.genband.com.

When I access my website using Firefox 62.4 (on WIndows 8.1) and URL https://172.28.242.25:2443, I get the login page without any warnings. However, using https://gsec.ott7gvm1.genband.com:2443 results in the following warning -- Note that other browsers, IE and Chrome works without this warning.


gsec.ott7gvm1.genband.com:2443 uses an invalid security certificate.

The certificate is only valid for the following names: 172.28.242.30, 172.28.242.28, 172.28.242.25, 172.28.242.24, 172.28.242.29, 172.28.242.30, 172.28.242.28, 172.28.242.25, 172.28.242.24, 172.28.242.29, 172.28.242.30, cem, cmtg, gsec.ott7gvm1.genband.com, gvm, gvweb.ott7gvm1.genband.com Error code: SSL_ERROR_BAD_CERT_DOMAIN


I am at a loss to understand the root cause of this issue . I tried uninstalling / re-installing Firefox and renaming cert9.db with much luck.


BEGIN CERTIFICATE-----

MIIGizCCBHOgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgY8xCzAJBgNVBAYTAkNB MRAwDgYDVQQIDAdPbnRhcmlvMR4wHAYDVQQKDBVSaWJib24gQ29tbXVuaWNhdGlv bnMxKTAnBgNVBAsMIFJpYmJvbiBDMjAgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MSMw IQYDVQQDDBpSaWJib24gQzIwIEludGVybWVkaWF0ZSBDQTAeFw0xODA5MTQwMzA2 MTFaFw0yODEyMjAwMzA2MTFaMF0xCzAJBgNVBAYTAkNBMQswCQYDVQQIDAJPTjEP MA0GA1UEBwwGT3R0YXdhMQ8wDQYDVQQKDAZSaWJib24xETAPBgNVBAsMCFNlY3Vy aXR5MQwwCgYDVQQDDANndm0wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQDdXoa40UF6a2FGZF1qOaBvLq/KXpeDeiNH3lcGvc5poUjZmOIO29GbpNfPzw67 a1dTtleURSeDDD/5jTIoA33/gNLpSTgUODNBKlCS4KJZNs2mJwfFAlRN7adIn/yi aPIHou0iFA3NtK/U41Fau/fEo6CJRehiPdUTpvsCMISICJYcQvywly4N1bynZlLm 3VCfgmvvSJKvUGWmukCUwDz7zIJ9Iy6NypEqvcFL4taa9BTKCj/t+VaByenxnGm9 Lawy99lPGn1lMU16BA6ZroSJdyYctJXD/Ba6NHTGkOp7R+dX+vvId2Ax3uUBdLaF cXwYmfV48CtWtXMn2BAzI8AhAgMBAAGjggIgMIICHDAJBgNVHRMEAjAAMBEGCWCG SAGG+EIBAQQEAwIGQDAzBglghkgBhvhCAQ0EJhYkT3BlblNTTCBHZW5lcmF0ZWQg U2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBS/lnccheoSdMSAcI3RZ6HQ/yIt ZjCBtQYDVR0jBIGtMIGqgBShJAKvPFFkDVHb29yQNKcpc+vSeKGBjaSBijCBhzEL MAkGA1UEBhMCQ0ExEDAOBgNVBAgMB09udGFyaW8xHjAcBgNVBAoMFVJpYmJvbiBD b21tdW5pY2F0aW9uczEpMCcGA1UECwwgUmliYm9uIEMyMCBDZXJ0aWZpY2F0ZSBB dXRob3JpdHkxGzAZBgNVBAMMElJpYmJvbiBDMjAgUm9vdCBDQYICEAAwDgYDVR0P AQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMIHKBgNVHREEgcIwgb+HBKwc 8h6HBKwc8hyHBKwc8hmHBKwc8hiHBKwc8h2CDTE3Mi4yOC4yNDIuMzCCDTE3Mi4y OC4yNDIuMjiCDTE3Mi4yOC4yNDIuMjWCDTE3Mi4yOC4yNDIuMjSCDTE3Mi4yOC4y NDIuMjmCDTE3Mi4yOC4yNDIuMzCCA2NlbYIEY210Z4IZZ3NlYy5vdHQ3Z3ZtMS5n ZW5iYW5kLmNvbYIDZ3ZtghpndndlYi5vdHQ3Z3ZtMS5nZW5iYW5kLmNvbTANBgkq hkiG9w0BAQsFAAOCAgEAMzOSS46TlO9PNPWgAUyaYCYDsFzvVC7gCk6ne2x2z3v6 qfyaANw0a4h2ItQf4CymQ6I9X52LN80u4oc7qF+fW+zDdhiHMx8swGv31h8KiRKu 9fHZrCMWLWJFFHVtnuooK+wMQUWaRbsQDu94EBqmyE66Xg+Gg2cMGqGJ3Oko40kT xaYVogvvIzKqVN6z+h0FjetH9UrmlLAYu+LMem+TD5ddPcDOnKIPUnK6E136xqN9 H2u3pTjRf0aDEIUOj5fTGl5NDRxUSqSqWWlARTd+LkqF/sVi6WHh8qCaEeAOEsvz 8cRLqstV6ZEptXD7cbio2oO8ziGEEW8uLqxMjikesL3GC+D67JyD9NwuuKsalKGR r9+4S1nGhTuZy5BxbRRNbTkzh/gxMkGBHgFJz4fsn4dOX1eF9ZhKDBJdomqV0h91 fcnovlIR6y12a1ZKxo20yFYnmT3g1rW1BoDNVy/8Ob/MsZqWpQLRaZ85gCfsFGDn tc6R5N6FKDUZy0hJosuzFiFxeUHy9sXddc0BZPAswsawHWBn3rDNH/iRH/EHi3G2 bH4Ua5e6KcODjAImQaMPWgtRV8P2iSVAwShEPlbVMyA2uSDmra6g3mXGOBI4VuWS VC0g0wv2H8AdkMR0DdgTFs/JvJtSBwMFWsLKqmRac454F1zPALLNsOKNOdziTW4=


END CERTIFICATE-----
I am testing with a SAN certificate shown at the bottom -- The CN is gvm and contains the SANs 172.28.242.30, 172.28.242.28, 172.28.242.25, 172.28.242.24, 172.28.242.29, 172.28.242.30, 172.28.242.28, 172.28.242.25, 172.28.242.24, 172.28.242.29, 172.28.242.30, cem, cmtg, gsec.ott7gvm1.genband.com, gvm, gvweb.ott7gvm1.genband.com. When I access my website using Firefox 62.4 (on WIndows 8.1) and URL https://172.28.242.25:2443, I get the login page without any warnings. However, using https://gsec.ott7gvm1.genband.com:2443 results in the following warning -- Note that other browsers, IE and Chrome works without this warning. -------------------------------------------------------------- gsec.ott7gvm1.genband.com:2443 uses an invalid security certificate. The certificate is only valid for the following names: 172.28.242.30, 172.28.242.28, 172.28.242.25, 172.28.242.24, 172.28.242.29, 172.28.242.30, 172.28.242.28, 172.28.242.25, 172.28.242.24, 172.28.242.29, 172.28.242.30, cem, cmtg, gsec.ott7gvm1.genband.com, gvm, gvweb.ott7gvm1.genband.com Error code: SSL_ERROR_BAD_CERT_DOMAIN --------------------------------------------------------------------- I am at a loss to understand the root cause of this issue . I tried uninstalling / re-installing Firefox and renaming cert9.db with much luck. -----BEGIN CERTIFICATE----- MIIGizCCBHOgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgY8xCzAJBgNVBAYTAkNB MRAwDgYDVQQIDAdPbnRhcmlvMR4wHAYDVQQKDBVSaWJib24gQ29tbXVuaWNhdGlv bnMxKTAnBgNVBAsMIFJpYmJvbiBDMjAgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MSMw IQYDVQQDDBpSaWJib24gQzIwIEludGVybWVkaWF0ZSBDQTAeFw0xODA5MTQwMzA2 MTFaFw0yODEyMjAwMzA2MTFaMF0xCzAJBgNVBAYTAkNBMQswCQYDVQQIDAJPTjEP MA0GA1UEBwwGT3R0YXdhMQ8wDQYDVQQKDAZSaWJib24xETAPBgNVBAsMCFNlY3Vy aXR5MQwwCgYDVQQDDANndm0wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQDdXoa40UF6a2FGZF1qOaBvLq/KXpeDeiNH3lcGvc5poUjZmOIO29GbpNfPzw67 a1dTtleURSeDDD/5jTIoA33/gNLpSTgUODNBKlCS4KJZNs2mJwfFAlRN7adIn/yi aPIHou0iFA3NtK/U41Fau/fEo6CJRehiPdUTpvsCMISICJYcQvywly4N1bynZlLm 3VCfgmvvSJKvUGWmukCUwDz7zIJ9Iy6NypEqvcFL4taa9BTKCj/t+VaByenxnGm9 Lawy99lPGn1lMU16BA6ZroSJdyYctJXD/Ba6NHTGkOp7R+dX+vvId2Ax3uUBdLaF cXwYmfV48CtWtXMn2BAzI8AhAgMBAAGjggIgMIICHDAJBgNVHRMEAjAAMBEGCWCG SAGG+EIBAQQEAwIGQDAzBglghkgBhvhCAQ0EJhYkT3BlblNTTCBHZW5lcmF0ZWQg U2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBS/lnccheoSdMSAcI3RZ6HQ/yIt ZjCBtQYDVR0jBIGtMIGqgBShJAKvPFFkDVHb29yQNKcpc+vSeKGBjaSBijCBhzEL MAkGA1UEBhMCQ0ExEDAOBgNVBAgMB09udGFyaW8xHjAcBgNVBAoMFVJpYmJvbiBD b21tdW5pY2F0aW9uczEpMCcGA1UECwwgUmliYm9uIEMyMCBDZXJ0aWZpY2F0ZSBB dXRob3JpdHkxGzAZBgNVBAMMElJpYmJvbiBDMjAgUm9vdCBDQYICEAAwDgYDVR0P AQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMIHKBgNVHREEgcIwgb+HBKwc 8h6HBKwc8hyHBKwc8hmHBKwc8hiHBKwc8h2CDTE3Mi4yOC4yNDIuMzCCDTE3Mi4y OC4yNDIuMjiCDTE3Mi4yOC4yNDIuMjWCDTE3Mi4yOC4yNDIuMjSCDTE3Mi4yOC4y NDIuMjmCDTE3Mi4yOC4yNDIuMzCCA2NlbYIEY210Z4IZZ3NlYy5vdHQ3Z3ZtMS5n ZW5iYW5kLmNvbYIDZ3ZtghpndndlYi5vdHQ3Z3ZtMS5nZW5iYW5kLmNvbTANBgkq hkiG9w0BAQsFAAOCAgEAMzOSS46TlO9PNPWgAUyaYCYDsFzvVC7gCk6ne2x2z3v6 qfyaANw0a4h2ItQf4CymQ6I9X52LN80u4oc7qF+fW+zDdhiHMx8swGv31h8KiRKu 9fHZrCMWLWJFFHVtnuooK+wMQUWaRbsQDu94EBqmyE66Xg+Gg2cMGqGJ3Oko40kT xaYVogvvIzKqVN6z+h0FjetH9UrmlLAYu+LMem+TD5ddPcDOnKIPUnK6E136xqN9 H2u3pTjRf0aDEIUOj5fTGl5NDRxUSqSqWWlARTd+LkqF/sVi6WHh8qCaEeAOEsvz 8cRLqstV6ZEptXD7cbio2oO8ziGEEW8uLqxMjikesL3GC+D67JyD9NwuuKsalKGR r9+4S1nGhTuZy5BxbRRNbTkzh/gxMkGBHgFJz4fsn4dOX1eF9ZhKDBJdomqV0h91 fcnovlIR6y12a1ZKxo20yFYnmT3g1rW1BoDNVy/8Ob/MsZqWpQLRaZ85gCfsFGDn tc6R5N6FKDUZy0hJosuzFiFxeUHy9sXddc0BZPAswsawHWBn3rDNH/iRH/EHi3G2 bH4Ua5e6KcODjAImQaMPWgtRV8P2iSVAwShEPlbVMyA2uSDmra6g3mXGOBI4VuWS VC0g0wv2H8AdkMR0DdgTFs/JvJtSBwMFWsLKqmRac454F1zPALLNsOKNOdziTW4= -----END CERTIFICATE-----

Tất cả các câu trả lời (2)

more options

I don't see any obvious issue, such as an extra subdomain.

Do any of the non-IP hostnames work?

You might want to file a bug for this. The inner workings of parsing the Subject Alt Name field are a little obscure for the support forum volunteers.

https://bugzilla.mozilla.org/

more options

I suspect Firefox does not handle the SANs with both IPs and FQDNs well.

I could do some more testing to see if the SAN order matters and /or specifying the IP as both IPAddress and DNS is causing the issue (the latter is required for IE to recognize IPs as valid SANs!).

But it would be much easier for someone who is familiar with the Firefox implementation to figure it out. I will open a bug report.

I tested with the simplified SAN certificate below (no IPs) and both URLs https://gsec2:2443 and https://gsec.sa2rms.ca.nortel.com:2443 worked.


BEGIN CERTIFICATE-----

MIIF7TCCA9WgAwIBAgICEAMwDQYJKoZIhvcNAQELBQAwgY8xCzAJBgNVBAYTAkNB MRAwDgYDVQQIDAdPbnRhcmlvMR4wHAYDVQQKDBVSaWJib24gQ29tbXVuaWNhdGlv bnMxKTAnBgNVBAsMIFJpYmJvbiBDMjAgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MSMw IQYDVQQDDBpSaWJib24gQzIwIEludGVybWVkaWF0ZSBDQTAeFw0xODA5MTUyMDE4 NTlaFw0yODEyMjEyMDE4NTlaMF8xCzAJBgNVBAYTAkNBMQswCQYDVQQIDAJPTjEP MA0GA1UEBwwGT3R0YXdhMQ8wDQYDVQQKDAZSaWJib24xETAPBgNVBAsMCFNlY3Vy aXR5MQ4wDAYDVQQDDAVnc2VjMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC ggEBAMOGR8bPxpAuJwS9B62kEmj8ZS2/bxjG24/oJM5W1toSBb0X+G4qBJY/TOxW G85zo58vwZSDDotEUOlTghkxpHpxDOBAyIJN4n9t+y8eGFN3afWu3tP3YjPF0N9O 2l3qZEZpZEwKW99WPsDOg/0EdPMExZ+f/a7nxfbv/U+kRXYxdlgtuFhGpUXT+S5q 5b/dmXhYSt4rvpaSQEk0bROcgopp5b30dauODp6wlCaPhTDMrwzB/S4pctqPnGdj 4jNOzYxgdV5yfMCKWR9td8B9YL1EbkuRFzGiOOpSmvUx77FajcWsLQ+5J2LT3c1e nrgWzv08PiL1MtIMx3bzBXx75UUCAwEAAaOCAYAwggF8MAkGA1UdEwQCMAAwEQYJ YIZIAYb4QgEBBAQDAgZAMDMGCWCGSAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRl ZCBTZXJ2ZXIgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFGPADbfxX+72vfFr2pwD6MOF DRu6MIG1BgNVHSMEga0wgaqAFKEkAq88UWQNUdvb3JA0pylz69J4oYGNpIGKMIGH MQswCQYDVQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzEeMBwGA1UECgwVUmliYm9u IENvbW11bmljYXRpb25zMSkwJwYDVQQLDCBSaWJib24gQzIwIENlcnRpZmljYXRl IEF1dGhvcml0eTEbMBkGA1UEAwwSUmliYm9uIEMyMCBSb290IENBggIQADAOBgNV HQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwKwYDVR0RBCQwIoIZZ3Nl Yy5zYTJybXMuY2Eubm9ydGVsLmNvbYIFZ3NlYzIwDQYJKoZIhvcNAQELBQADggIB AKLUHe0Q9HSENlIuyzx/ZC6QvN8HC8IYMUPvXZoe84i1gS/L3xxZys1nCUCmREA6 DUpcoWNzdWTx6elyXxyieNBdKeGslVvtJcyWLL4CfnuULW7gr3qPc3W+eQaqOIF9 33Q5UYlVsd7w+aYL90mBDsE1Y7s/aHRQgK6OcnyV7xJhMZUsDM96OsZiBkUZnedN D3OackCtR0s3uvkgsmPl0sDbjSlNqfDU8ruGkPvySthTi/+JJCfwy1k/1xgLU1/Q 3Ffz3n5DMZGBg2KKaI58hRPoOLRnO9ha1CvVtUhqolTYwLlF5xycMPFvS1tm5Y2O SsbHzO8dvKY3LmIck4lQs1SkQNI6/iOu4eIZYR+DIt8r+rqh59OJ/hpk0U4PsS88 ehaPdRtRO46nwQ96TafrQtxPFa3t+h9pqMTpGun5VyQSE6dbNXL6f8C0/0aD4+8d ykI+6HLnafurEZNfjbIY8LoJjtwGsgjxilPR/aHVCNmWrYLJ7M+sRxh0D/tk4el9 Lc7Y2b3LqvTZ9HY8ApCzVWzJjdeAVv4NKREJyuqhXtXJ4O7PNgBjKHZHFPSxBtZV vYfOfuuBgv2POzxQpt/qkJaIlHT56qktxtknftT4GzGP1FdUwiDtIn1TaX5HSAN4 sTJB1XNIt/xE5qnxeJT0SxKonHrGDJS2FNF2PhgNdRAM


END CERTIFICATE-----

However, the following would generate SSL_ERROR_BAD_CERT_DOMAIN for the above URLs with the following certificate.


BEGIN CERTIFICATE-----

MIIGADCCA+igAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwgY8xCzAJBgNVBAYTAkNB MRAwDgYDVQQIDAdPbnRhcmlvMR4wHAYDVQQKDBVSaWJib24gQ29tbXVuaWNhdGlv bnMxKTAnBgNVBAsMIFJpYmJvbiBDMjAgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MSMw IQYDVQQDDBpSaWJib24gQzIwIEludGVybWVkaWF0ZSBDQTAeFw0xODA5MTUxOTUz MzBaFw0yODEyMjExOTUzMzBaMF4xCzAJBgNVBAYTAkNBMQswCQYDVQQIDAJPTjEP MA0GA1UEBwwGT3R0YXdhMQ8wDQYDVQQKDAZSaWJib24xETAPBgNVBAsMCFNlY3Vy aXR5MQ0wCwYDVQQDDARnc2VjMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC AQEAvNEktDRnDrove64x4FrF8rdrnnq58QNkSh2PitQODyeoDATNJSYO6XHZcpfj HTRun3XAIxNHaygBpegLvVdoi2yTuV5wQ3w9xmZxa/nayKu61cPxmfplvyu0ojVM 3vAqLoZBaGkhxx7hufpofs3KFkLte3VKy+ruoLVAlzsH8wiCitw6+H/2vBCqPNds MO0oYMvp0c4ZWV8WreQ4vFSrk/BzsQpazLggRqFfs9DcJ0/RkAI/ehFU0Hlyblk5 CnE81YhhVD+XOAERXBXgVU/KnP3WoH7NAz0+SsqxE1S/S5zWCOA+p9aiyIf1AL1m vDGJU/VqXOOnYiDjG+7UG9HCEwIDAQABo4IBlDCCAZAwCQYDVR0TBAIwADARBglg hkgBhvhCAQEEBAMCBkAwMwYJYIZIAYb4QgENBCYWJE9wZW5TU0wgR2VuZXJhdGVk IFNlcnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUo3h35aWdaH8y5sx0wR5s9kpH ug8wgbUGA1UdIwSBrTCBqoAUoSQCrzxRZA1R29vckDSnKXPr0nihgY2kgYowgYcx CzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlvMR4wHAYDVQQKDBVSaWJib24g Q29tbXVuaWNhdGlvbnMxKTAnBgNVBAsMIFJpYmJvbiBDMjAgQ2VydGlmaWNhdGUg QXV0aG9yaXR5MRswGQYDVQQDDBJSaWJib24gQzIwIFJvb3QgQ0GCAhAAMA4GA1Ud DwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATA/BgNVHREEODA2hwSsHPIZ gg0xNzIuMjguMjQyLjI1ghlnc2VjLnNhMnJtcy5jYS5ub3J0ZWwuY29tggRnc2Vj MA0GCSqGSIb3DQEBCwUAA4ICAQB/jVHhmr/HFgjw7xdhweNexYEK9gB0EHJWwrbq C/llD+ha5g/2EhI6UaM679MneM3scrwwOM7VtzcUto5Jc11sp00dsUe3S7TxDHyG 1zG9yOeHn1JEQz04XykZFqj8H2ZeGQ0GZX3CMCdCTVgc1CJvZzcPEyObFU1B8kuD 5WSpakvFGr8j7AVTpZwrSLn2z/RJFn+UiTRQ8pHvmv0T+E8B/mLuqnITFx1OHADE E3Zkbf+3PUbEOYw1R7LfcyOyt56AsAPNhQD3eej/KEES2+qq7w3sDkrCkKwRsf6M gtmX52ygtHq0SikJ53PyYUnGe/p/mR9Biu67rfRt1EpyhlW0btLe8CbarGxV0GIj vZZg+cgVvaLqCganBQwHbp0du6/4zKQ+ICiHA7dzC7sgwu1eKaiqk35ggdva4aBc pfy6d/zmkISvOhPtMknFtjA8if8wrLczBTVZuajfN+/xV1NdvAY1Ckq13tL7u0sc 3t1W3GQelRjMc8j+Vz8Vv6vglp1Ij3MiPgVSdTNdz1URJG0AbGAfcIY0vRfMokZa kkDFvw23gbYVj4Dlhi5tWT+gEvB78MJwFmIGQiFRZhIT0tIUTrSBe1wAbupU6AOF BJFwsiF9uFiCJs6jo1puJwF8RB9YOq0SufGH7Yk26XfJlG4DLhfMmTBnypf4iJAE RYNRFA==


END CERTIFICATE-----