A few days ago (after an update) FF simply refused to accept my self-signed certificate anymore

  • 2 replies
  • 1 has this problem
  • 197 views
  • Last reply by KpuCko

Hello, a few days ago I noticed that Firefox started complaining about self-signed certificate issues, although I added my CA certificate to authorities months ago. It worked without any problem, but now I'm unable to open any of my internal sites anymore.

I tried to open a random site in Chrome, but the same issue. So you will immediately say the problem is in the certificate, but wait. I have a few VMs running on VirtualBox, so I decided to test in there. Guess what, no issues at all. I tried in Fedora 25 (the Firefox version is below 100), then tried Windows 100. Both worked. Then I decided to update FF to the latest version, guess what - it broke again =]]

So something has changed, but I really don't have a clue what causes the issue. I attach a screenshot of the detailed CA view from Firefox.

All replies (2)

Chosen solution

It must be due to the removal of "subject common name" fallback support from certificate validation. This fallback mode was previously enabled only for manually installed certificates. The CA Browser Forum Baseline Requirements have required the presence of the "subjectAltName" extension since 2012, and use of the subject common name was deprecated in RFC 2818.

Firefox from 101.0 onward no longer uses the certificate CN (Common Name) for matching a domain name to a certificate and has migrated to only using SAN (Subject Alternate Name), so if you self-sign for internal devices you’ll need to regenerate.

Edited by TyDraniu
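
The matching change described in the answer above, as an added example that is not part of the original thread and is not Firefox's code: it compares SAN-only matching with the older CN fallback so you can list internal certificates that need regenerating. It goes slightly beyond the answer by also handling wildcard dNSName entries in the SAN. The certificates are constructed samples in the dict format of Python's `ssl.SSLSocket.getpeercert()`; the hostnames and function names are assumptions.

```python
# Added example: hostname matching with and without the legacy CN fallback.
# Certificates are dicts shaped like the output of ssl.SSLSocket.getpeercert().

def _name_match(pattern, hostname):
    """Match one certificate name against a hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False                      # a wildcard covers exactly one label
    if p[0] == "*":
        # Conservative choice for this example: the wildcard must be the whole
        # left-most label and be followed by at least two more labels.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def san_dns_names(cert):
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def matches_san_only(cert, hostname):
    """Behaviour the answer describes for Firefox 101+: only SAN entries count."""
    return any(_name_match(n, hostname) for n in san_dns_names(cert))

def matches_with_cn_fallback(cert, hostname):
    """Older behaviour (RFC 2818): CN is used only when no SAN dNSName exists."""
    names = san_dns_names(cert) or common_names(cert)
    return any(_name_match(n, hostname) for n in names)

def needs_regenerating(certs, hostname):
    """Names of certificates that matched only because of the CN fallback."""
    return [name for name, c in certs.items()
            if matches_with_cn_fallback(c, hostname)
            and not matches_san_only(c, hostname)]

# Constructed sample certificates (hypothetical internal hostnames).
CN_ONLY = {"subject": ((("commonName", "nas.home.lan"),),)}
WITH_SAN = {"subject": ((("commonName", "nas.home.lan"),),),
            "subjectAltName": (("DNS", "nas.home.lan"),
                               ("DNS", "*.apps.home.lan"))}

if __name__ == "__main__":
    certs = {"cn_only": CN_ONLY, "with_san": WITH_SAN}
    print(needs_regenerating(certs, "nas.home.lan"))
```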

Hm, I think I saw something like "Subject Alternate Name" when I opened an internal site in Chrome.

So, let's see if I get it right - I need to recreate the CA certificate, but instead of using CN, I have to use SAN, right? The rest is the same?

What does this mean, will I be able to use wildcard certificates again for my internal sites, or do I have to issue a personal certificate for every site with a specified SAN?

Sorry for my newbie questions, but I'm not a certificate guru ;-=)

Edited by KpuCko