On Aug 14th 11 PM ET/Aug 15th 03:00 UTC, due to scheduled Firefox Account server maintenance, users may not be able to sign in or create a new subscription. This is expected to last approximately 30 minutes. Status updates can be found at https://status.vpn.mozilla.org or https://status.relay.firefox.com.

搜尋 Mozilla 技術支援網站

防止技術支援詐騙。我們絕對不會要求您撥打電話或發送簡訊,或是提供個人資訊。請用「回報濫用」功能回報可疑的行為。

Learn More

Firefox 101.1 Says "SSL_ERROR_BAD_CERT_DOMAIN"

  • 5 回覆
  • 2 有這個問題
  • 841 次檢視
  • 最近回覆由 rpmurph83

more options

Getting error SSL_ERROR_BAD_CERT_DOMAIN on all my sites that are signed with a SSL Cert from my internal CA since updating past version 99

This appears to be a bug starting after Firefox version 99 on Windows because after i upgraded to Firefox version 100 i started getting this on all my SSL Certs from my CA and they worked fine prior to the update. Can anyone confirm if something changed after version 100 that is causing this?

Thank you.

Getting error SSL_ERROR_BAD_CERT_DOMAIN on all my sites that are signed with a SSL Cert from my internal CA since updating past version 99 This appears to be a bug starting after Firefox version 99 on Windows because after i upgraded to Firefox version 100 i started getting this on all my SSL Certs from my CA and they worked fine prior to the update. Can anyone confirm if something changed after version 100 that is causing this? Thank you.

被選擇的解決方法

It must be due to removed "subject common name" fallback support from certificate validation. This fallback mode was previously enabled only for manually installed certificates. The CA Browser Forum Baseline Requirements have required the presence of the "subjectAltName" extension since 2012, and use of the subject common name was deprecated in RFC 2818.

Firefox from 101.0 onward no longer use certificate CN (Common Name) for matching domain name to certificate and have migrated to only using SAN (Subject Alternate Name) so if you self sign for internal devices you’ll need to regenerate.

從原來的回覆中察看解決方案 👍 2

所有回覆 (5)

more options

選擇的解決方法

It must be due to removed "subject common name" fallback support from certificate validation. This fallback mode was previously enabled only for manually installed certificates. The CA Browser Forum Baseline Requirements have required the presence of the "subjectAltName" extension since 2012, and use of the subject common name was deprecated in RFC 2818.

Firefox from 101.0 onward no longer use certificate CN (Common Name) for matching domain name to certificate and have migrated to only using SAN (Subject Alternate Name) so if you self sign for internal devices you’ll need to regenerate.

有幫助嗎?

more options

So I added the SAN to the newly generated cert because as you mentioned since the SAN is now required. However, now it comes back with Error code: "SEC_ERROR_UNKNOWN_ISSUER." What's weird is both Edge and Chrome were complaining about the cert prior to adding the SAN. Once it was added, Edge and Chrome stopped complaining, but Firefox is still throwing errors.

有幫助嗎?

more options

I think the second issue was due to a corrupted Firefox profile. I completely removed Firefox, rebooted, reinstalled 101.1, and then synced my accounts and all appears to be good now since adding the SAN. Thanks again for the reminder about the SAN requirement.

有幫助嗎?

more options

Note that it might have been sufficient to rename/remove cert9.db in the Firefox profile folder to cleanup the certificate storage.

有幫助嗎?

more options

Thanks for the tip, that makes sense seeing the issue after generating the new cert with SAN. Definitely going in my OneNote!

有幫助嗎?

問個問題

如果您還沒有帳號,您必須先 登入您的帳號 來回覆文章。請 開始一個新問題