Created self signed Certificate working with curl but not with chrome

Architecture:
VM- 10.0.0.50
local computer

I named the CN and put 10.0.0.50 as the IP of in /etc/hosts.

When I curl I get the HTML (if I curl the IP it returns a CA not valid which is correct)

If I try to access the site on google chrome tho it puts a site not safe warning with the error code:NET::ERR_CERT_COMMON_NAME_INVALID

I put the same certificate file in the /etc/pki/ca-trust/source/anchors folder and in the authorities segment in google chrome (under settings etc..)

Commands used to create the certificate-

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt

/etc/httpd/conf.d/ssl.conf file:

<VirtualHost
ServerAdmin
DocumentRoot /var/www/html
ServerName
ErrorLog /var/log/httpd/error_log
SSLEngine on
SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
SSLUseStapling off
</VirtualHost>

This is the output of openssl x509 -in ./certs/apache-selfsigned.crt -text:

Certificate: Data: Version: 3 (0x2) Serial Number: 60:d3:b5:d4:71:01:53:e7:bd:a9:3c:8e:93:6f:49:73:21:34:b6:d8 Signature Algorithm: sha256WithRSAEncryption Issuer: C = IL, ST = Tel-Aviv, L = TLV, O = Ben Ltd, OU = Ben Ltd, CN = Validity Not Before: May 26 08:49:48 2021 GMT Not After : May 26 08:49:48 2022 GMT Subject: C = IL, ST = Tel-Aviv, L = TLV, O = Ben Ltd, OU = Ben Ltd, CN = Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:9e:b3:dd:4f:4b:e6:5c:ae:80:17:b6:58:86:4a: 9a:61:c9:76:c4:cf:d5:75:10:af:15:0a:e2:24:1a: 73:c6:5d:9d:77:33:79:60:0b:8d:cf:78:a1:f7:14: a4:c2:dc:0a:e7:dc:d9:e6:e2:f1:92:33:1c:24:d9: a5:b9:7d:08:f3:f9:78:06:0d:b8:cd:f3:40:8d:de: 95:6f:dd:f8:b3:89:89:8b:34:ec:d8:13:e0:d4:78: 1e:a5:a4:c1:2b:c6:ca:78:d4:d9:1a:87:da:a5:f5: 1d:07:40:b0:6c:1d:69:12:61:8a:59:16:03:c6:d3: 18:b9:8f:12:25:cc:e0:9b:d8:a1:1e:a1:34:e8:af: 58:a8:19:f8:29:f4:9e:a0:29:52:13:8d:3f:5e:4e: 17:f1:10:1c:1c:df:45:05:41:99:4a:fa:98:bf:d3: 2f:f9:cb:25:a2:69:1f:a3:ab:09:b9:f2:02:0d:dc: f4:0a:1b:36:a0:be:cd:f0:2e:27:16:b1:88:a3:b2: 6f:49:d7:1e:b3:ac:04:3b:47:b3:a1:2b:83:e4:d1: 6f:e1:00:4d:4a:12:43:44:8d:0c:4c:4d:e6:00:0b: a2:86:9e:ba:d8:43:25:0e:28:71:9b:e8:3b:d7:4e: 96:71:94:7a:b1:ee:cc:de:ba:ef:ce:74:e9:e7:c3: 30:df Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 70:CE:7D:E3:E5:5A:A6:A6:7D:3A:66:5E:35:DE:35:9A:78:0B:24:D8 X509v3 Authority Key Identifier: keyid:70:CE:7D:E3:E5:5A:A6:A6:7D:3A:66:5E:35:DE:35:9A:78:0B:24:D8 X509v3 Basic Constraints: critical CA:TRUE Signature Algorithm: sha256WithRSAEncryption 62:bd:c0:f1:9f:67:60:24:dd:7a:46:71:ae:39:a4:c1:85:f1: d9:3b:99:6b:e7:e0:1f:52:af:f0:e4:98:5c:e5:0e:e8:8a:09: b9:3f:44:0c:69:64:93:69:13:ea:01:e3:6c:7d:c2:2a:d8:5b: c9:bc:6b:33:be:d5:0c:77:9e:9a:9b:4f:35:5b:87:01:95:72: c9:45:1f:25:66:8f:24:df:bc:a1:16:08:a3:f3:c2:d7:80:f6: 0b:b5:31:2d:d7:48:28:5d:0f:93:f1:b1:9b:2a:ed:44:4f:69: f5:90:cf:05:af:a7:63:d3:78:85:86:5e:15:2b:7d:07:6b:24: 63:c9:f8:3d:7d:da:93:6e:71:d5:ef:59:ab:1c:c9:d9:38:71: 32:e8:9e:ca:14:6d:ee:2a:65:72:5e:5f:e9:e6:0e:d3:8c:6d: 5d:65:38:b2:b2:84:0d:f9:6a:98:d6:2f:c8:1e:a1:b7:c1:ba: d3:b4:d9:2b:57:e7:0c:47:2f:84:15:5c:42:2c:62:98:9e:1c: ab:9c:70:36:be:1a:3e:69:1c:18:15:c3:a7:27:b7:a4:bd:91: b2:5e:96:b5:32:e3:0a:f4:c3:90:12:59:95:aa:9e:be:cd:5f: bc:6a:2c:e0:3f:5a:d6:a8:83:6e:65:21:0b:aa:fc:f0:1d:6f: 09:f9:73:78
-----BEGIN CERTIFICATE-----
MIIDsTCCApmgAwIBAgIUYNO11HEBU+e9qTyOk29JcyE0ttgwDQYJKoZIhvcNAQEL
BQAwaDELMAkGA1UEBhMCSUwxETAPBgNVBAgMCFRlbC1Bdml2MQwwCgYDVQQHDANU
TFYxEDAOBgNVBAoMB0JlbiBMdGQxEDAOBgNVBAsMB0JlbiBMdGQxFDASBgNVBAMM
C3d3dy5iZW4uY29tMB4XDTIxMDUyNjA4NDk0OFoXDTIyMDUyNjA4NDk0OFowaDEL
MAkGA1UEBhMCSUwxETAPBgNVBAgMCFRlbC1Bdml2MQwwCgYDVQQHDANUTFYxEDAO
BgNVBAoMB0JlbiBMdGQxEDAOBgNVBAsMB0JlbiBMdGQxFDASBgNVBAMMC3d3dy5i
ZW4uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnrPdT0vmXK6A
F7ZYhkqaYcl2xM/VdRCvFQriJBpzxl2ddzN5YAuNz3ih9xSkwtwK59zZ5uLxkjMc
JNmluX0I8/l4Bg24zfNAjd6Vb934s4mJizTs2BPg1HgepaTBK8bKeNTZGofapfUd
B0CwbB1pEmGKWRYDxtMYuY8SJczgm9ihHqE06K9YqBn4KfSeoClSE40/Xk4X8RAc
HN9FBUGZSvqYv9Mv+cslomkfo6sJufICDdz0Chs2oL7N8C4nFrGIo7JvSdces6wE
O0ezoSuD5NFv4QBNShJDRI0MTE3mAAuihp662EMlDihxm+g7106WcZR6se7M3rrv
znTp58Mw3wIDAQABo1MwUTAdBgNVHQ4EFgQUcM594+VapqZ9OmZeNd41mngLJNgw
HwYDVR0jBBgwFoAUcM594+VapqZ9OmZeNd41mngLJNgwDwYDVR0TAQH/BAUwAwEB
/zANBgkqhkiG9w0BAQsFAAOCAQEAYr3A8Z9nYCTdekZxrjmkwYXx2TuZa+fgH1Kv
8OSYXOUO6IoJuT9EDGlkk2kT6gHjbH3CKthbybxrM77VDHeemptPNVuHAZVyyUUf
JWaPJN+8oRYIo/PC14D2C7UxLddIKF0Pk/GxmyrtRE9p9ZDPBa+nY9N4hYZeFSt9
B2skY8n4PX3ak25x1e9ZqxzJ2ThxMuieyhRt7iplcl5f6eYO04xtXWU4srKEDflq
mNYvyB6ht8G607TZK1fnDEcvhBVcQiximJ4cq5xwNr4aPmkcGBXDpye3pL2Rsl6W
tTLjCvTDkBJZlaqevs1fvGos4D9a1qiDbmUhC6r88B1vCflzeA==
-----END CERTIFICATE-----

output of (both in VM(10.0.0.50) and localhost the fedora computer)curl :

<h1>Test Page</h1>
<h1>IP is: 10.0.0.50</h1>

aka the HTML on the website.

Google chrome error output:

Your connection is not private
Attackers might be trying to steal your information from (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_COMMON_NAME_INVALID
To get Chrome’s highest level of security, turn on enhanced protection
This server could not prove that it is its security certificate does not specify Subject Alternative Names. This may be caused by a misconfiguration or an attacker intercepting your connection.
Proceed to (unsafe)

When i do the command:

openssl req -new -subj "/C=IL/CN=" \ -addext "subjectAltName = DNS:" \ -addext "certificatePolicies = 1.2.3.4" \ -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt

I get:

Error Loading command line extensions
140221663946560:error:0D064083:asn1 encoding routines:a2d_ASN1_OBJECT:invalid separator:crypto/asn1/a_object.c:87:
140221663946560:error:2208206E:X509 V3 routines:r2i_certpol:invalid object identifier:crypto/x509v3/v3_cpols.c:141:section:<NULL>,name:10.0.0.50,value:<NULL>
140221663946560:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:crypto/x509v3/v3_conf.c:47:name=certificatePolicies, value=10.0.0.50

After using the command and doing systemctl restart httpd i get the next error in the /var/log/httpd/error_log file:

[Wed May 26 15:14:21.750982 2021] [ssl:emerg] [pid 37460:tid 140170087201088] AH02562: Failed to configure certificate (with chain), check /etc/ssl/certs/apache-selfsigned.crt
[Wed May 26 15:14:21.750994 2021] [ssl:emerg] [pid 37460:tid 140170087201088] SSL Library Error: error:0909006C:PEM routines:get_name:no start line (Expecting: TRUSTED CERTIFICATE) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
4

1 Answer

Your certificate is invalid for Chrome as it only contains a common name but not an Subject Alternative Name (subjectAltName).

Since Chrome 58 Google blocks certificates that don't contain an Subject Alternative Name:

Therefore you have to add an Subject Alternative Name extension to your certificate specifying the domain name.

3

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like