Starred by 4 users
Status: Duplicate
Merged: issue 700595
Owner: ----
Closed: Mar 10
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug



ERR_CERT_COMMON_NAME_INVALID in canary but not in stable channel
Reported by crimpcli...@gmail.com, Mar 10
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3036.0 Safari/537.36

Steps to reproduce the problem:
1. Create a self signed certificate
2. Open website in canary channel
3. Look at the screen

What is the expected behavior?
Chrome trusts the self signed certificate 

What went wrong?
ERR_CERT_COMMON_NAME_INVALID (Your connection is not private warning)

Something has changed today since the warning does not show on a stable channel of Chrome and it was working fine yesterday. 

Happy to include any other information (I know this is probably vague) since I'm not very familiar with SSL certs in general or how to debug this. I do know that this setup worked in the past and only today stopped working in Chrome's canary build.

Did this work before? Yes yesterday :)

Chrome version: 59.0.3036.0  Channel: canary
OS Version: OS X 10.11.6
Flash Version:

 
Cc: elawre...@chromium.org
Components: Internals>Network>SSL
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Needs-Feedback Type-Bug
Typically, this would occur if the certificate name did not match the hostname of the site.

Please capture a network log of an attempt to load the target site: https://dev.chromium.org/for-testers/providing-network-details and attach it to the bug.

Thanks!
Components: -Internals>Network>SSL Internals>Network>Certificate
(I'm guessing this is the common name deprecation, but let's wait for the net-internals.)
Yeah, https://www.chromestatus.com/features/4981025180483584 covers this deprecation, which is rolling out in Chrome 58
net-internals attached, thanks all.
chrome-net-export-log.json
Project Member Comment 5 by sheriffbot@chromium.org, Mar 10
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "elawrence@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
FWIW, I also got bitten by this bug when trying to access my local dev site over HTTPS, I suspect other developers that copy and paste OpenSSL commands from various sites will hit this too.

It doesn't help that Chrome's error message is very confusing too.
confusing.png
Status: WontFix
The certificate attached lacks a commonName, so this is https://www.chromestatus.com/features/4981025180483584

As noted there and the Intent to Deprecate and Remove, the commonName field in a certificate is not strongly typed, has been deprecated for 17 years, and creates security risks. Support has been disabled by default in Chrome 58.

For internal enterprises needing support, "EnableCommonNameFallbackForLocalAnchors" exists as an enterprise policy that can be set. Otherwise, certificates should comply with the HTTPS RFC.
Thanks for the quick and detailed response! I'm developing on my local MacBook, so I guess I'll need to do some googling for how to set a commonName in a self signed cert. Thanks :)
More precisely, you need to add a subjectAltName to your certificate.
To save time for anyone stumbling upon this thread, I used this OpenSSL config and changed the alternate_names section: https://stackoverflow.com/a/27931596

And then generated the new certificates with:

openssl req -config /path/to/your.conf -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout key.pem -days 365 -out cert.pem

Works great and Chrome is no longer complaining :)
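
The fix discussed in the comments above (list the hostname in subjectAltName, then generate with openssl req -config), as an added example that is not part of the original thread. The config contents, the function names and the host dev.example.test are assumptions for illustration; only the alternate_names section name and the openssl req flags come from the comment above.

```bash
#!/bin/sh
# Added example, not from the thread. dev.example.test is a placeholder host.

# make_cert DIR HOST yes|no: write a self-signed DIR/cert.pem and DIR/key.pem.
# "yes" lists HOST in subjectAltName; "no" gives the CN-only certificate that
# Chrome 58 and later reject with ERR_CERT_COMMON_NAME_INVALID.
make_cert() {
    cat > "$1/req.conf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no

[ dn ]
CN = $2

[ v3_req ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
    if [ "$3" = yes ]; then
        cat >> "$1/req.conf" <<EOF
subjectAltName   = @alternate_names

[ alternate_names ]
DNS.1 = $2
DNS.2 = localhost
IP.1  = 127.0.0.1
EOF
    fi
    openssl req -config "$1/req.conf" -new -x509 -sha256 -newkey rsa:2048 \
        -nodes -keyout "$1/key.pem" -days 365 -out "$1/cert.pem" 2>/dev/null
}

# cert_has_san CERT NAME: succeed only if NAME is a DNS entry in subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Subject Alternative Name' \
        | tail -n 1 | tr -d ' ' | tr ',' '\n' \
        | grep -Fxq "DNS:$2"
}

# Demo: the SAN-bearing certificate passes the check, the CN-only one does not.
demo=$(mktemp -d) && mkdir "$demo/a" "$demo/b"
make_cert "$demo/a" dev.example.test yes && cert_has_san "$demo/a/cert.pem" dev.example.test && echo "SAN cert: ok"
make_cert "$demo/b" dev.example.test no && cert_has_san "$demo/b/cert.pem" dev.example.test || echo "CN-only cert: no SAN"
```

Running cert_has_san against an existing development certificate shows whether it needs to be regenerated before Chrome 58 will accept it.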
Mergedinto: 700595
Status: Duplicate
Comment 12 Deleted
Could someone inform of how to enable "EnableCommonNameFallbackForLocalAnchors" on a Chromebook that is not a part of an enterprise?
So, if one has added the SubjectAltName and installed the new certificate on the local dev servers, does that have any impact on existing self signed certs on the server? Seems post installation of new SSL cert, X509 certs are failing.
Re #15: It's not clear what question you're asking. Generally speaking, Web Servers with multiple certificates treat them independently and unless misconfigured, changing the certificate for one hostname on the server will not impact connections to any other host on that server.