Starred by 4 users

Issue metadata

Status: Duplicate
Merged: issue 700595
Owner: ----
Closed: Mar 2017
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug


Issue 700235: ERR_CERT_COMMON_NAME_INVALID in canary but not in stable channel

Reported by, Mar 10 2017

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3036.0 Safari/537.36

Steps to reproduce the problem:
1. Create a self-signed certificate
2. Open website in canary channel
3. Look at the screen

What is the expected behavior?
Chrome trusts the self signed certificate 

What went wrong?
ERR_CERT_COMMON_NAME_INVALID (Your connection is not private warning)

Something has changed today since the warning does not show on a stable channel of Chrome and it was working fine yesterday. 

Happy to include any other information (I know this is probably vague) since I'm not very familiar with SSL certs in general or how to debug this. I do know that this setup worked in the past and only today stopped working in Chrome's canary build.

Did this work before? Yes yesterday :)

Chrome version: 59.0.3036.0  Channel: canary
OS Version: OS X 10.11.6
Flash Version:

Comment 1 by, Mar 10 2017

Components: Internals>Network>SSL
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Needs-Feedback Type-Bug
Typically, this would occur if the certificate name did not match the hostname of the site.

Please capture a network log of an attempt to load the target site: and attach it to the bug.


Comment 2 by, Mar 10 2017

Components: -Internals>Network>SSL Internals>Network>Certificate
(I'm guessing this is the common name deprecation, but let's wait for the net-internals.)

Comment 3 by, Mar 10 2017

Yeah, covers this deprecation, which is rolling out in Chrome 58

Comment 4 by, Mar 10 2017

net-internals attached, thanks all.

Comment 5 by, Mar 10 2017

Project Member
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "" to the cc list and removing "Needs-Feedback" label.

For more details visit - Your friendly Sheriffbot

Comment 6 by, Mar 10 2017

FWIW, I also got bitten by this bug when trying to access my local dev site over HTTPS. I suspect other developers that copy and paste OpenSSL commands from various sites will hit this too.

It doesn't help that Chrome's error message is very confusing too.

Comment 7 by, Mar 10 2017

Status: WontFix (was: Unconfirmed)
The certificate attached lacks a commonName, so this is

As noted there and the Intent to Deprecate and Remove, the commonName field in a certificate is not strongly typed, has been deprecated for 17 years, and creates security risks. Support has been disabled by default in Chrome 58.

For internal enterprises needing support, "EnableCommonNameFallbackForLocalAnchors" exists as an enterprise policy that can be set. Otherwise, certificates should comply with the HTTPS RFC.

Comment 8 by, Mar 10 2017

Thanks for the quick and detailed response! I'm developing on my local MacBook, so I guess I'll need to do some googling for how to set a commonName in a self-signed cert. Thanks :)

Comment 9 by, Mar 10 2017

More precisely, you need to add a subjectAltName to your certificate.

Comment 10 by, Mar 10 2017

To save time for anyone stumbling upon this thread, I used this OpenSSL config and changed the alternate_names section:

And then generated the new certificates with:

openssl req -config /path/to/your.conf -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout key.pem -days 365 -out cert.pem

Works great and Chrome is no longer complaining :)
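
The fix from comments 9 and 10, as an added example that is not part of the original thread or any commenter's own config: it generates one certificate with a subjectAltName and one without, using the same `openssl req` command, then checks which of them names the host in a SAN. The config contents, the hostname dev.example.test, the file names and the function names are assumptions, since the config referenced in comment 10 is not reproduced on this page.

```shell
#!/bin/sh
# Added example, not from the thread; host and file names are constructed.
# make_cert DIR HOST MODE: self-signed cert. MODE "san" adds a subjectAltName
# extension; MODE "cn-only" carries the hostname in commonName only.
make_cert() {
    dir=$1 host=$2 mode=$3 ext_line=''
    if [ "$mode" = san ]; then ext_line='x509_extensions = v3_ext'; fi
    cat > "$dir/$mode.conf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
$ext_line
[ dn ]
CN = $host
[ v3_ext ]
subjectAltName = @alternate_names
[ alternate_names ]
DNS.1 = $host
DNS.2 = localhost
IP.1 = 127.0.0.1
EOF
    openssl req -config "$dir/$mode.conf" -new -x509 -sha256 -newkey rsa:2048 \
        -nodes -keyout "$dir/$mode-key.pem" -days 365 \
        -out "$dir/$mode-cert.pem" 2>/dev/null
}

# cert_san_names CERT: print the subjectAltName entries, one per line.
cert_san_names() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//'
}

# cert_covers_host CERT HOST: exact SAN dNSName match only (no wildcards).
# "openssl x509 -checkhost" is avoided: it falls back to commonName.
cert_covers_host() {
    cert_san_names "$1" | grep -qxF "DNS:$2"
}

work=$(mktemp -d)
for m in san cn-only; do
    make_cert "$work" dev.example.test "$m"
    if cert_covers_host "$work/$m-cert.pem" dev.example.test; then
        echo "$m: hostname present in subjectAltName"
    else
        echo "$m: no subjectAltName match (ERR_CERT_COMMON_NAME_INVALID in Chrome 58+)"
    fi
done
rm -rf "$work"
```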

Comment 11 by, Mar 11 2017

Mergedinto: 700595
Status: Duplicate (was: WontFix)

Comment 12 Deleted

Comment 13 by, Mar 28 2017

Comment 14 by, Apr 1 2017

Could someone inform of how to enable "EnableCommonNameFallbackForLocalAnchors" on a Chromebook that is not a part of an enterprise?

Comment 15 by, Jul 30 2017

So, if one has added the SubjectAltName and installed the new certificate on the local dev servers, does that have any impact on existing self-signed certs on the server? Seems post installation of new SSL cert, X509 certs are failing.

Comment 16 by, Jul 30 2017

Re #15: It's not clear what question you're asking. Generally speaking, Web Servers with multiple certificates treat them independently and unless misconfigured, changing the certificate for one hostname on the server will not impact connections to any other host on that server.

Comment 17 by, Dec 25

does that have any impact on existing self-signed certs on the server? Seems post installation of new SSL cert
