Architecture:
VM- 10.0.0.50
local computer

I named the CN www.ben.com and put 10.0.0.50 as the IP of www.ben.com in /etc/hosts.

When I curl https://www.ben.com I get the HTML (if I curl the IP it returns a CA not valid which is correct)

If I try to access the site in Google Chrome, though, it shows a "site not safe" warning with the error code: NET::ERR_CERT_COMMON_NAME_INVALID

I put the same certificate file in the /etc/pki/ca-trust/source/anchors folder and in the Authorities section in Google Chrome (under settings, etc.).

Commands used to create the certificate-

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt

/etc/httpd/conf.d/ssl.conf file:

<VirtualHost www.ben.com:443>  
ServerAdmin webmaster@ssl-tutorials.com
DocumentRoot /var/www/html
ServerName www.ben.com:443
ErrorLog /var/log/httpd/error_log
SSLEngine on
SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
SSLUseStapling off
</VirtualHost>

This is the output of openssl x509 -in ./certs/apache-selfsigned.crt -text:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            60:d3:b5:d4:71:01:53:e7:bd:a9:3c:8e:93:6f:49:73:21:34:b6:d8
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = IL, ST = Tel-Aviv, L = TLV, O = Ben Ltd, OU = Ben Ltd, CN = www.ben.com
        Validity
            Not Before: May 26 08:49:48 2021 GMT
            Not After : May 26 08:49:48 2022 GMT
        Subject: C = IL, ST = Tel-Aviv, L = TLV, O = Ben Ltd, OU = Ben Ltd, CN = www.ben.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                70:CE:7D:E3:E5:5A:A6:A6:7D:3A:66:5E:35:DE:35:9A:78:0B:24:D8
            X509v3 Authority Key Identifier: 
                keyid:70:CE:7D:E3:E5:5A:A6:A6:7D:3A:66:5E:35:DE:35:9A:78:0B:24:D8

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption

Output of curl https://www.ben.com (both in the VM (10.0.0.50) and on localhost, the Fedora computer):

<h1>Test Page</h1>
<h1>IP is: 10.0.0.50</h1>

aka the HTML on the website.

Google chrome error output:

Your connection is not private
Attackers might be trying to steal your information from www.ben.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_COMMON_NAME_INVALID
To get Chrome’s highest level of security, turn on enhanced protection
This server could not prove that it is www.ben.com; its security certificate does not specify Subject Alternative Names. This may be caused by a misconfiguration or an attacker intercepting your connection.

Proceed to www.ben.com (unsafe)
ben shalev
  • While you don't provide the details of the certificate I assume that you are missing subject alternative names - as Chrome requires. In this case it would be a duplicate of several questions on this site and I've marked it as such. If this is not the reason please provide the full details of the certificates and asks for a reopen. – Steffen Ullrich May 25 '21 at 16:46
  • @SteffenUllrich Whenever I try to add subject alt names (www.ben.com) the key just fails. The guide I followed to create the certificate is [guide](https://www.digitalocean.com/community/tutorials/how-to-create-an-ssl-certificate-on-apache-for-centos-7) – ben shalev May 26 '21 at 07:23
  • I have no idea what you mean with *"the key just fails"*. But the guide you link to does not create certificates with SAN anyway. – Steffen Ullrich May 26 '21 at 09:37
  • When I create with SAN it says the key isn't authorized/incorrect. – ben shalev May 26 '21 at 09:42
  • I have no idea what you are doing and thus I have no idea what you are doing wrong. It might be useful to create a new question where you explain in enough detail for others to reproduce what you are doing, what you are expecting and what happens instead. – Steffen Ullrich May 26 '21 at 09:50
  • @SteffenUllrich updated the question with more information here: [other_forum](https://superuser.com/questions/1651672/created-self-signed-certificate-working-with-curl-but-not-with-chrome) Also updated it here. – ben shalev May 26 '21 at 09:56
  • OK, based on the added output I correctly guessed that the certificate did not contain SAN. Therefore closing it as duplicate was justified. – Steffen Ullrich May 26 '21 at 10:32
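
An added example, not part of the original post or its comments: the same `openssl req -x509` call as in the question, run once without and once with a `subjectAltName` extension, plus a check that ignores the CN and looks only at SAN entries, as Chrome's message describes. It assumes OpenSSL 1.1.1 or newer (for `-addext`); the function names and the temporary output directory are made up for this sketch.

```shell
#!/bin/sh
# Added example (not from the original post). Needs OpenSSL 1.1.1+ for -addext.

# make_cert <out-prefix> <hostname> [subjectAltName value]
# Same "openssl req -x509" call as in the question, plus -subj so it runs
# non-interactively; the SAN extension is added only when a 3rd argument is given.
make_cert() {
  if [ -n "${3:-}" ]; then
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
      -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" \
      -addext "subjectAltName=$3" 2>/dev/null
  else
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
      -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" 2>/dev/null
  fi
}

# san_of <cert>: print the SAN line from the -text dump, or nothing if absent.
san_of() {
  openssl x509 -in "$1" -noout -text |
    sed -n '/X509v3 Subject Alternative Name/{n;s/^ *//;p;}'
}

# san_covers <cert> <dns-name>: succeed only on an exact dNSName entry.
# Wildcard entries are not evaluated here. The CN is deliberately ignored,
# matching the behaviour Chrome's error message describes.
san_covers() {
  san_of "$1" | tr ',' '\n' | sed 's/^ *//;s/ *$//' | grep -qxF "DNS:$2"
}

# Demo in a throwaway directory (constructed paths, not /etc/ssl).
dir=$(mktemp -d)
make_cert "$dir/cn-only" www.ben.com
make_cert "$dir/with-san" www.ben.com "DNS:www.ben.com,IP:10.0.0.50"
for c in cn-only with-san; do
  if san_covers "$dir/$c.crt" www.ben.com; then
    echo "$c: SAN covers www.ben.com -> $(san_of "$dir/$c.crt")"
  else
    echo "$c: no SAN entry for www.ben.com (NET::ERR_CERT_COMMON_NAME_INVALID in Chrome)"
  fi
done
```

A certificate regenerated this way replaces the files named by `SSLCertificateFile` and `SSLCertificateKeyFile`, and has to be re-imported wherever the old one was trusted, since it is a new key pair.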
