NET::ERR_CERT_COMMON_NAME_INVALID - Error Message
K

7

8

I built a website some time ago with Flask. Now all of a sudden when I try to navigate there I get the following:

NET::ERR_CERT_COMMON_NAME_INVALID

Your connection is not private
Attackers might be trying to steal your information from www.mysite.org (for example, passwords, messages, or credit cards). Learn more

Does anyone know what's going on?

Kep answered 14/5, 2019 at 21:13 Comment(2)
Has your SSL certificate expired? - Paulapauldron
For self signed certificate see also: #43665743 - Grandfatherly
L
8

The error means: The host name you use in the web browser does not match one of the names present in the subjectAlternativeName extension in the certificate.

If your server has multiple DNS entries you need to include all of them in the certificate to be able to use them with https. If you access the server using its IP address like https://10.1.2.3 then the IP address also has to be present in the certificate (of course this only makes sense if you have a static IP address that never changes).

Lazy answered 12/7, 2021 at 16:47 Comment(0)
S
5

The certificate subject alternative name can be a domain name or IP address. If the certificate doesn’t have the correct subjectAlternativeName extension, users get a NET::ERR_CERT_COMMON_NAME_INVALID error letting them know that the connection isn’t private. If the certificate is missing a subjectAlternativeName extension, users see a warning in the Security panel in Chrome DevTools that lets them know the subject alternative name is missing.

https://support.google.com/chrome/a/answer/7391219?hl=en

Sarpedon answered 8/8, 2019 at 6:58 Comment(0)
B
2

For Chrome 58 and later, only the subjectAlternativeName extension, not commonName, is used to match the domain name and site certificate. So, if you are missing the Subject Alternative Name in your certificate then you will experience the NET::ERR_CERT_COMMON_NAME_INVALID error.

In order to have a Subject Alternate Name (SAN) on an SSL certificate, you must first edit your OpenSSL configuration. On Ubuntu/Debian, that can be found at /etc/ssl/openssl.cnf. Find the section of that file with the heading [ v3_ca ]; you can add the line with your SAN there:

subjectAltName = DNS:www.example.com

Bend answered 17/2, 2020 at 10:19 Comment(1)
For IPs you need to write IP: first. Example: subjectAltName = IP:192.168.0.1. - Shoal
M
1

You can solve this by regenerating your certificate and adding the URL you are using to navigate to your site. With openssl, for example, that could look like this:

openssl req -x509 -newkey rsa:4096 -keyout self-signed.key -out self-signed.crt \
                  -sha256 -days 36500 -nodes \
                  -subj "/C=US/ST=NY/O=OrgName/OU=SiteName/CN=example.com" \
                  -addext "subjectAltName = DNS:example.com"

One line:

openssl req -x509 -newkey rsa:4096 -keyout self-signed.key -out self-signed.crt -sha256 -days 36500 -nodes -subj "/C=US/ST=NY/O=OrgName/OU=SiteName/CN=example.com" -addext "subjectAltName = DNS:example.com"
Mammy answered 16/5 at 19:53 Comment(0)
S
0

I was asked to investigate the same error, but the cert looked correct. Turned out copy paste had been used during its creation and SAN entries all had a blank space after the names! So "web1 " did not match "web1".

Spotted after opening in Firefox where Advanced said "Only valid for the following names: web1 , web2 , web3" and I thought that comma usage is strange, viewed cert again and highlighted name to reveal the trailing space.

Sapele answered 19/10, 2023 at 10:55 Comment(0)
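
The causes named in the answers above (no SAN at all, a host name that is not listed, an IP address entered as a DNS name, trailing whitespace in an entry) can be told apart mechanically. The following is an added example, not code from any of the posts: it takes the value line printed by `openssl x509 -noout -ext subjectAltName` as input, and the function names, reason codes and sample lines are assumptions constructed for the illustration.

```python
import ipaddress

def parse_san(san_line):
    """Split the value line printed by `openssl x509 -noout -ext subjectAltName`
    into (type, value) pairs. Whitespace inside a value is kept on purpose."""
    line = san_line.lstrip().rstrip("\r\n")
    pairs = (entry.partition(":") for entry in line.split(", "))
    return [(kind.strip(), value) for kind, _, value in pairs if value]

def dns_matches(pattern, host):
    """Case-insensitive label comparison; '*' only as the entire leftmost label."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) >= 3:
        return p[1:] == h[1:]
    return p == h

def as_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def diagnose(host, san_line):
    """Return 'ok' or a reason code for why `host` is not covered by the SAN."""
    entries = parse_san(san_line)
    if not entries:
        return "no-san"          # the CN is not consulted, even if it equals host
    ip = as_ip(host)
    for kind, value in entries:
        if ip is not None:       # IP hosts match only entries of type IP
            if kind == "IP Address" and as_ip(value) == ip:
                return "ok"
        elif kind == "DNS" and dns_matches(value, host):
            return "ok"
    for kind, value in entries:  # near misses worth reporting separately
        if kind == "DNS" and value != value.strip() and dns_matches(value.strip(), host):
            return "whitespace-in-san"
        if kind == "DNS" and ip is not None and as_ip(value.strip()) == ip:
            return "ip-stored-as-dns"
    return "name-not-listed"

if __name__ == "__main__":
    # Constructed SAN lines, not taken from any real certificate.
    for host, san in [("www.mysite.org", "DNS:mysite.org"),
                      ("web1", "DNS:web1 , DNS:web2 , DNS:web3 "),
                      ("192.168.0.1", "DNS:192.168.0.1"),
                      ("10.1.2.3", "DNS:server.local, IP Address:10.1.2.3")]:
        print(f"{host:16} {diagnose(host, san)}")
```
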
C
0

The solution to the problem is actually right there in the error. Remove the common name and place the host name in the alternative name csr, reissue the certificate and problem solved.

NET::ERR_CERT_COMMON_NAME_INVALID is basically saying "Don't use a Common Name"

The reference for this is RFC 2818: https://datatracker.ietf.org/doc/html/rfc2818

"If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead."

Chromyl answered 28/1 at 0:28 Comment(0)
T
0

Got the error simply by forgetting to add the certificate in the client machine certificate store, too. Chrome error message was that ERR_CERT_COMMON_NAME_INVALID.

(Previously the server and client were on the same machine so adding it for server had been enough. Error message in Mozilla was different which led to the origin of the error.)

Tocsin answered 31/7 at 8:28 Comment(0)
