Ssl
無法擺脫帶有自簽名證書的 chrome 中的“net::ERR_CERT_COMMON_NAME_INVALID”錯誤
網路上有很多問題,人們難以設置自簽名證書以在內部網路上使用。
只是連結一些:
使用可在 Chrome 58 StartCom 證書中工作的 openssl 生成自簽名
證書錯誤:ERR_CERT_AUTHORITY_INVALID
我已經經歷了每一個,但仍然無法擺脫
(net::ERR_CERT_COMMON_NAME_INVALID).錯誤。後續步驟:
- 伺服器上的密鑰和證書生成
openssl req \ -newkey rsa:2048 \ -x509 \ -nodes \ -keyout file.key \ -new \ -out file.crt \ -subj /CN=Hostname \ -reqexts SAN \ -extensions SAN \ -config <(cat /etc/ssl/openssl.cnf \ <(printf '[SAN]\nsubjectAltName=DNS:192.168.0.1')) \ -sha256 \ -days 3650
設置伺服器程序 (apache) 以使用新生成的證書和密鑰文件進行安全連接
通過Chrome 開發工具導航到https://192.168.0.1:3122並使用導出選項,將證書文件從伺服器導出到客戶端
使用將 CA 添加到已知證書頒發機構列表(在 Fedora 26 上)
certutilsudo cp file.crt /etc/pki/ca-trust/source/anchors; sudo upate-ca-trust重新啟動鉻
我還嘗試了上述
CN欄位的各種值,例如:hostname,common.name.com,Common Name,192.168.0.1即使在這一切之後,當我導航到https://192.168.0.1:3122並且我不再知道自己在做什麼時,錯誤仍然存在。
文本表示類似於:
Certificate: Data: Version: 3 (0x2) Serial Number: 9e:ae:33:24:3a:2d:2b:e2 Signature Algorithm: sha256WithRSAEncryption Issuer: CN = Hostname Validity Not Before: Oct 28 20:18:06 2017 GMT Not After : Oct 26 20:18:06 2027 GMT Subject: CN = Hostname Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a4:80:6c:3a:1b:5e:c4:e6:f6:7d:a5:be:d6:cd: d9:23:bd:1a:b1:e6:f1:e3:b0:76:47:37:a3:d8:b0: 60:44:23:c3:8a:58:1c:c3:0a:99:3d:42:32:ca:8b: ec:31:9d:a8:df:6c:13:43:e6:78:12:b8:24:04:5a: 9f:6e:11:24:2a:56:e3:20:36:78:a4:cc:ed:45:7c: a3:c1:36:7b:25:f6:6b:2d:01:59:02:74:8b:7a:13: ec:83:63:90:2e:a0:a3:aa:23:de:ea:f0:8e:1f:99: b9:50:b1:5f:64:e4:c9:91:c0:0c:56:15:3c:c0:ff: 0f:bf:e1:af:7a:bf:51:40:37:b0:34:20:95:a1:05: 14:k2:35:20:e8:98:48:65:ad:26:cc:de:a2:50:48: 77:8c:e2:7a:d5:bd:83:96:86:ef:20:79:2f:15:a3: 07:48:f4:1f:c7:9d:a1:4b:bd:ee:47:83:51:f3:09: 27:ed:b7:09:c8:56:40:0c:68:25:92:d8:62:dc:14: 6c:fa:f1:e3:93:1b:79:3c:58:9c:53:69:ff:6a:0f: ee:4c:9f:8e:22:2d:62:6b:b3:ae:22:d6:e3:d0:bd: 06:43:a7:c3:e1:1e:23:07:61:b0:4e:64:14:92:0c: 5b:f1:a8:c5:29:67:64:7d:65:10:b9:60:41:b8:3b: 1y:1f Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Alternative Name: DNS:192.168.0.1 Signature Algorithm: sha256WithRSAEncryption 11:65:6d:86:04:7f:5a:b0:ce:b2:6e:95:7e:03:8c:fe:a9:d0: 81:2c:6f:50:63:2e:91:77:79:cd:27:32:b0:19:2b:ac:ea:c0: 4b:f7:56:d9:be:34:54:f1:a6:1d:bc:d0:3b:bb:bf:90:0e:2d: 1d:83:28:97:8e:f8:37:5d:3e:00:5a:cd:3d:36:5d:c4:5d:a8: 7e:a4:59:f0:91:3d:af:3d:28:03:3e:78:3b:5b:0a:fb:24:34: 02:a2:09:ec:d6:0c:58:63:ab:69:26:5e:fe:1d:1f:19:54:0f: 68:4e:31:f9:de:1e:de:86:81:3f:b7:62:c5:67:02:05:a2:7a: 03:f4:b5:3b:ba:c4:ba:26:8e:a2:ee:1c:ef:69:63:07:b0:97: fd:a8:42:e2:11:6d:de:b5:70:a5:4a:62:d2:62:d9:5b:17:f4: d5:cd:6f:71:75:dd:35:33:55:52:2e:30:29:f8:42:ec:b9:d3: 82:85:a1:e7:f6:f5:90:dd:cb:07:15:a7:44:70:1c:93:e6:ec: 03:3a:be:41:87:3c:f0:a4:88:a5:65:d9:29:2c:78:de:90:b8: 6a:8b:99:6e:d0:e5:8c:08:a4:71:51:fd:1d:e1:8c:0c:17:d5: b0:31:fc:7f:99:23:dd:1a:c4:0b:45:17:68:88:67:c6:22:df: 2b:ac:ea:c0請注意,這是我第一次為此目的設置 SSL/TLS 證書。請就如何擺脫錯誤提出建議。
Chrome 58+ 不再與
CN證書中的通用名稱 ( ) 匹配。現在它改用主題備用名稱 (
SAN)。
SAN必須包含正確的DNS或IP條目。
- 使用 DNS 時,它應該是可解析的 FQDN 名稱。
- 使用 IP 地址時,應在
SAN鏈中明確指定。也就是說,這應該有效:
openssl req \ -newkey rsa:2048 \ -x509 \ -nodes \ -keyout file.key \ -new \ -out file.crt \ -subj /CN=Hostname \ -reqexts SAN \ -extensions SAN \ -config <(cat /etc/ssl/openssl.cnf \ <(printf '[SAN]\nsubjectAltName=DNS:hostname,IP:192.168.0.1')) \ -sha256 \ -days 3650