24

I followed this answer to make https://localhost:3000/ work in Chrome & Mac. Today, it suddenly does not work anymore.

https://localhost:3000 gives Not Secure:

Subject Alternative Name Missing
The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.

I re-trusted this certificate by following the previous steps, which didn't help. Then I saw this answer, about remaking ssl keys.

So I made v3.ext:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost

Then,

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -sha256 -extfile v3.ext

However, it returns

unknown option -extfile
req [options] <infile >outfile
where options  are
 -inform arg    input format - DER or PEM
 -outform arg   output format - DER or PEM
 ... ...

Does anyone know what's wrong with my openssl command?

Otherwise, does anyone know how to fix this Subject Alternative Name Missing or NET::ERR_CERT_COMMON_NAME_INVALID error?

enter image description here

Edit 1: I tried to follow this answer and here is my example-com.conf:

[ req ]
default_bits        = 2048
default_keyfile     = server-key.pem
distinguished_name  = subject
req_extensions      = req_ext
x509_extensions     = x509_ext
string_mask         = utf8only

# The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description).
#   Its sort of a mashup. For example, RFC 4514 does not provide emailAddress.
[ subject ]
countryName         = Country Name (2 letter code)
countryName_default     = US

stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = NY

localityName            = Locality Name (eg, city)
localityName_default        = New York

organizationName         = Organization Name (eg, company)
organizationName_default    = Example, LLC

# Use a friendly name here because its presented to the user. The server's DNS
#   names are placed in Subject Alternate Names. Plus, DNS names here is deprecated
#   by both IETF and CA/Browser Forums. If you place a DNS name here, then you
#   must include the DNS name in the SAN too (otherwise, Chrome and others that
#   strictly follow the CA/Browser Baseline Requirements will fail).
commonName          = Common Name (e.g. server FQDN or YOUR name)
commonName_default      = Example Company

emailAddress            = Email Address
emailAddress_default        = test@example.com

# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
[ x509_ext ]

subjectKeyIdentifier        = hash
authorityKeyIdentifier  = keyid,issuer

# You only need digitalSignature below. *If* you don't allow
#   RSA Key transport (i.e., you use ephemeral cipher suites), then
#   omit keyEncipherment because that's key transport.
basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

# RFC 5280, Section 4.2.1.12 makes EKU optional
#   CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
#   In either case, you probably only need serverAuth.
# extendedKeyUsage  = serverAuth, clientAuth

# Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
[ req_ext ]

subjectKeyIdentifier        = hash

basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

# RFC 5280, Section 4.2.1.12 makes EKU optional
#   CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
#   In either case, you probably only need serverAuth.
# extendedKeyUsage  = serverAuth, clientAuth

[ alternate_names ]

DNS.1       = localhost

# IPv4 localhost
IP.1       = 127.0.0.1

# IPv6 localhost
IP.2     = ::1

Then, I did

openssl req -config example-com.conf -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout example-com.key.pem -days 365 -out example-com.cert.pem

Reopen https://localhost:3000 in Chrome gives me

localhost uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Can anyone help?

Robert Houghton
  • 1,202
  • 16
  • 28
SoftTimur
  • 5,630
  • 38
  • 140
  • 292
  • I think http://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl/27931596#27931596 is what you're looking for; you'd use `-config` to pass in the file containing the configuration parameters. – EricLaw May 12 '17 at 17:26
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. Also see [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306) – jww May 12 '17 at 18:31
  • Please see my **Edit 1**, I have got a `ERR_SSL_VERSION_OR_CIPHER_MISMATCH` error... – SoftTimur May 13 '17 at 15:41

2 Answers2

26

I suggest the following solution: create self-signed CA certificate and the web server certificate signed by this CA. When you install this small chain to your web server it will work with Chrome.

Create configuration file for your CA MyCompanyCA.cnf with contents (you can change it to your needs):

[ req ]
distinguished_name  = req_distinguished_name
x509_extensions     = root_ca

[ req_distinguished_name ]
countryName             = Country Name (2 letter code)
countryName_min         = 2
countryName_max         = 2
stateOrProvinceName     = State or Province Name (full name)
localityName            = Locality Name (eg, city)
0.organizationName      = Organization Name (eg, company)
organizationalUnitName  = Organizational Unit Name (eg, section)
commonName              = Common Name (eg, fully qualified host name)
commonName_max          = 64
emailAddress            = Email Address
emailAddress_max        = 64

[ root_ca ]
basicConstraints            = critical, CA:true

Create the extensions configuration file MyCompanyLocalhost.ext for your web server certificate:

subjectAltName = @alt_names
extendedKeyUsage = serverAuth

[alt_names]
DNS.1   = localhost
DNS.2   = mypc.mycompany.com

Then execute the following commands:

openssl req -x509 -newkey rsa:2048 -out MyCompanyCA.cer -outform PEM -keyout MyCompanyCA.pvk -days 10000 -verbose -config MyCompanyCA.cnf -nodes -sha256 -subj "/CN=MyCompany CA"

openssl req -newkey rsa:2048 -keyout MyCompanyLocalhost.pvk -out MyCompanyLocalhost.req -subj /CN=localhost -sha256 -nodes
openssl x509 -req -CA MyCompanyCA.cer -CAkey MyCompanyCA.pvk -in MyCompanyLocalhost.req -out MyCompanyLocalhost.cer -days 10000 -extfile MyCompanyLocalhost.ext -sha256 -set_serial 0x1111

As result you will get MyCompanyCA.cer, MyCompanyLocalhost.cer and MyCompanyLocalhost.pvk files that you can install to the web server.

How to check that it works with Chrome before installing certificates to the web server. Execute the following command on your local PC to run web server simulator:

openssl s_server -accept 15000 -cert MyCompanyLocalhost.cer -key MyCompanyLocalhost.pvk -CAfile MyCompanyCA.cer -WWW

Then you can access this page at https://localhost:15000/ You will see an error that MyCompanyLocalhost.cer is not trusted, if you want to eliminate this error also - then install MyCompanyCA.cer to the certificate trusted list of your OS.

Oleg
  • 726
  • 5
  • 11
  • Wow, it works... thank you! For the record, after generating those files, I changed in my `www` to `var config = { key: fs.readFileSync('ssl/MyCompanyLocalhost.pvk'), cert: fs.readFileSync('ssl/MyCompanyLocalhost.cer') }`. Chrome first gave `ERR_CERT_AUTHORITY_INVALID` error, then I added that certificate to `login` by `Keychain Access`, it worked! – SoftTimur May 21 '17 at 05:20
  • Woahhh..I did as you suggested and it worked like a charm after I struggled for almost 5 hours!! – dsaket Sep 05 '17 at 11:47
  • Thanks for this! A couple hours wasted searching for an answer, but this did it! – bwoogie Oct 21 '17 at 16:04
  • Wish I could upvote this a million times, this is the only solution that worked for me – Mel Lota Nov 09 '17 at 14:33
  • I can confirm this works with the latest Chrome 65 on OSX. – petrosmm Apr 21 '18 at 22:57
  • on Windows use two slashes in these cases: (1) `-subj "/CN=MyCompany CA"`, (2) `-subj /CN=localhost`. So it'd be: (1) `-subj "//CN=MyCompany CA"`, and (2) `-subj //CN=localhost` – Dmitry Efimenko Sep 03 '18 at 03:59
  • I made this answer into something that is a little easier to copy-paste, and added an example of using it with a local web server https://gist.github.com/kylemcdonald/429a3ad34981d3ed6fc539f6166b578e – Kyle McDonald Mar 01 '19 at 19:57
  • 1
    This helped me when I encountered the issue "Subject Alternative Name Missing" regarding my previous certificate when using MAMP. For me, I just added the ff. on httpd-ssl.conf: myCompanyLocalhost.cer path to SSLCertificateFile, and myCompanyLocalhost.pvk after following the above instructions and then just restart MAMP. Worked like a charm! – JMags1632 Dec 06 '20 at 01:39
5

Thanks Oleg for nice solution. In my case, the URI is specified as an IP address rather than a hostname, finally, i get the solution from here.

I edit @Oleg's MyCompanyLocalhost.ext, from 

subjectAltName = @alt_names
extendedKeyUsage = serverAuth

[alt_names]
DNS.1   = localhost
DNS.2   = mypc.mycompany.com

to

subjectAltName = @alt_names
extendedKeyUsage = serverAuth

[alt_names]

DNS.1 = domain.com 
# IP address
IP.1 = 192.168.2.221
IP.2 = 127.0.0.1
wang yongxu
  • 51
  • 2
  • 4