主题替代名称缺失和ERR_SSL_VERSION_OR_CIPHER_MISMATCH [英] Subject Alternative Name Missing & ERR_SSL_VERSION_OR_CIPHER_MISMATCH
问题描述
我按照
编辑 1: 我尝试关注 这个答案,这是我的 example-com.conf
:
[req]默认位 = 2048default_keyfile = server-key.pem杰出名称 = 主题req_extensions = req_extx509_extensions = x509_extstring_mask = utf8only# 主题 DN 可以使用 X501 或 RFC 4514 形成(有关说明,请参见 RFC 4519).# 它是一种混搭.例如,RFC 4514 不提供 emailAddress.[ 主题 ]countryName = 国家名称(2 个字母代码)countryName_default = 美国stateOrProvinceName = 州或省名称(全名)stateOrProvinceName_default = 纽约localityName = 地区名称(例如,城市)localityName_default = 纽约organizationName = 组织名称(例如,公司)organizationName_default = 例如,LLC# 在这里使用友好的名称,因为它呈现给用户.服务器的 DNS# 名称放置在主题备用名称中.另外,这里的 DNS 名称已被弃用# 来自 IETF 和 CA/浏览器论坛.如果您在此处放置 DNS 名称,那么您# 也必须在 SAN 中包含 DNS 名称(否则,Chrome 和其他# 严格遵守 CA/浏览器基线要求将失败).commonName = 通用名称(例如服务器 FQDN 或您的姓名)commonName_default = 示例公司emailAddress = 电子邮件地址emailAddress_default = test@example.com# Section x509_ext 用于生成自签名证书.即,openssl req -x509 ...[ x509_ext ]subjectKeyIdentifier = 哈希authorityKeyIdentifier = keyid,颁发者# 你只需要下面的数字签名.*如果*你不允许# RSA 密钥传输(即,您使用临时密码套件),然后# 省略 keyEncipherment 因为那是密钥传输.基本约束 = CA:FALSEkeyUsage = 数字签名,keyEncipherment主题AltName = @alternate_namesnsComment = "OpenSSL 生成的证书"# RFC 5280,第 4.2.1.12 节使 EKU 可选# CA/浏览器基线要求,附录 (B)(3)(G) 让我很困惑# 无论哪种情况,您可能只需要 serverAuth.#extendedKeyUsage = serverAuth, clientAuth# 生成证书签名请求时使用部分 req_ext.即,openssl req ...[ req_ext ]subjectKeyIdentifier = 哈希基本约束 = CA:FALSEkeyUsage = 数字签名,keyEncipherment主题AltName = @alternate_namesnsComment = "OpenSSL 生成的证书"# RFC 5280,第 4.2.1.12 节使 EKU 可选# CA/浏览器基线要求,附录 (B)(3)(G) 让我很困惑# 无论哪种情况,您可能只需要 serverAuth.#extendedKeyUsage = serverAuth, clientAuth[备用名称]DNS.1 = 本地主机# IPv4 本地主机IP.1 = 127.0.0.1# IPv6 本地主机IP.2 = ::1
然后,我做到了
openssl req -config example-com.conf -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout example-com.key.pem -days 365 -out example-com.cert.pem
在 Chrome 中重新打开 https://localhost:3000
给我
localhost 使用不受支持的协议.ERR_SSL_VERSION_OR_CIPHER_MISMATCH
谁能帮忙?
我建议以下解决方案:创建自签名CA证书和由该CA签名的Web服务器证书.当您将这个小链安装到您的网络服务器时,它将与 Chrome 一起使用.
使用内容为您的 CA MyCompanyCA.cnf 创建配置文件(您可以根据需要进行更改):
[req]区分名 = req_distinguished_namex509_extensions = root_ca[ req_distinguished_name ]countryName = 国家名称(2 个字母代码)countryName_min = 2countryName_max = 2stateOrProvinceName = 州或省名称(全名)localityName = 地区名称(例如,城市)0.organizationName = 组织名称(例如,公司)组织单位名称 = 组织单位名称(例如,部分)commonName = Common Name(例如,完全限定的主机名)commonName_max = 64emailAddress = 电子邮件地址emailAddress_max = 64[根_ca]basicConstraints = 关键,CA:true
为您的 Web 服务器证书创建扩展配置文件 MyCompanyLocalhost.ext:
subjectAltName = @alt_namesextendedKeyUsage = serverAuth[替代名称]DNS.1 = 本地主机DNS.2 = mypc.mycompany.com
然后执行以下命令:
openssl req -x509 -newkey rsa:2048 -out MyCompanyCA.cer -outform PEM -keyout MyCompanyCA.pvk -days 10000 -verbose -config MyCompanyCA.cnf -nodes -sha256 -subj "/CN=MyCompany CA"openssl req -newkey rsa:2048 -keyout MyCompanyLocalhost.pvk -out MyCompanyLocalhost.req -subj/CN=localhost -sha256 -nodesopenssl x509 -req -CA MyCompanyCA.cer -CAkey MyCompanyCA.pvk -in MyCompanyLocalhost.req -out MyCompanyLocalhost.cer -days 10000 -extfile MyCompanyLocalhost.ext -sha256 -set_serial 0x1111
因此,您将获得可安装到 Web 服务器的 MyCompanyCA.cer、MyCompanyLocalhost.cer 和 MyCompanyLocalhost.pvk 文件.
在将证书安装到网络服务器之前,如何检查它是否适用于 Chrome.在本地 PC 上执行以下命令运行 Web 服务器模拟器:
openssl s_server -accept 15000 -cert MyCompanyLocalhost.cer -key MyCompanyLocalhost.pvk -CAfile MyCompanyCA.cer -WWW
然后您可以通过 https://localhost:15000/ 访问此页面如果您还想消除此错误,您将看到 MyCompanyLocalhost.cer 不受信任的错误 - 然后将 MyCompanyCA.cer 安装到操作系统的证书受信任列表中.
I followed this answer to make https://localhost:3000/
work in Chrome & Mac. Today, it suddenly does not work anymore.
https://localhost:3000
gives Not Secure
:
Subject Alternative Name Missing
The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.
I re-trusted this certificate by following the previous steps, which didn't help. Then I saw this answer, about remaking ssl keys.
So I made v3.ext
:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
Then,
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -sha256 -extfile v3.ext
However, it returns
unknown option -extfile
req [options] <infile >outfile
where options are
-inform arg input format - DER or PEM
-outform arg output format - DER or PEM
... ...
Does anyone know what's wrong with my openssl
command?
Otherwise, does anyone know how to fix this Subject Alternative Name Missing
or NET::ERR_CERT_COMMON_NAME_INVALID
error?
Edit 1: I tried to follow this answer and here is my example-com.conf
:
[ req ]
default_bits = 2048
default_keyfile = server-key.pem
distinguished_name = subject
req_extensions = req_ext
x509_extensions = x509_ext
string_mask = utf8only
# The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description).
# Its sort of a mashup. For example, RFC 4514 does not provide emailAddress.
[ subject ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = NY
localityName = Locality Name (eg, city)
localityName_default = New York
organizationName = Organization Name (eg, company)
organizationName_default = Example, LLC
# Use a friendly name here because its presented to the user. The server's DNS
# names are placed in Subject Alternate Names. Plus, DNS names here is deprecated
# by both IETF and CA/Browser Forums. If you place a DNS name here, then you
# must include the DNS name in the SAN too (otherwise, Chrome and others that
# strictly follow the CA/Browser Baseline Requirements will fail).
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = Example Company
emailAddress = Email Address
emailAddress_default = test@example.com
# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# You only need digitalSignature below. *If* you don't allow
# RSA Key transport (i.e., you use ephemeral cipher suites), then
# omit keyEncipherment because that's key transport.
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
# RFC 5280, Section 4.2.1.12 makes EKU optional
# CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
# In either case, you probably only need serverAuth.
# extendedKeyUsage = serverAuth, clientAuth
# Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
# RFC 5280, Section 4.2.1.12 makes EKU optional
# CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
# In either case, you probably only need serverAuth.
# extendedKeyUsage = serverAuth, clientAuth
[ alternate_names ]
DNS.1 = localhost
# IPv4 localhost
IP.1 = 127.0.0.1
# IPv6 localhost
IP.2 = ::1
Then, I did
openssl req -config example-com.conf -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout example-com.key.pem -days 365 -out example-com.cert.pem
Reopen https://localhost:3000
in Chrome gives me
localhost uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Can anyone help?
I suggest the following solution: create self-signed CA certificate and the web server certificate signed by this CA. When you install this small chain to your web server it will work with Chrome.
Create configuration file for your CA MyCompanyCA.cnf with contents (you can change it to your needs):
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = root_ca
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, fully qualified host name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ root_ca ]
basicConstraints = critical, CA:true
Create the extensions configuration file MyCompanyLocalhost.ext for your web server certificate:
subjectAltName = @alt_names
extendedKeyUsage = serverAuth
[alt_names]
DNS.1 = localhost
DNS.2 = mypc.mycompany.com
Then execute the following commands:
openssl req -x509 -newkey rsa:2048 -out MyCompanyCA.cer -outform PEM -keyout MyCompanyCA.pvk -days 10000 -verbose -config MyCompanyCA.cnf -nodes -sha256 -subj "/CN=MyCompany CA"
openssl req -newkey rsa:2048 -keyout MyCompanyLocalhost.pvk -out MyCompanyLocalhost.req -subj /CN=localhost -sha256 -nodes
openssl x509 -req -CA MyCompanyCA.cer -CAkey MyCompanyCA.pvk -in MyCompanyLocalhost.req -out MyCompanyLocalhost.cer -days 10000 -extfile MyCompanyLocalhost.ext -sha256 -set_serial 0x1111
As result you will get MyCompanyCA.cer, MyCompanyLocalhost.cer and MyCompanyLocalhost.pvk files that you can install to the web server.
How to check that it works with Chrome before installing certificates to the web server. Execute the following command on your local PC to run web server simulator:
openssl s_server -accept 15000 -cert MyCompanyLocalhost.cer -key MyCompanyLocalhost.pvk -CAfile MyCompanyCA.cer -WWW
Then you can access this page at https://localhost:15000/ You will see an error that MyCompanyLocalhost.cer is not trusted, if you want to eliminate this error also - then install MyCompanyCA.cer to the certificate trusted list of your OS.
这篇关于主题替代名称缺失和ERR_SSL_VERSION_OR_CIPHER_MISMATCH的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!