主题备选名称Missing& ERR_SSL_VERSION_OR_CIPHER_MISMATCH [英] Subject Alternative Name Missing & ERR_SSL_VERSION_OR_CIPHER_MISMATCH
问题描述
我遵循
编辑1:我试着按照这个答案,这里是我的 example-com.conf :
[req]
default_bits = 2048
default_keyfile =服务器key.pem
distinguished_name =主题
req_extensions = req_ext
x509_extensions = x509_ext
string_mask = utf8only
#主题DN可使用X501或RFC 4514形成(有关说明,请参阅RFC 4519)。
#它是一种混搭。例如,RFC 4514不提供emailAddress。
[subject]
countryName =国家名称(2字母代码)
countryName_default =美元
$ b stateOrProvinceName =州或省名称(全名)
stateOrProvinceName_default = NY
localityName =地点名称(例如城市)
localityName_default =纽约
organizationName =组织名称(例如公司)
organizationName_default =例如,LLC
#在这里使用一个友好名称,因为它提供给用户。服务器的DNS
#名称放置在主题备用名称中。此外,此处的DNS名称已被IETF和CA /浏览器论坛弃用
#。如果您在此处放置DNS名称,则您的
#也必须在SAN中包含DNS名称(否则,严格遵循CA /浏览器基准要求的
#将会失败的Chrome和其他浏览器)。
commonName =通用名称(例如服务器FQDN或您的名字)
commonName_default =示例公司
emailAddress =电子邮件地址
emailAddress_default = test@example.com
#生成自签名证书时使用部分x509_ext。即,openssl req -x509 ...
[x509_ext]
subjectKeyIdentifier =散列
authorityKeyIdentifier = keyid,发行者
#您只需要digitalSignature 。 *如果*您不允许
#RSA密钥传输(即您使用短暂密码套件),则
#省略keyEncipherment,因为这是密钥传输。
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
subjectAltName = @alternate_names
nsComment =OpenSSL生成的证书
#RFC 5280,Section 4.2.1.12使EKU可选
#CA /浏览器基线要求,附录(B)(3)(G)让我感到困惑
#无论哪种情况,您可能只需要serverAuth。
#extendedKeyUsage = serverAuth,clientAuth
#在生成证书签名请求时使用部分req_ext。 Ie,openssl req ...
[req_ext]
subjectKeyIdentifier = hash
$ b basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
subjectAltName = @alternate_names
nsComment =OpenSSL生成的证书
#RFC 5280,第4.2.1.12节使EKU可选
#CA /浏览器基线要求,附录(B) (3)(G)让我困惑
#在这两种情况下,你可能只需要serverAuth。
#extendedKeyUsage = serverAuth,clientAuth
[alternate_names]
DNS.1 = localhost
#IPv4 localhost
IP .1 = 127.0.0.1
#IPv6本地主机
IP.2 = :: 1
然后,我做了
openssl req -config example-com.conf -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout example-com.key.pem -days 365 -out example-com.cert.pem
在Chrome中重新打开 https:// localhost:3000 给我
localhost使用不受支持的协议。
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
任何人都可以帮忙吗?
我建议以下解决方案:创建自签名CA证书和由此CA签名的Web服务器证书。当您将这个小型连锁店安装到您的网络服务器时,它可以与Chrome兼容。
为您的CA MyCompanyCA.cnf创建包含内容的配置文件(您可以根据需要更改它):
[req]
distinguished_name = req_distinguished_name
x509_extensions = root_ca
[req_distinguished_name]
countryName =国家名称(2字母代码)
countryName_min = 2
countryName_max = 2
stateOrProvinceName =州或省名称(全名)
localityName =地点名称(例如,城市)
0.organizationName =组织名称(例如公司)
organizationUnitName =组织单位名称(例如,部分)
commonName =通用名称主机名)
commonName_max = 64
emailAddress =电子邮件地址
emailAddress_max = 64
[root_ca]
basicConstraints = critical,CA:tr ue
为您的Web服务器证书创建扩展配置文件MyCompanyLocalhost.ext:
subjectAltName = @alt_names
extendedKeyUsage = serverAuth
[alt_names]
DNS.1 = localhost
DNS.2 = mypc.mycompany.com
然后执行以下命令:
openssl req -x509 -newkey rsa:2048 -out MyCompanyCA.cer -outform PEM -keyout MyCompanyCA.pvk -days 10000 -verbose -config MyCompanyCA.cnf -nodes -sha256 -subj / CN = MyCompany的CA
OpenSSL的REQ -newkey RSA:2048 -keyout MyCompanyLocalhost.pvk退房手续MyCompanyLocalhost.req -subj / CN =本地主机-sha256 - 节点
OpenSSL的X509 -req -CA MyCompanyCA.cer -CAkey MyCompanyCA.pvk -in MyCompanyLocalhost.req -out MyCompanyLocalhost.cer -days 10000 -extfile MyCompanyLocalhost.ext -sha256 -set_serial 0x1111
因此,您将获得MyCompanyCA.cer,MyCompanyLocalhost .cer和MyCompanyLocalhost.pvk文件,您可以将其安装到Web服务器。
在将证书安装到Web服务器之前,如何检查它是否适用于Chrome。在本地PC上执行以下命令以运行Web服务器模拟器:
openssl s_server -accept 15000 -cert MyCompanyLocalhost.cer -key MyCompanyLocalhost.pvk -CAfile MyCompanyCA.cer -WWW
然后您可以访问 https:// localhost:15000 /
如果您想消除MyCompanyLocalhost.cer不受信任的错误这个错误 - 然后将MyCompanyCA.cer安装到您的操作系统的证书可信列表。
I followed this answer to make https://localhost:3000/ work in Chrome & Mac. Today, it suddenly does not work anymore.
https://localhost:3000 gives Not Secure:
Subject Alternative Name Missing
The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.
I re-trusted this certificate by following the previous steps, it did not help. Then, I saw this answer, I need to remake ssl keys.
I make v3.ext:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
Then,
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -sha256 -extfile v3.ext
However, it returns
unknown option -extfile
req [options] <infile >outfile
where options are
-inform arg input format - DER or PEM
-outform arg output format - DER or PEM
... ...
Does anyone know what's wrong with my openssl command?
Otherwise, does anyone know how to fix this Subject Alternative Name Missing or NET::ERR_CERT_COMMON_NAME_INVALID error?
Edit 1: I tried to follow this answer and here is my example-com.conf:
[ req ]
default_bits = 2048
default_keyfile = server-key.pem
distinguished_name = subject
req_extensions = req_ext
x509_extensions = x509_ext
string_mask = utf8only
# The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description).
# Its sort of a mashup. For example, RFC 4514 does not provide emailAddress.
[ subject ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = NY
localityName = Locality Name (eg, city)
localityName_default = New York
organizationName = Organization Name (eg, company)
organizationName_default = Example, LLC
# Use a friendly name here because its presented to the user. The server's DNS
# names are placed in Subject Alternate Names. Plus, DNS names here is deprecated
# by both IETF and CA/Browser Forums. If you place a DNS name here, then you
# must include the DNS name in the SAN too (otherwise, Chrome and others that
# strictly follow the CA/Browser Baseline Requirements will fail).
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = Example Company
emailAddress = Email Address
emailAddress_default = test@example.com
# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# You only need digitalSignature below. *If* you don't allow
# RSA Key transport (i.e., you use ephemeral cipher suites), then
# omit keyEncipherment because that's key transport.
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
# RFC 5280, Section 4.2.1.12 makes EKU optional
# CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
# In either case, you probably only need serverAuth.
# extendedKeyUsage = serverAuth, clientAuth
# Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
# RFC 5280, Section 4.2.1.12 makes EKU optional
# CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
# In either case, you probably only need serverAuth.
# extendedKeyUsage = serverAuth, clientAuth
[ alternate_names ]
DNS.1 = localhost
# IPv4 localhost
IP.1 = 127.0.0.1
# IPv6 localhost
IP.2 = ::1
Then, I did
openssl req -config example-com.conf -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout example-com.key.pem -days 365 -out example-com.cert.pem
Reopen https://localhost:3000 in Chrome gives me
localhost uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Could anyone help?
I suggest the following solution: create self-signed CA certificate and the web server certificate signed by this CA. When you install this small chain to your web server it will work with Chrome.
Create configuration file for your CA MyCompanyCA.cnf with contents (you can change it to your needs):
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = root_ca
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, fully qualified host name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ root_ca ]
basicConstraints = critical, CA:true
Create the extensions configuration file MyCompanyLocalhost.ext for your web server certificate:
subjectAltName = @alt_names
extendedKeyUsage = serverAuth
[alt_names]
DNS.1 = localhost
DNS.2 = mypc.mycompany.com
Then execute the following commands:
openssl req -x509 -newkey rsa:2048 -out MyCompanyCA.cer -outform PEM -keyout MyCompanyCA.pvk -days 10000 -verbose -config MyCompanyCA.cnf -nodes -sha256 -subj "/CN=MyCompany CA"
openssl req -newkey rsa:2048 -keyout MyCompanyLocalhost.pvk -out MyCompanyLocalhost.req -subj /CN=localhost -sha256 -nodes
openssl x509 -req -CA MyCompanyCA.cer -CAkey MyCompanyCA.pvk -in MyCompanyLocalhost.req -out MyCompanyLocalhost.cer -days 10000 -extfile MyCompanyLocalhost.ext -sha256 -set_serial 0x1111
As result you will get MyCompanyCA.cer, MyCompanyLocalhost.cer and MyCompanyLocalhost.pvk files that you can install to the web server.
How to check that it works with Chrome before installing certificates to the web server. Execute the following command on your local PC to run web server simulator:
openssl s_server -accept 15000 -cert MyCompanyLocalhost.cer -key MyCompanyLocalhost.pvk -CAfile MyCompanyCA.cer -WWW
Then you can access this page at https://localhost:15000/ You will see an error that MyCompanyLocalhost.cer is not trusted, if you want to eliminate this error also - then install MyCompanyCA.cer to the certificate trusted list of your OS.
这篇关于主题备选名称Missing& ERR_SSL_VERSION_OR_CIPHER_MISMATCH的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
