英文:
ERR_CERT_COMMON_NAME_INVALID error for HTTPS subdomain despite wildcard subdomain certificate configuration
问题
我在访问HTTPS子域https://portainer.app/(或者一般的任何子域)时遇到了ERR_CERT_COMMON_NAME_INVALID错误,尽管证书已经配置为app和*.app的SAN。
TLDR:我为Docker创建了一个新的Debian服务器,主机名为app,IP为10.1.1.51。域中的每台计算机都可以正常看到主机名和IP(通过ping和nslookup检查)。在XCA中,我创建了Root CA、Intermediate CA和使用Intermediate CA签名的Servers端点证书。Root和Intermediate公钥已部署在网络中的所有设备上。服务器证书详细信息显示了许多SANs,包括:
...
DNS Name=terminal
DNS Name=*.terminal
DNS Name=app
DNS Name=*.app
DNS Name=localhost
IP Address=127.0.0.1
IP Address=10.1.1.50
IP Address=10.1.1.51
...
在app上,我创建了两个docker-compose.yml文件,分别用于nginx和portainer。Portainer docker-compose配置如下:
services:
portainer:
image: portainer/portainer-ce:latest
container_name: portainer
restart: unless-stopped
ports:
- 9810:9443
- 8000:8000
volumes:
- ./data:/data
- ./ssl:/certs
- /var/run/docker.sock:/var/run/docker.sock.
command:
- --ssl
- --sslcert
- /certs/Servers-Public.crt
- --sslkey
- /certs/Servers-Private.pem
Portainer配置为在portainer.conf中使用nginx:
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name portainer.app;
ssl_certificate /etc/ssl/certs/Servers-Public.crt;
ssl_certificate_key /etc/ssl/private/Servers-Private.pem;
location / {
proxy_pass https://10.1.1.51:9810/;
}
}
主要的app站点在default.conf中配置:
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name app localhost 10.1.1.51;
ssl_certificate /etc/ssl/certs/Servers-Public.crt;
ssl_certificate_key /etc/ssl/private/Servers-Private.pem;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
location /portainer/ {
proxy_pass https://10.1.1.51:9810/;
proxy_set_header X-Forwarded-Prefix /portainer;
proxy_set_header Host $host;
}
}
在这两个文件中都有HTTP到HTTPS重定向(带有正确的server_name):
server {
listen 80;
listen [::]:80;
server_name portainer.app;
return 301 https://$host$request_uri;
}
在浏览https://app/后,Chrome显示正确的网页,证书有效,一切正常。而且,即使我浏览app/portainer或10.1.1.51/portainer,所有内容都在SSL上运行并且安全。
然而,一旦我输入任何子域(https://portainer.app或random.app),我会收到一个ERR_CERT_COMMON_NAME_INVALID错误。对于任何*.app,都是相同证书,对于app是有效的。
我已经做了以下操作:我已经检查了Nginx配置、docker-compose文件、DNS设置,一切都似乎正确。我尝试为所有原始域再次创建证书,但也尝试了仅包含2个CN的简单证书:portainer.app和**.portainer.app*... 它总是表现相同。
DNS正确解析为服务器的IP地址10.1.1.51,在浏览器中打开站点后,Nginx Docker日志中没有日志条目。我使用ESET杀毒软件,但当我直接在未安装ESET的服务器上尝试时,结果也相同。有关错误的任何想法吗?
英文:
I am experiencing an ERR_CERT_COMMON_NAME_INVALID error when accessing an HTTPS subdomain https://portainer.app/ (but in general any subdomain), even though the certificate has been configured for app and *.app SAN.
TLDR: I created new Debian server for docker with hostname app and IP 10.1.1.51. Every computer in domain see both hostname and ip without problems (checked with ping and nslookup). In XCA I created Root CA, Intermediate CA and Servers endpoint certificate signed with Intermediate CA. Root and Intermediate Public Keys are deployed on all devices in network. Servers Certificate detail showing many SANs, including:
...
DNS Name=terminal
DNS Name=*.terminal
DNS Name=app
DNS Name=*.app
DNS Name=localhost
IP Address=127.0.0.1
IP Address=10.1.1.50
IP Address=10.1.1.51
...
On app I created 2 docker-compose.yml for nginx and portainer. Portainer docker-compose:
services:
portainer:
image: portainer/portainer-ce:latest
container_name: portainer
restart: unless-stopped
ports:
- 9810:9443
- 8000:8000
volumes:
- ./data:/data
- ./ssl:/certs
- /var/run/docker.sock:/var/run/docker.sock.
command:
- --ssl
- --sslcert
- /certs/Servers-Public.crt
- --sslkey
- /certs/Servers-Private.pem
Portainer is configured for nginx in portainer.conf like this:
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name portainer.app;
ssl_certificate /etc/ssl/certs/Servers-Public.crt;
ssl_certificate_key /etc/ssl/private/Servers-Private.pem;
location / {
proxy_pass https://10.1.1.51:9810/;
}
}
Primary app site is configured in default.conf:
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name app localhost 10.1.1.51;
ssl_certificate /etc/ssl/certs/Servers-Public.crt;
ssl_certificate_key /etc/ssl/private/Servers-Private.pem;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
location /portainer/ {
proxy_pass https://10.1.1.51:9810/;
proxy_set_header X-Forwarded-Prefix /portainer;
proxy_set_header Host $host;
}
}
There is http to https redirect in booth files (with correct server_name):
server {
listen 80;
listen [::]:80;
server_name portainer.app;
return 301 https://$host$request_uri;
}
After browse https://app/ Chrome shows correct webpage and that certificate is valid and everything is ok. Also, even if I browse app/portainer or 10.1.1.51/portainer everything works on ssl and secure.
However, as soon as I enter any subdomain (https://portainer.app or random.app) I get an error ERR_CERT_COMMON_NAME_INVALID. The same certificate which is valid for app is now invalid for any *.app.
I have already done this: I have checked the Nginx configuration, docker-compose files, DNS settings, and everything appears to be correct. I tried to make an certificate again for all original domains, but also a simpler certificate only for 2 CN: portainer.app and *.portainer.app... It always behaves the same way.
DNS correctly resolves to the server's IP address 10.1.1.51, and after open site in browser there are no log entry in the Nginx docker logs. I use ESET antivirus, but when I try it directly on a server where ESET is not installed, the result is the same there as well. Any idea where the error is?
答案1
得分: 1
通配符证书不应该颁发给涵盖由不同管理控制(即不同所有者)的域名。否则,一个所有者可能会使用自己的证书来冒充属于其他人的域名。
这意味着不能为*,也不能为*.com,同样也不能为*.co.uk(基本上是*.com的英国形式)。对于*.app或*.dev也是一样的。
总的来说 - 对于任何__公共__顶级域名都没有通配符。对于更低级别的内容,请参考公共后缀列表。
这些规则在验证证书时由浏览器强制执行。这意味着浏览器不仅依赖于证书颁发机构不颁发这种证书,还确保即使颁发了这种证书,它们也无法正常工作。浏览器外的证书验证通常没有这么严格。
另请参阅通配符SSL证书是否可以用于二级域名?。
英文:
A wildcard certificate should not be issued if it covers domains under different administrative control (i.e. different owners). Otherwise it would be possible that one owner could use its own certificate to impersonate domains which belong to somebody else.
This means it is not possible to have a wildcard for *, not for *.com but also not for *.co.uk (which basically is the UK form of *.com). The same as true for *.app or *.dev.
In general - there is no wildcard for any public top-level domain. For everything at a lower level consult the public suffix list.
These rules are enforced in the browser when validating a certificate. This means browsers don't only rely on certificate authorities to not issue such certificates, they also make sure that they don't work even if issued. Certificate validation outside of browser is often not that strict.
See also Can a wildcard SSL certificate be issued for a second level domain?.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论