I am trying to set up an HTTPS server on Python 3, but I could not generate a certificate and a key properly.

This is the server code:

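import http.server, ssl

server_address = ('localhost', 4443)
httpd = http.server.HTTPServer(server_address, http.server.SimpleHTTPRequestHandler)
# ssl.wrap_socket() was removed in Python 3.12; build an SSLContext instead.
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
# Load the self-signed certificate and its private key.
context.load_cert_chain(certfile='cert.pem', keyfile='key.pem')
# Wrap the listening socket so every accepted connection speaks TLS.
httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()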

This is how I generate the certificate:

$ openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout key.pem

I set Common Name to mysite.com.

Then I made a record in the hosts file, so that I could resolve my host by name:

127.0.0.1 www.mysite.com
127.0.0.1 mysite.com

And I imported the certificate into the trusted root CA section in *.pem and *.crt formats.

But the Chrome browser keeps showing an error:

"ERR_CERT_COMMON_NAME_INVALID", "Subject Alternative Name missing"

Is there something I missed or misunderstood?

1 Answer

Use SAN or a different browser.

The SubjectAlternativeName extension identified in the error dialog, abbreviated SAN and also called UCC = Unified Communication Certificate by Microsoft and some CAs, has been the officially preferred place to identify your server for about a decade, superseding the use of CommonName (CN) as done last century. A few months ago, Chrome (at version 58) began requiring SAN and rejecting CN-only; other browsers don't for now, but may well follow suit in the future.

Especially if you want to use one cert for both mysite.com and www.mysite.com, definitely use SAN. SAN allows you to have one cert for both of these; CN does not. Even if you use a wildcard *.mysite.com in CN it matches www.mysite.com and multipedal.site.com but NOT site.com; there are numerous Qs on this issue (search for them).

See https://serverfault.com/questions/845766/generating-a-self-signed-cert-with-openssl-that-works-in-chrome-58 or https://serverfault.com/questions/880804/can-not-get-rid-of-neterr-cert-common-name-invalid-error-in-chrome-with-self

For more on the 'trick' of creating cert with SAN in OpenSSL without putting it in your config, see
Provide subjectAltName to openssl directly on command line
Followup to one-liner to create cert request with SAN

dave_thompson_085
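
One way to produce a single self-signed certificate whose SAN covers both mysite.com and www.mysite.com, and to confirm the extension is present before importing it into the trust store. This is an added example, not code from the question or the answer; the function names `make_san_cert`, `cert_sans` and `has_san` and the `san.cnf` file name are made up for illustration, and it writes a small config file rather than using the command-line trick linked above.

```shell
#!/bin/sh
# Added example: self-signed cert with a subjectAltName extension.
# make_san_cert, cert_sans, has_san and san.cnf are illustrative names.

# make_san_cert OUT_DIR COMMON_NAME DNS_NAME...
make_san_cert() {
    out_dir=$1; cn=$2; shift 2
    san=""
    for name in "$@"; do
        san="${san:+$san,}DNS:$name"   # e.g. DNS:mysite.com,DNS:www.mysite.com
    done
    # Minimal request config: no prompts, CN as subject, SAN as an X.509v3 extension.
    cat > "$out_dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ext
prompt = no
[dn]
CN = $cn
[v3_ext]
subjectAltName = $san
EOF
    openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 \
        -config "$out_dir/san.cnf" \
        -keyout "$out_dir/key.pem" -out "$out_dir/cert.pem" &&
    chmod 600 "$out_dir/key.pem"       # keep the unencrypted key private
}

# cert_sans CERT: print the certificate's SAN entries, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//'
}

# has_san CERT HOST: succeed only if HOST is listed verbatim as a DNS SAN.
# (Exact match only; wildcard entries are not expanded.)
has_san() {
    cert_sans "$1" | grep -qxF "DNS:$2"
}

# Usage, with the names from the question:
#   make_san_cert . mysite.com mysite.com www.mysite.com && cert_sans cert.pem
```

An empty result from `cert_sans` means the certificate is CN-only, which is the case the answer describes Chrome rejecting.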