SSL_ERROR_BAD_CERT_DOMAIN but name is correct

6

1

Our admin created a new cert for our rt server. Since then, I get a SSL_ERROR_BAD_CERT_DOMAIN error in Firefox. However the site works from Chrome and curl.

The cert is signed by our internal CA (freeipa), for which I've installed the public cert on my machine. Other sites signed by our internal CA work correctly.

Here is the debug info from Firefox:

https://rt.lsd.co.za/

Unable to communicate securely with peer: requested domain name does not match the server’s certificate.

HTTP Strict Transport Security: false
HTTP Public Key Pinning: false

Certificate chain:

-----BEGIN CERTIFICATE-----
MIIDizCCAnOgAwIBAgICAK4wDQYJKoZIhvcNAQELBQAwNDESMBAGA1UEChMJTFNE
LkNPLlpBMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcwMjAx
MDkxMDMxWhcNMTkwMjAyMDkxMDMxWjArMRIwEAYDVQQKEwlMU0QuQ08uWkExFTAT
BgNVBAMTDHJ0LmxzZC5jby56YTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAJdKUrTlEard+EeNNUC914CRMUWfQbDRq51KZo/8BRmLguKqkBoUuPqzHopy
v4/pN1i14uECfHuWu1Bw9aL20w1tmReFIBX6/oE9d0rFrt7+b3Fvri4PjGiuE6Ss
12Y8XAzlDSmUuIrRAdOn3Q6sZXKazxmBXnuR1uB0CGYxvArDrW544WNTPu0tFkkz
ZAnCQ++nnnTTgWqEVT/uOGucPrr3YBIPtcg5THJmO5PxQhBEwY/e55xFSNzGmuGI
7AOShUheJne0INW9YatFa9hTFhd+VWcpG/cogi5YS86LBQ1gulCn2UanGKePjUxD
NnEZsM/BXTZBvP0HtgBe1tas610CAwEAAaOBrzCBrDAfBgNVHSMEGDAWgBQlfxhn
0LE+dcgfqJCcZj2dGhzYgzA7BggrBgEFBQcBAQQvMC0wKwYIKwYBBQUHMAGGH2h0
dHA6Ly9kb24ubHNkLmNvLnphOjgwL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUJIYdQNTs9kan
MIHZ9r3VbK1fGbgwDQYJKoZIhvcNAQELBQADggEBABlmrBze/eIeb89IhwmnaycF
zNoXVIbzpZOy8qEvzBWqz85KN2YTGYqxLVku3dUxmJZh+XD4BHMT24hVKs28fqFx
zZEno0tJjXkOWadhTlHzDe5YPs+yVbWXb0xe65gLghwuTLH+PSXfj7dwMM9CVSM2
Ik0Ijcw8XXxcwnTu8V+7gHS97LP8rsYa/FvqBJikTVKrTo4FPpULYAiXYNSZcddb
KvujWAZFDViCBwebbKRZBuU3jJV9vSK7ZfLelRFf0HcUGyWJYkF8lmRlg994X8jf
FvwLfuUzeiSeVlidZXlrSOZihojBcLqC2PwutlQUVFccA+9gpnqBc50hlaPzb+I=
-----END CERTIFICATE-----

Version of Firefox is 51 running on Arch linux.

Here is the output from openssl s_client:

openssl s_client -connect rt.lsd.co.za:443 -servername rt.lsd.co.za
CONNECTED(00000003)
depth=1 O = LSD.CO.ZA, CN = Certificate Authority
verify return:1
depth=0 O = LSD.CO.ZA, CN = rt.lsd.co.za
verify return:1
---
Certificate chain
 0 s:/O=LSD.CO.ZA/CN=rt.lsd.co.za
   i:/O=LSD.CO.ZA/CN=Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDizCCAnOgAwIBAgICAK4wDQYJKoZIhvcNAQELBQAwNDESMBAGA1UEChMJTFNE
LkNPLlpBMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcwMjAx
MDkxMDMxWhcNMTkwMjAyMDkxMDMxWjArMRIwEAYDVQQKEwlMU0QuQ08uWkExFTAT
BgNVBAMTDHJ0LmxzZC5jby56YTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAJdKUrTlEard+EeNNUC914CRMUWfQbDRq51KZo/8BRmLguKqkBoUuPqzHopy
v4/pN1i14uECfHuWu1Bw9aL20w1tmReFIBX6/oE9d0rFrt7+b3Fvri4PjGiuE6Ss
12Y8XAzlDSmUuIrRAdOn3Q6sZXKazxmBXnuR1uB0CGYxvArDrW544WNTPu0tFkkz
ZAnCQ++nnnTTgWqEVT/uOGucPrr3YBIPtcg5THJmO5PxQhBEwY/e55xFSNzGmuGI
7AOShUheJne0INW9YatFa9hTFhd+VWcpG/cogi5YS86LBQ1gulCn2UanGKePjUxD
NnEZsM/BXTZBvP0HtgBe1tas610CAwEAAaOBrzCBrDAfBgNVHSMEGDAWgBQlfxhn
0LE+dcgfqJCcZj2dGhzYgzA7BggrBgEFBQcBAQQvMC0wKwYIKwYBBQUHMAGGH2h0
dHA6Ly9kb24ubHNkLmNvLnphOjgwL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUJIYdQNTs9kan
MIHZ9r3VbK1fGbgwDQYJKoZIhvcNAQELBQADggEBABlmrBze/eIeb89IhwmnaycF
zNoXVIbzpZOy8qEvzBWqz85KN2YTGYqxLVku3dUxmJZh+XD4BHMT24hVKs28fqFx
zZEno0tJjXkOWadhTlHzDe5YPs+yVbWXb0xe65gLghwuTLH+PSXfj7dwMM9CVSM2
Ik0Ijcw8XXxcwnTu8V+7gHS97LP8rsYa/FvqBJikTVKrTo4FPpULYAiXYNSZcddb
KvujWAZFDViCBwebbKRZBuU3jJV9vSK7ZfLelRFf0HcUGyWJYkF8lmRlg994X8jf
FvwLfuUzeiSeVlidZXlrSOZihojBcLqC2PwutlQUVFccA+9gpnqBc50hlaPzb+I=
-----END CERTIFICATE-----
subject=/O=LSD.CO.ZA/CN=rt.lsd.co.za
issuer=/O=LSD.CO.ZA/CN=Certificate Authority
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1622 bytes and written 454 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 04A8B44739CA7D3FE553734AF99193176A5A849784AE03DBD6C87ABA7FA5DACC
    Session-ID-ctx: 
    Master-Key: 153EF67A35CE63E1BA4317424B1A2ABFD17C26CCE2E78A3ED215979B383A0ABCF4D5BC035ABFC1F6BF11780AC1836FAC
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 28 83 96 6e ba 76 6f d6-58 dd 27 78 29 92 94 3d   (..n.vo.X.'x)..=
    0010 - 39 be 32 04 02 9a 8c 56-3f f9 49 c2 87 14 31 a5   9.2....V?.I...1.
    0020 - 74 ef ce 06 4c b8 99 fe-35 90 f1 07 29 0b 60 f7   t...L...5...).`.
    0030 - 51 b0 2d 78 5d 6a 7c 84-ca 4d 51 d0 d2 ae 9b 2e   Q.-x]j|..MQ.....
    0040 - 8f f5 79 8a ab c3 3c bb-66 fc 51 5c a3 10 ca 1f   ..y...<.f.Q\....
    0050 - f2 1d c5 59 4e 98 e4 9e-89 27 15 d0 89 86 e8 23   ...YN....'.....#
    0060 - 85 f5 78 f4 48 26 9f 96-f5 27 01 fc c2 e2 c5 c7   ..x.H&...'......
    0070 - 76 bf 35 f1 25 23 b9 fe-c5 93 30 1c 26 94 fa 81   v.5.%#....0.&...
    0080 - b8 5f d1 06 50 9e 98 85-54 08 7f e6 07 16 1c 20   ._..P...T...... 
    0090 - 96 1c 23 6c fb 21 0f 3c-f6 62 97 e5 81 63 71 95   ..#l.!.<.b...cq.
    00a0 - c9 15 49 72 c1 33 d5 db-96 de cc a2 65 4e d2 de   ..Ir.3......eN..
    00b0 - fb ce 73 25 3c 65 2d 7c-a8 60 68 93 fe e2 67 5c   ..s%<e-|.`h...g\
    00c0 - 78 59 72 43 4b ba e2 68-9f 69 1e 8a 11 40 25 2c   xYrCK..h.i...@%,

    Start Time: 1486113094
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

I'm at a loss to try and figure out what is wrong. Any tips?

Public cert for our CA: 

-----BEGIN CERTIFICATE-----
MIIDhTCCAm2gAwIBAgIBATANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKEwlMU0Qu
Q08uWkExHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xMjEyMDYx
NDE1NTJaFw0yMDEyMDYxNDE1NTJaMDQxEjAQBgNVBAoTCUxTRC5DTy5aQTEeMBwG
A1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEA3khFpt0gCbxomAx/MLRhdjWBjchbIqXDyPc8nLSNlHBJYhYy
HTdc6eyTf1j6jSY4jLwYH2brW7crZNgTwpW4SukjvF1tUK+ABwiAueZnMXIJR9fE
azigc4gQpMbfH9EXK514kmX1MkFncIAYbIOgBy2UGEFrkWVEFs64DP/0WiC2DxLV
mSiw+p8QX2qYVK57ROfJV98pf5B2nc8UvOaVLwU1LgYy7ydipH9q9ztU7CvHaNoO
Xow6zY0BlkNFH6b6sM9HwQzlPfIy7xDSefPD7t8MrzyFZ53Yy3M4ob+6JkxIz+iF
knidHAf/kBSSg6bM3F4e5DjLRFDiz3ens+TEiQIDAQABo4GhMIGeMB8GA1UdIwQY
MBaAFCV/GGfQsT51yB+okJxmPZ0aHNiDMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0P
AQH/BAQDAgHGMB0GA1UdDgQWBBQlfxhn0LE+dcgfqJCcZj2dGhzYgzA7BggrBgEF
BQcBAQQvMC0wKwYIKwYBBQUHMAGGH2h0dHA6Ly9kb24ubHNkLmNvLnphOjgwL2Nh
L29jc3AwDQYJKoZIhvcNAQELBQADggEBABgk6Zy8f7g1WD73g4DDjDTtDKtGlJcf
gsOhVgjmJks0riXCXsgsuxKFbH1Skro+v4DgrLSHQLgTxmZLywrfQvYYepxSU8V1
2O3WcbiNkN2txokv4LAiFUn5jdRAlKpUWw0413243mS2vblkXjKuPt4M6Yw1X7ZW
J/AYuZEDMtcfm5ZdxCkBSSFeAxOyGz14y+cNN+X7xPP0LugWaS9jz07Ao/BZkb4i
kgipkkS1v4gD75q5v18d2cwzpC9yF8p3797HfRWuaDqZ4v/Ym6XYa1N5UihmCt+x
5WBLufXj7gD+IY2cKaX4AKXQIqwH3PT9VxIjIhyV3Wuma4mUIvNYimw=
-----END CERTIFICATE-----

Gary van der Merwe

Posted 2017-02-03T09:25:23.983

Reputation: 541

1Because it is working using other clients, this looks like a Firefox-specific response. That makes this not a great question here. If you search "Firefox SSL_ERROR_BAD_CERT_DOMAIN" you'll see a lot of support hits and things to troubleshoot. – schroeder – 2017-02-03T09:32:08.550

1Have you checked whether the certificate is trusted by Firefox? Firefox comes with its own certificate store. See about:preferences#advanced. – Erwan Legrand – 2017-02-03T11:27:59.903

@ErwanLegrand: as mentioned in the question, the cert is signed by our companies internal CA, for which the public cert is installed in my systems trusted CA store. So yes. – Gary van der Merwe – 2017-02-03T13:00:26.390

1Unless this has changed recently, Firefox's certificate store is not the same as the system CA store. – Erwan Legrand – 2017-02-03T14:05:53.840

@ErwanLegrand Firefox will read the system CA store using p11-kit-trust. It has been like this for as long as I can remember. – Gary van der Merwe – 2017-02-03T14:12:26.033

@schroeder: So questions specifically about Firefox are bad? – Lightness Races with Monica – 2017-02-03T16:17:46.270

@LightnessRacesinOrbit bad? No, but when it's an internal functional error in a specific program, it's not a Sec.SE question. – schroeder – 2017-02-03T16:18:45.023

@schroeder: Didn't realise you'd commented while it was on Sec.SE. :) I'd probably still argue that Firefox's particular policy for SSL is very much a Sec.SE issue, but I'm not going to go down that route with any degree of seriousness. – Lightness Races with Monica – 2017-02-03T16:45:44.103

@LightnessRacesinOrbit the impacts to the effects of the error might be – schroeder – 2017-02-03T21:41:43.123

@GaryvanderMerwe The Mozilla wiki states that experimental support for loading certificates from the system store has been added in Firefox 49 (released September 20, 2016). This feature is disabled by default: https://wiki.mozilla.org/CA:AddRootToFirefox

– Erwan Legrand – 2017-02-05T16:02:58.397

Answers

18

Firefox has a new policy that certs issued after 2016-08-23 have to have a SubjectAltName field.

https://bugzilla.redhat.com/show_bug.cgi?id=1400293

https://bugzilla.mozilla.org/show_bug.cgi?id=1324096

Gary van der Merwe

Posted 2017-02-03T09:25:23.983

Reputation: 541

1Right. Using the subject's CN field to identify the server has been deprecated for a long time now. – Erwan Legrand – 2017-02-03T11:23:53.270

1Please quote the essential parts of the answer from the reference link(s), as the answer can become invalid if the linked page(s) change. – DavidPostill – 2017-02-04T23:30:13.333

2

With the helpful tool from Qualys SSL labs its not hard to understand that there are MANY issues with your host and its config. SSL Report: rt.lsd.co.za

Not only is the certificate supplied for a different domain (docker.lsd.co.za) its expired.

the Service still supports broken technologies like SSL, RC4, no Forward Secrecy.

I suggest you take a good look at your stack and upgrade your services.

LvB

Posted 2017-02-03T09:25:23.983

Reputation: 149

The server has multiple sites hosted, each site having it's own cert, using SNI. So the issue raised about the certificate supplied for a different domain (docker.lsd.co.za) is not an issue.

We are aware of the other issues with the ssl stack.

I actually used your tool, and unfortunately it did not detect what the actual problem. It would be cool if it could. – Gary van der Merwe – 2017-02-03T12:57:25.927

the fact that I can see such a poorly configured site means I would not put any effort into checking anything else until its fixed. BTW. your Cert is missing the altName. (X509v3 Subject Alternative Name) Firefox requires that (as does proper CA-management guidelines) – LvB – 2017-02-03T13:46:15.100

Yes - I know that now. See my answer above. It would be cool if your tool pointed this out. – Gary van der Merwe – 2017-02-03T13:50:39.727

it is not "my" tool, but Qualys, and it does not show the intended result due to configuration on your end. (e.a. it does not see the site you are referring to). a tool can only work with data it knows about and can retrieve. – LvB – 2017-02-03T13:53:05.953

Ok cool dude. Sorry, I thought the tool was yours. – Gary van der Merwe – 2017-02-03T13:58:12.187

" it does not show the intended result due to configuration on your end. (e.a. it does not see the site you are referring to). a tool can only work with data it knows about and can retrieve" ....making this not an answer to the given question. – Lightness Races with Monica – 2017-02-03T16:19:29.933

Asked: 2017-02-03T09:25:23.983

Viewed: 11 850 times

Active: 2017-02-03T10:51:18.147