Seguí esta respuesta para que https://localhost:3000/ funcione en Chrome y Mac. Hoy, de repente ya no funciona.

https://localhost:3000 da Not Secure:

Subject Alternative Name Missing
The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.

Volví a confiar en este certificado siguiendo los pasos anteriores, que no ayudaron. Luego vi esta respuesta, sobre cómo rehacer las claves SSL.

Entonces hice v3.ext:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost

Entonces

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -sha256 -extfile v3.ext

Sin embargo, vuelve

unknown option -extfile
req [options] <infile >outfile
where options  are
 -inform arg    input format - DER or PEM
 -outform arg   output format - DER or PEM
 ... ...

¿Alguien sabe qué está mal con mi comando openssl?

De lo contrario, ¿alguien sabe cómo solucionar este error Subject Alternative Name Missing o NET::ERR_CERT_COMMON_NAME_INVALID?

enter image description here

Editar 1: intenté seguir esta respuesta y aquí está mi example-com.conf:

[ req ]
default_bits        = 2048
default_keyfile     = server-key.pem
distinguished_name  = subject
req_extensions      = req_ext
x509_extensions     = x509_ext
string_mask         = utf8only

# The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description).
#   Its sort of a mashup. For example, RFC 4514 does not provide emailAddress.
[ subject ]
countryName         = Country Name (2 letter code)
countryName_default     = US

stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = NY

localityName            = Locality Name (eg, city)
localityName_default        = New York

organizationName         = Organization Name (eg, company)
organizationName_default    = Example, LLC

# Use a friendly name here because its presented to the user. The server's DNS
#   names are placed in Subject Alternate Names. Plus, DNS names here is deprecated
#   by both IETF and CA/Browser Forums. If you place a DNS name here, then you
#   must include the DNS name in the SAN too (otherwise, Chrome and others that
#   strictly follow the CA/Browser Baseline Requirements will fail).
commonName          = Common Name (e.g. server FQDN or YOUR name)
commonName_default      = Example Company

emailAddress            = Email Address
emailAddress_default        = test@example.com

# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
[ x509_ext ]

subjectKeyIdentifier        = hash
authorityKeyIdentifier  = keyid,issuer

# You only need digitalSignature below. *If* you don't allow
#   RSA Key transport (i.e., you use ephemeral cipher suites), then
#   omit keyEncipherment because that's key transport.
basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

# RFC 5280, Section 4.2.1.12 makes EKU optional
#   CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
#   In either case, you probably only need serverAuth.
# extendedKeyUsage  = serverAuth, clientAuth

# Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
[ req_ext ]

subjectKeyIdentifier        = hash

basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

# RFC 5280, Section 4.2.1.12 makes EKU optional
#   CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
#   In either case, you probably only need serverAuth.
# extendedKeyUsage  = serverAuth, clientAuth

[ alternate_names ]

DNS.1       = localhost

# IPv4 localhost
IP.1       = 127.0.0.1

# IPv6 localhost
IP.2     = ::1

Entonces lo hice

openssl req -config example-com.conf -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout example-com.key.pem -days 365 -out example-com.cert.pem

Volver a abrir https://localhost:3000 en Chrome me da

localhost uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH

¿Alguien puede ayudar?

23
SoftTimur 12 may. 2017 a las 07:42

2 respuestas

La mejor respuesta

Sugiero la siguiente solución: crear un certificado de CA autofirmado y el certificado del servidor web firmado por esta CA. Cuando instales esta pequeña cadena en tu servidor web, funcionará con Chrome.

Cree un archivo de configuración para su CA MyCompanyCA.cnf con contenido (puede cambiarlo según sus necesidades):

[ req ]
distinguished_name  = req_distinguished_name
x509_extensions     = root_ca

[ req_distinguished_name ]
countryName             = Country Name (2 letter code)
countryName_min         = 2
countryName_max         = 2
stateOrProvinceName     = State or Province Name (full name)
localityName            = Locality Name (eg, city)
0.organizationName      = Organization Name (eg, company)
organizationalUnitName  = Organizational Unit Name (eg, section)
commonName              = Common Name (eg, fully qualified host name)
commonName_max          = 64
emailAddress            = Email Address
emailAddress_max        = 64

[ root_ca ]
basicConstraints            = critical, CA:true

Cree el archivo de configuración de extensiones MyCompanyLocalhost.ext para su certificado de servidor web:

subjectAltName = @alt_names
extendedKeyUsage = serverAuth

[alt_names]
DNS.1   = localhost
DNS.2   = mypc.mycompany.com

Luego ejecute los siguientes comandos:

openssl req -x509 -newkey rsa:2048 -out MyCompanyCA.cer -outform PEM -keyout MyCompanyCA.pvk -days 10000 -verbose -config MyCompanyCA.cnf -nodes -sha256 -subj "/CN=MyCompany CA"

openssl req -newkey rsa:2048 -keyout MyCompanyLocalhost.pvk -out MyCompanyLocalhost.req -subj /CN=localhost -sha256 -nodes
openssl x509 -req -CA MyCompanyCA.cer -CAkey MyCompanyCA.pvk -in MyCompanyLocalhost.req -out MyCompanyLocalhost.cer -days 10000 -extfile MyCompanyLocalhost.ext -sha256 -set_serial 0x1111

Como resultado, obtendrá los archivos MyCompanyCA.cer, MyCompanyLocalhost.cer y MyCompanyLocalhost.pvk que puede instalar en el servidor web.

Cómo verificar que funciona con Chrome antes de instalar certificados en el servidor web. Ejecute el siguiente comando en su PC local para ejecutar el simulador de servidor web:

openssl s_server -accept 15000 -cert MyCompanyLocalhost.cer -key MyCompanyLocalhost.pvk -CAfile MyCompanyCA.cer -WWW

Luego puede acceder a esta página en https: // localhost: 15000 / Verá un error de que MyCompanyLocalhost.cer no es confiable, si también desea eliminar este error, instale MyCompanyCA.cer en la lista de certificados de confianza de su sistema operativo.

21
Oleg 18 may. 2017 a las 22:04

Gracias Oleg por una buena solución. En mi caso, el URI se especifica como una dirección IP en lugar de un nombre de host, finalmente, obtengo la solución de aquí.

Edito la MyCompanyLocalhost.ext de @ Oleg, desde

subjectAltName = @alt_names
extendedKeyUsage = serverAuth

[alt_names]
DNS.1   = localhost
DNS.2   = mypc.mycompany.com

Para

subjectAltName = @alt_names
extendedKeyUsage = serverAuth

[alt_names]

DNS.1 = domain.com 
# IP address
IP.1 = 192.168.2.221
IP.2 = 127.0.0.1
2
wang yongxu 5 mar. 2018 a las 09:18