Nginx + OpenSSL = NET::ERR_CERT_COMMON_NAME_INVALID

Hi There Community,

I have set up an Nginx reverse proxy pretty much successfully, but I have an issue with a self-signed certificate. I get this error in the web browser: NET::ERR_CERT_COMMON_NAME_INVALID

I have added my certificate to Windows certlm.

Any ideas?

That error usually indicates the name on the certificate and the name of the server are different.

The source of my problem is that my certificate needs to contain subject alternative names to work properly in a modern web browser. Here is how I fixed it:

I’ve created a new file called req.conf in /etc/ssl/:

sudo touch /etc/ssl/req.conf

Paste this inside (delete my remarks below with #…):

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = PL #country code
ST = Lower Silesia #state code
L = Wroclaw #city
O = openhab #system name from openhab (sudo openhabian-config > system settings > hostname - "openhab" in my case)
OU = openhab #as above
CN = openhab #as above
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = openhab #as above
DNS.2 = openhab #as above
DNS.3 = openhab #as above

Then I use this file to create a self-signed cert in the location which is already set up in nginx:

openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout openhab.pem -out openhab.pem -config req.conf -extensions 'v3_req'

Then I copy my new certificate to the html location just to reach it easily:

sudo cp openhab.crt /etc/openhab2/html

Copy-paste it from the above location to my desktop and install it as a trusted main authority - as local computer, not user.
You can check if it is present in this warehouse - cmd > certlm and press actions "find certificate".

Now clear the cache in the web browser and use the proper address to reach your openhab server - https://openhab in my example.

But what I do not know is how to do this with a certain IP address so that it is seen as a secure connection.

Under [alt_names] add
IP.1= n.n.n.n

where n.n.n.n is the IP address.

Doesn’t work for me - I’ve tried :slight_smile:

Have it on ip2 though - maybe on ip1 it will work - will try it tomorrow.
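
The IP.n entry discussed above, as an added example that is not code from the thread: it builds a req config with hostnames under DNS.n and addresses under IP.n, then checks the generated certificate with openssl's -checkhost and -checkip. The helper names, the file names test.key and test.crt, the address 192.0.2.10 and the digitalSignature key usage are assumptions of this example.

```shell
# Added example, not from the thread. "openhab" is the thread's hostname;
# 192.0.2.10 is a constructed placeholder address. Helper names are made up.
# IP literals must go under IP.n; an address listed as DNS.n is not matched
# as an IP by browsers. Everything else is treated as a hostname.
san_kind() {
    case "$1" in
        *:*)          echo IP ;;   # IPv6 literal
        *[!0-9.]*|"") echo DNS ;;  # anything with a non-digit, non-dot char
        *.*.*.*)      echo IP ;;   # dotted quad
        *)            echo DNS ;;
    esac
}

# Print a req config; $1 is the CN and every argument becomes a SAN entry.
make_req_conf() {
    cat <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $1
[v3_req]
# digitalSignature is an assumption added here (the thread's config omits it)
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
EOF
    dns=0; ip=0
    for name in "$@"; do
        if [ "$(san_kind "$name")" = IP ]; then
            ip=$((ip + 1)); echo "IP.$ip = $name"
        else
            dns=$((dns + 1)); echo "DNS.$dns = $name"
        fi
    done
}

# Create a throwaway cert in directory $1, then check every name against it.
make_and_check() {
    dir=$1; shift
    make_req_conf "$@" > "$dir/req.conf"
    openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout "$dir/test.key" \
        -out "$dir/test.crt" -config "$dir/req.conf" 2>/dev/null || return 1
    for name in "$@"; do
        flag=-checkhost; [ "$(san_kind "$name")" = IP ] && flag=-checkip
        openssl x509 -in "$dir/test.crt" -noout "$flag" "$name" | grep -q 'does match' || return 1
    done
}
```

Run `make_and_check "$(mktemp -d)" openhab 192.0.2.10`; a zero exit status means every listed name and address matched the certificate.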

Anyway, this is off-topic for this openHAB forum.
Many other forums discuss SSL certificates and using openssl.

moved