This repository has been archived by the owner on May 25, 2022. It is now read-only.

Chrome certificate error - Subject Alternative Name missing #177

Open
johanjanssens opened this issue May 9, 2020 · 0 comments
johanjanssens commented May 9, 2020

Problem

Been working on HTTP caching testing and noticed that Chrome is behaving differently when I test on staging and in the box.

Diving deeper into this issue, I found that if you have certificate errors, Chrome caching does not work properly. See also:

https://stackoverflow.com/a/17716958
https://bugs.chromium.org/p/chromium/issues/detail?id=103875

I have my certificate installed in the keychain on macOS, but this isn't sufficient (see screenshot). Chrome recognises the certificate as valid but gives two errors:

  • Certificate: Subject Alternative Name missing
  • Certificate: missing

The Common Name of the certificate provided by the box does not match my custom domain joomlatools.test; it refers to localhost, and the Subject Alternative Name extension is also missing from the certificate.

[Screenshot 2020-05-09 at 16:20:53: Chrome certificate viewer showing the two errors above]

Since Chrome 58, Chrome requires the Common Name and the Subject Alternative Name to match the FQDN; see: https://support.google.com/chrome/a/answer/9813310?hl=en

Issues

With an invalid certificate Chrome does not send cache validation headers, e.g. If-Modified-Since or If-None-Match, to the server. See: If-None-Match

Solution

To solve this problem I created a new certificate and configured joomlatools.test to use this.

Quick Fix

In /etc/apache2/ssl

Step 1: Generate the RSA private key

> nano joomlatools.csr.cnf

[ req ]
default_md = sha256
prompt = no
req_extensions = req_ext
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
commonName = joomlatools.test
countryName = BE
organizationName = Joomlatools
emailAddress = [email protected]

[ req_ext ]
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=critical,serverAuth,clientAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.0 = *.joomlatools.test
# a wildcard matches exactly one label, so the bare domain needs its own entry
DNS.1 = joomlatools.test

Step 2: Create the Certificate Request (CSR)

> nano joomlatools.crt.cnf

[ req ]
default_md = sha256
prompt = no

req_extensions = req_ext
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
commonName = joomlatools.test
countryName = BE
organizationName = Joomlatools
emailAddress = [email protected]

[ req_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer

keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=critical,serverAuth,clientAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.0 = *.joomlatools.test
# a wildcard matches exactly one label, so the bare domain needs its own entry
DNS.1 = joomlatools.test

> openssl req -new -nodes -config joomlatools.csr.cnf -out joomlatools.csr -keyout joomlatools.key

Step 3: Self-sign your CSR

> openssl req -x509 -nodes -in joomlatools.csr -days 3650 -key joomlatools.key -config joomlatools.crt.cnf -extensions req_ext -out joomlatools.crt

Step 4: Check both the CSR and CRT files

> openssl req -noout -text -in joomlatools.csr
> openssl x509 -in joomlatools.crt -text -noout

Step 5: Configure the vhost to use this certificate

Step 6: Add the certificate to my keychain

Permanent Fix

To resolve this automatically I think there are two options: either a new certificate is created when a vhost is added, or the existing certificate is re-signed by adjusting the alt_names to include the new host. This can be done using a wildcard, as I did in my solution.

Notes

This problem also happens for joomla.box, which is documented as the default domain to use when setting up the box.
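Added example (not part of the issue above and not code from the joomlatools box): a small Python model of how a Chrome 58+ style client decides whether a server certificate is valid for a host name, run against constructed certificates that mirror the two cases in the issue, the box's certificate (CN=localhost, no subjectAltName) and a replacement whose [ alt_names ] holds only a wildcard. The certificate is represented as an assumed dict of just the two fields the check needs, and the DER encoder/decoder covers only the dNSName choice of GeneralName, which is all that DNS.n lines in an [ alt_names ] section produce. It shows that the Common Name is never consulted, that a missing SAN is a hard failure, and that `*.joomlatools.test` matches `www.joomlatools.test` but not the bare `joomlatools.test`.

```python
# Added example, not from the original issue or the joomlatools project.
# Models Chrome 58+ host-name validation: CN ignored, subjectAltName required,
# wildcard covers exactly one label.

DNS_NAME_TAG = 0x82   # GeneralName CHOICE [2] dNSName (IMPLICIT IA5String)
SEQUENCE_TAG = 0x30


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_san(dns_names):
    """Encode a subjectAltName extension value (GeneralNames) holding only
    dNSName entries, the shape 'DNS.n = ...' lines in [ alt_names ] yield."""
    inner = b"".join(
        bytes([DNS_NAME_TAG]) + _der_length(len(name)) + name.encode("ascii")
        for name in dns_names
    )
    return bytes([SEQUENCE_TAG]) + _der_length(len(inner)) + inner


def _read_length(buf: bytes, i: int):
    """Decode DER length octets starting at buf[i]; return (length, next index)."""
    first = buf[i]
    i += 1
    if first < 0x80:
        return first, i
    k = first & 0x7F
    return int.from_bytes(buf[i:i + k], "big"), i + k


def decode_san(der: bytes):
    """Return the dNSName entries of a subjectAltName extension value.
    Other GeneralName choices (IP address, email, URI) are skipped."""
    if not der or der[0] != SEQUENCE_TAG:
        raise ValueError("subjectAltName must be a SEQUENCE")
    total, i = _read_length(der, 1)
    end = i + total
    names = []
    while i < end:
        tag = der[i]
        length, i = _read_length(der, i + 1)
        value, i = der[i:i + length], i + length
        if tag == DNS_NAME_TAG:
            names.append(value.decode("ascii"))
    return names


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching: case-insensitive, and a leading '*' stands for
    exactly one label, so '*.example.test' matches 'www.example.test' but
    neither 'example.test' nor 'a.b.example.test'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def chrome_accepts(cert: dict, hostname: str):
    """Mimic Chrome 58+: the Common Name is never consulted; a certificate
    without subjectAltName fails, otherwise some dNSName must match.
    'cert' is an assumed dict shape: {'cn': str, 'san': bytes or None}."""
    if cert.get("san") is None:
        return False, "Subject Alternative Name missing"
    for entry in decode_san(cert["san"]):
        if dns_name_matches(entry, hostname):
            return True, "matched " + entry
    return False, "no subjectAltName entry matches " + hostname


# Constructed sample certificates (only the fields the check needs).
BOX_CERT = {"cn": "localhost", "san": None}
WILDCARD_ONLY_CERT = {"cn": "joomlatools.test",
                      "san": encode_san(["*.joomlatools.test"])}
FIXED_CERT = {"cn": "joomlatools.test",
              "san": encode_san(["*.joomlatools.test", "joomlatools.test"])}

if __name__ == "__main__":
    cases = [("box", BOX_CERT), ("wildcard only", WILDCARD_ONLY_CERT),
             ("wildcard + apex", FIXED_CERT)]
    for label, cert in cases:
        for host in ("joomlatools.test", "www.joomlatools.test"):
            print(f"{label:16} {host:24} {chrome_accepts(cert, host)}")
```

The same check can be made against a real certificate with `openssl x509 -in joomlatools.crt -noout -ext subjectAltName` (OpenSSL 1.1.1 and later), which prints exactly the dNSName list this model decodes; if the output is empty, Chrome will report "Subject Alternative Name missing" regardless of the Common Name.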
