Loading...
X

Error code: SSL_ERROR_BAD_CERT_DOMAIN for self-signed certificate (SOLVED)

Error code: SSL_ERROR_BAD_CERT_DOMAIN in Firefox

Let's look at how to fix the error “SSL_ERROR_BAD_CERT_DOMAIN” that occurs for a self-signed certificate.

Full text of the error:

Warning: Potential Security Risk Ahead

Firefox detected a potential security threat and did not continue to hackware.local. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.

What can you do about it?

The issue is most likely with the website, and there is nothing you can do to resolve it. You can notify the website’s administrator about the problem.

Learn more…

Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for hackware.local.
 
Error code: SSL_ERROR_BAD_CERT_DOMAIN

This error can occur both when accessing a site on the Internet, and for a local site for which you created an SSL certificate, for example, to test HTTPS settings.

On the Internet, the most common cause of this error is a mismatch between the domain name for which the certificate was issued and the name you use to connect to the web server. To make it clearer, for example, you access a website by specifying the IP address in the browser line instead of the domain name. Or the domain name does not match the certificate – this can also happen for various reasons, for example, I have encountered such examples on virtual hostings, when a hoster's certificate is used for those sites that have not configured HTTPS, but are accessed via the HTTPS protocol.

Simply put, the error “SSL_ERROR_BAD_CERT_DOMAIN” is most likely not your headache (unless, of course, you are the owner of the problematic site).

How to fix “SSL_ERROR_BAD_CERT_DOMAIN” for a self-signed certificate

This note is dedicated to the error “SSL_ERROR_BAD_CERT_DOMAIN” that occurs on a local computer or server for which you generated a self-signed SSL certificate.

Note: in order for a self-signed certificate to be perceived by web browsers as signed by a trusted source, the certificate of the local Certification Authority (CA) must already be added to the trusted ones. However, if you encounter the error "SSL_ERROR_BAD_CERT_DOMAIN", most likely, the certificate of the local Certification Authority (CA) is already added to trusted ones, otherwise the error would be different.

So, you created a certificate specifying the domain name (host name) correctly, but the error “SSL_ERROR_BAD_CERT_DOMAIN” still occurs.

If you read the message carefully, it says something about a bad domain in the certificate.

That is, you might think that the domain name (host name) is specified with an error.

If you click on the message “View Certificate”, additional information will be shown, among them the field “Common Name”:

Common Name	hackware.local

You can compare the Common Name value with the entered domain name in the address bar of the site.

Web browsers use the host name from the Subject Alternative Name (subjectAltName)

But no matter how you double-check the Common Name (CN) and maybe even re-create the certificate without typos in the Common Name, none of this will help you. The fact is that the error message shows the wrong reason. Now web browsers compare the domain name in the address bar and the name of the domain for which the certificate is valid, taking it from the Subject Alternative Name field.

That is, even if you create a certificate with the correct Common Name (CN), it will still cause the error “SSL_ERROR_BAD_CERT_DOMAIN”.

To fix the error “SSL_ERROR_BAD_CERT_DOMAIN” create a certificate with the Subject Alternative Name extension. It's quite simple.

The Subject Alternative Name extension is added NOT during the creation of the certificate signing request, but during the signing of the certificate. That is, the generation of the private key and the certificate signing request are performed in the usual way.

Before creating a self-signed certificate, you need to create a file with the Subject Alternative Name (subjectAltName) settings. I chose extraoptions.ext as the file name, but you can choose any other.

Example file syntax (for the hackware.local domain):

subjectAltName = DNS:hackware.local

After DNS, you need to specify the host name. You can also specify a host name with wildcards. If there are several values, they are separated by commas:

subjectAltName = DNS:*.hackware.local, DNS:hackware.local

Then, at the stage of signing the certificate, you need to specify the -extfile option and then the name of the file where you saved the settings:

openssl x509 -req -in DOMAIN.NAME.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out DOMAIN.NAME.crt -days 500 -sha256 -extfile extraoptions.ext

Also see the details in the article: How to add Subject Alternative Name (subjectAltName) to a self-signed certificate

Now after creating a self-signed certificate, move it to the SSL certificates directory of the web server and restart the web server for the changes to take effect. In a web browser, it is recommended to use the Ctrl+F5 combination to reload the page to force a new version of the page to be loaded, without using the web browser cache.

That's it – the problem is solved! The connection is now marked as secure.


Leave Your Observation

Your email address will not be published. Required fields are marked *