This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Why does firefox give an ssl error indicating that the cert isn't valid for my site, when my site is listed in subjectAltName?

  • 2
  • 6
  • 1 view
  • Nzaghachi ikpeazụ nke linsam

more options

I have a CA which signed a cert for my (internal) web server. The CA is loaded into firefox and the web server's cert is validated by firefox when I browse to it using the CommonName in the cert.

However, if I use one of the subjectAltName names for the server, Firefox tells me that the certificate isn't valid for the site I'm browsing, then gives a list of valid sites, which includes the site I entered.

Firefox Version: 45.0 OS: Ubuntu 14.04 Error Message: Your connection is not secure [advanced] intranet.wmi.com uses an invalid security certificate. The certificate is only valid for the following names: cac2.wmi.com, cac2.wmi.com., cac2, intranet.wmi.com, intranet.wmi.com., intranet Error code: SSL_ERROR_BAD_CERT_DOMAIN

When I click on "SSL_ERROR_BAD_CERT_DOMAIN", the following text appears:


https://intranet.wmi.com/

Unable to communicate securely with peer: requested domain name does not match the server's certificate.

HTTP Strict Transport Security: false HTTP Public Key Pinning: false

Certificate chain:


BEGIN CERTIFICATE-----

MIIDnTCCAwagAwIBAgIBETANBgkqhkiG9w0BAQsFADCBqDELMAkGA1UEBhMCVVMx FTATBgNVBAgTDFBlbm5zeWx2YW5pYTEVMBMGA1UEBxMMV2VzdCBDaGVzdGVyMQ8w DQYDVQQKEwZDQUNXTUkxHjAcBgNVBAsTFUNlcnRpZmljYXRlIEF1dGhvcml0eTEZ MBcGA1UEAxMQY2VydHMuY2Fjd21pLmNvbTEfMB0GCSqGSIb3DQEJARYQam9obm1A Y2FjZHNwLmNvbTAeFw0xNjA0MDQwNDU5NDlaFw0xNzA0MDkwNDU5NDlaMIGTMQsw CQYDVQQGEwJVUzEVMBMGA1UECBMMUGVubnN5bHZhbmlhMRUwEwYDVQQHEwxXZXN0 IENoZXN0ZXIxDDAKBgNVBAoTA1dNSTEQMA4GA1UECxMHV2Vic2l0ZTEVMBMGA1UE AxMMY2FjMi53bWkuY29tMR8wHQYJKoZIhvcNAQkBFhBqb2hubUBjYWNkc3AuY29t MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqbSJMCK4ALH1yio+0f1xJlaZn cgXz4TW4Lc29PbgP75BbCjo/UkyAHZk1UxuEfMvYXludKjXZy4HzIoxfjBo1twDm yecb8X3hi8pkPDenkntFx0GIw5G9028kRh6TmjTnytI68VMVbh53G0dcIa0rAveg UrK9i1YJ8oQtgOyEFwIDAQABo4HpMIHmMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgEN BB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSV9V2U TEAzCXmFfK43e0JQUXlqsTAfBgNVHSMEGDAWgBTXoC/0M5EPE2ovgLNGm8LpgOxJ jjALBgNVHQ8EBAMCBeAwXgYDVR0RAQH/BFQwUoIMY2FjMi53bWkuY29tgg1jYWMy LndtaS5jb20uggRjYWMyghBpbnRyYW5ldC53bWkuY29tghFpbnRyYW5ldC53bWku Y29tLoIIaW50cmFuZXQwDQYJKoZIhvcNAQELBQADgYEAXDRhnQaxnP1/dwSObt/K w9fUQv9BUsCFABYP+cePfqXikEHtzIB87/VFddz9ZKRQsfY3enpFTQrapq3NH3yj ZOtA6lGmY8kt5lEfuAO7LzUWbRNyS8T6VKpQuAs51BQvZQEgRGavxxzFsY7Y1Gnu qjFpcfvji63SdIKb7mlDzik=


END CERTIFICATE-----

Other info: I have tried marking subjectAltName critical and non-critical. The certificate above is the critical version. I have also tried all 6 alt names; only the one matching the CN works, the others fail with this error.

I have a CA which signed a cert for my (internal) web server. The CA is loaded into firefox and the web server's cert is validated by firefox when I browse to it using the CommonName in the cert. However, if I use one of the subjectAltName names for the server, Firefox tells me that the certificate isn't valid for the site I'm browsing, then gives a list of valid sites, which includes the site I entered. Firefox Version: 45.0 OS: Ubuntu 14.04 Error Message: Your connection is not secure [advanced] intranet.wmi.com uses an invalid security certificate. The certificate is only valid for the following names: cac2.wmi.com, cac2.wmi.com., cac2, intranet.wmi.com, intranet.wmi.com., intranet Error code: SSL_ERROR_BAD_CERT_DOMAIN When I click on "SSL_ERROR_BAD_CERT_DOMAIN", the following text appears: https://intranet.wmi.com/ Unable to communicate securely with peer: requested domain name does not match the server's certificate. HTTP Strict Transport Security: false HTTP Public Key Pinning: false Certificate chain: -----BEGIN CERTIFICATE----- MIIDnTCCAwagAwIBAgIBETANBgkqhkiG9w0BAQsFADCBqDELMAkGA1UEBhMCVVMx FTATBgNVBAgTDFBlbm5zeWx2YW5pYTEVMBMGA1UEBxMMV2VzdCBDaGVzdGVyMQ8w DQYDVQQKEwZDQUNXTUkxHjAcBgNVBAsTFUNlcnRpZmljYXRlIEF1dGhvcml0eTEZ MBcGA1UEAxMQY2VydHMuY2Fjd21pLmNvbTEfMB0GCSqGSIb3DQEJARYQam9obm1A Y2FjZHNwLmNvbTAeFw0xNjA0MDQwNDU5NDlaFw0xNzA0MDkwNDU5NDlaMIGTMQsw CQYDVQQGEwJVUzEVMBMGA1UECBMMUGVubnN5bHZhbmlhMRUwEwYDVQQHEwxXZXN0 IENoZXN0ZXIxDDAKBgNVBAoTA1dNSTEQMA4GA1UECxMHV2Vic2l0ZTEVMBMGA1UE AxMMY2FjMi53bWkuY29tMR8wHQYJKoZIhvcNAQkBFhBqb2hubUBjYWNkc3AuY29t MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqbSJMCK4ALH1yio+0f1xJlaZn cgXz4TW4Lc29PbgP75BbCjo/UkyAHZk1UxuEfMvYXludKjXZy4HzIoxfjBo1twDm yecb8X3hi8pkPDenkntFx0GIw5G9028kRh6TmjTnytI68VMVbh53G0dcIa0rAveg UrK9i1YJ8oQtgOyEFwIDAQABo4HpMIHmMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgEN BB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSV9V2U TEAzCXmFfK43e0JQUXlqsTAfBgNVHSMEGDAWgBTXoC/0M5EPE2ovgLNGm8LpgOxJ jjALBgNVHQ8EBAMCBeAwXgYDVR0RAQH/BFQwUoIMY2FjMi53bWkuY29tgg1jYWMy LndtaS5jb20uggRjYWMyghBpbnRyYW5ldC53bWkuY29tghFpbnRyYW5ldC53bWku Y29tLoIIaW50cmFuZXQwDQYJKoZIhvcNAQELBQADgYEAXDRhnQaxnP1/dwSObt/K w9fUQv9BUsCFABYP+cePfqXikEHtzIB87/VFddz9ZKRQsfY3enpFTQrapq3NH3yj ZOtA6lGmY8kt5lEfuAO7LzUWbRNyS8T6VKpQuAs51BQvZQEgRGavxxzFsY7Y1Gnu qjFpcfvji63SdIKb7mlDzik= -----END CERTIFICATE----- Other info: I have tried marking subjectAltName critical and non-critical. The certificate above is the critical version. I have also tried all 6 alt names; only the one matching the CN works, the others fail with this error.

All Replies (2)

more options

See this web page for contact information about Security (NSS) and Certificates.

more options

Hi cor-el, thank you for your reply. I didn't see contact info there, but your pointer led me to the NSS tools.

Using certutil, I verified that my CA is listed in my firefox profile's database. Then used tstclnt to try the 6 names in subjectAltName and one I created for testing that isn't. With tstclnt, all 6 work fine, I only receive a SSL_ERROR_BAD_CERT_DOMAIN for the unlisted name, which is expected.

To me this seems like the NSS libraries are working correctly, so somehow I must have hit a bad interaction between Firefox and libnss3.

I'm not sure what I can try next to debug this issue.