为提升您的使用体验,本站正在维护,部分功能暂时无法使用。如果本站文章无法解决您的问题,您想要向社区提问的话,请到 Twitter 上的 @FirefoxSupport 或 Reddit 上的 /r/firefox 提问,我们的支持社区将会很快回复您的疑问。

搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

browser warning: potential security risk ahead - ssl_error_bad_cert_domain

more options

the situation: we publish an internal wiki website in our intranet. the delivering server provides a certificate issued by our own microsoft active directory pki (root-intermediate-servercert). firefox is configured by gpos in order to use windows cert store, where root and intermediate are installed. but nevertheless firefox drops an error message ssl_bad_cert_domain and i do not see why. in chrome or chromium based edge everything is fine. no ssl warnings. as you can see in the attached screenshot the cert includes various san fields for different host names, which includes two ip addresses (anonymized).

any advice what do to is mostly appreciated.

thanks a lot peter

the situation: we publish an internal wiki website in our intranet. the delivering server provides a certificate issued by our own microsoft active directory pki (root-intermediate-servercert). firefox is configured by gpos in order to use windows cert store, where root and intermediate are installed. but nevertheless firefox drops an error message ssl_bad_cert_domain and i do not see why. in chrome or chromium based edge everything is fine. no ssl warnings. as you can see in the attached screenshot the cert includes various san fields for different host names, which includes two ip addresses (anonymized). any advice what do to is mostly appreciated. thanks a lot peter
已附加屏幕截图

由El Viejo于修改

被采纳的解决方案

indeed, removing the ip addresses from both san fields (dns, ip) did the trick. i do not feel capable to call this a firefox bug but at least it should be brought to the attention of the developers. so i am going to file a bug report (given there is'nt one already).

ps: no need to escalate this as it has been subject of discussion here (and i have learned how to issue certs according the specs :-) so no ip addresses in dns fields). https://bugzilla.mozilla.org/show_bug.cgi?id=1148766

定位到答案原位置 👍 0

所有回复 (7)

more options
  • MOZILLA_PKIX_ERROR_MITM_DETECTED
  • uses an invalid security certificate SSL_ERROR_BAD_CERT_DOMAIN
  • configured their website improperly

How to troubleshoot the error code "SEC_ERROR_UNKNOWN_ISSUER" on secure websites https://support.mozilla.org/en-US/kb/troubleshoot-SEC_ERROR_UNKNOWN_ISSUER

more options

hello fredmcd, thanks for you quick reply. our ff users get only the ssl_error_bad_cert_domain and it can easily be resolved by setting a security exception but i do not want to do this for known reasons :-) as i mentioned in my first post our pki and the cert are set up the way it is supposed to work. chrome, edge and even good old (or better said bad old) ie do not drop a certificate warning. so my question is: where is the reason why firefox claims a bad domain name in the cert?

i do not want to post the public part of the cert because there is an internal ip address in two fields (dns, ip). could this be the reason for the error message?

more options

I don't know much about such issues and called for more help.

more options

There might be something Firefox doesn't like about the Subject Alt Names field.

For example, a few years ago we had a question where there were IP addresses mixed with regular host names in the field, which perhaps caused Firefox to read it incorrectly. That thread doesn't appear to have been resolved one way or the other:

https://support.mozilla.org/questions/1233865

more options

hello jscher2000, thanks for pointing me to the other thread. i am going to reissue the cert without ip addresses and test it.

more options

选择的解决方案

indeed, removing the ip addresses from both san fields (dns, ip) did the trick. i do not feel capable to call this a firefox bug but at least it should be brought to the attention of the developers. so i am going to file a bug report (given there is'nt one already).

ps: no need to escalate this as it has been subject of discussion here (and i have learned how to issue certs according the specs :-) so no ip addresses in dns fields). https://bugzilla.mozilla.org/show_bug.cgi?id=1148766

由El Viejo于修改

more options

Thank you for reporting back on that. I don't know why browsers disagree on such things.