3

I have generated a self-signed certificate using the following OpenSSL command on my Ubuntu-based PC.

openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -pubkey -days 365  -subj "/C=NZ/ST=LH/O=SoN, Inc./CN=10.16.1.96" -reqexts Canada -config <(cat /etc/ssl/openssl.cnf <(printf "[Wellington]\nsubjectAltName=DNS:10.16.1.96,DNS:10.16.1.96"))

Next, I have copied the private key and cert.pem to the Raspberry Pi (10.16.1.96), which is running a web server and using these keys.

Also, I have added cert.pem to my Chrome browser: under Manage Certificates/Authorities, I have imported this certificate.

However, my browser complains about this -

Subject Alternative Name missing
The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.

Certificate error
There are issues with the site's certificate chain (net::ERR_CERT_COMMON_NAME_INVALID).

How can I get rid of this error?

Bali Vinayak

1 Answer

2

At the end of your command, you're providing subject alternative names like this: subjectAltName=DNS:10.16.1.96,DNS:10.16.1.96

The problem is that you're using SANs of type dNSName (DNS: in the OpenSSL configuration), but you're using IP addresses, so you need SANs of type iPAddress in this case (see this answer for more details about the specifications).

Changing your command to use subjectAltName=IP:10.16.1.96,IP:10.16.1.96 should fix it.

Bruno
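The difference between the two SAN types discussed in the answer, as an added example (not code from the question or the answer): it DER-encodes the question's DNS: entries and the answer's IP: entries, then applies the rule that an IP-literal host is compared only with iPAddress entries. The function names are hypothetical, matching is exact (no wildcards), and only short-form DER lengths are handled.

```python
import ipaddress

# GeneralName tags inside subjectAltName (RFC 5280): context-specific, primitive.
TAG_DNS = 0x82  # [2] dNSName: ASCII text
TAG_IP = 0x87   # [7] iPAddress: 4 (IPv4) or 16 (IPv6) raw address bytes

def encode_san(entries):
    """DER-encode OpenSSL-style entries ('DNS:x', 'IP:y') as GeneralNames."""
    body = b""
    for entry in entries:
        kind, value = entry.split(":", 1)
        if kind == "DNS":
            tag, raw = TAG_DNS, value.encode("ascii")
        elif kind == "IP":
            tag, raw = TAG_IP, ipaddress.ip_address(value).packed
        else:
            raise ValueError(f"unsupported SAN type: {kind}")
        body += bytes([tag, len(raw)]) + raw
    if len(body) > 127:
        raise ValueError("long-form DER lengths are not handled here")
    return bytes([0x30, len(body)]) + body

def decode_san(der):
    """Return [(kind, value)] from a short-form DER GeneralNames SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a short-form GeneralNames SEQUENCE")
    names, i = [], 2
    while i < len(der):
        tag, length = der[i], der[i + 1]
        raw = der[i + 2:i + 2 + length]
        if tag == TAG_DNS:
            names.append(("DNS", raw.decode("ascii")))
        elif tag == TAG_IP:
            names.append(("IP", str(ipaddress.ip_address(raw))))
        i += 2 + length
    return names

def host_matches(host, der):
    """An IP-literal host matches only iPAddress entries; a name only dNSName."""
    try:
        wanted = ("IP", str(ipaddress.ip_address(host)))
    except ValueError:
        wanted = ("DNS", host.lower())
    return any((kind, value.lower()) == wanted for kind, value in decode_san(der))

# SAN values taken from the question (DNS:) and from the answer (IP:).
QUESTION_SAN = encode_san(["DNS:10.16.1.96", "DNS:10.16.1.96"])
ANSWER_SAN = encode_san(["IP:10.16.1.96", "IP:10.16.1.96"])
```

On a real certificate, `openssl x509 -in cert.pem -noout -text` shows which type was written: the SAN section lists either `DNS:` or `IP Address:` entries.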