I have a certificate for a Synology NAS (Common Name: nas1.contoso.local) signed by a Windows 2016 CA server. Unfortunately, I am getting a NET::ERR_CERT_COMMON_NAME_INVALID error when I open the site (https://nas1.contoso.local) in Google Chrome. However, the URL is exactly the same as the certificate common name, so I'm not sure what the issue would be.

The root certificate for the CA server is already trusted by my computer and there is a "This certificate is valid" message in the certificate details. I've also tried opening the site in Safari, and the certificate details have the error "nas1.contoso.local certificate name does not match input".

Common Name: nas1.contoso.local

Site URL (with the error): https://nas1.contoso.local

Certificate Expires: March 20, 2024 11:52:02AM PST

Encryption: 2056

I've also tried creating and using certificates for *.contoso.local, as well as another nas1.contoso.local certificate with an IP address SAN. The wildcard certificate failed the same way, but oddly enough, the direct IP address SAN worked without any certificate errors when going directly to the IP address (e.g. https://10.0.0.2), but going directly to nas1.contoso.local still threw an error.

I'm not sure what could be causing this problem. Any help would be appreciated.

Edit: Here's the output from `echo | openssl s_client -connect nas1.contoso.local:443 | openssl x509 -text -noout` (removed the modulus and exponent output)

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1e:00:00:00:4b:5f:ad:53:57:8f:69:f5:c1:00:00:00:00:00:4b
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=contoso-WIN-T2A-CA
        Validity
            Not Before: Mar 21 18:52:02 2022 GMT
            Not After : Mar 20 18:52:02 2024 GMT
        Subject: C=US, ST=CA, O=contoso, OU=IT, CN=nas1.contoso.local/emailAddress=admin@contoso.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 extensions:
            1.3.6.1.4.1.311.20.2: 
                ...W.e.b.S.e.r.v.e.r
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier: 
                66:2F:78:AC:17:69:25:8F:68:7A:BD:4B:CF:6A:C8:95:FE:8C:26:E1
            X509v3 Authority Key Identifier: 
                keyid:58:66:30:49:C8:5C:A2:9B:E9:BE:B5:DE:7C:7B:ED:F7:3E:8F:43:48

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://WIN-T2A/CertEnroll/contoso-WIN-T2A-CA.crl

            Authority Information Access: 
                CA Issuers - URI:ldap:///CN=contoso-WIN-T2A-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=contoso,DC=local?cACertificate?base?objectClass=certificationAuthority

    Signature Algorithm: sha256WithRSAEncryption
```

anonmily
  • Post the output from `echo | openssl s_client -connect nas1.contoso.local:443 | openssl x509 -text -noout`. Run that command and post the output - edit your question and add the output. – Andrew Henle Mar 22 '22 at 19:41
  • @AndrewHenle Gotcha, made the edit with the output :) – anonmily Mar 22 '22 at 20:35
  • In short: common name is irrelevant. The certificate needs to have a matching subject alternative name but none is in the certificate. – Steffen Ullrich Mar 23 '22 at 06:37
  • @SteffenUllrich Thanks! That was it--had to add a SAN DNS option that matches (nas1.contoso.local) :) – anonmily Mar 24 '22 at 10:34
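
Added example (not part of the original question or comments): a Python check that applies the rule from the last two comments to `openssl x509 -text -noout` output, matching the requested name against SAN entries only and never against the Subject CN. The three dumps are constructed excerpts, and the `*.lab.contoso.local` entry and all function names are assumptions for illustration.

```python
import ipaddress
import re

# Constructed excerpts in the layout printed by `openssl x509 -text -noout`.
# CN_ONLY mirrors the certificate in the question: no subjectAltName extension.
CN_ONLY = """\
        Subject: C=US, ST=CA, O=contoso, OU=IT, CN=nas1.contoso.local
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""
# IP_ONLY mirrors the second attempt: a SAN that lists only the IP address.
IP_ONLY = CN_ONLY + """\
            X509v3 Subject Alternative Name:
                IP Address:10.0.0.2
"""
# WITH_DNS is the reissued certificate; the wildcard entry is an assumption.
WITH_DNS = CN_ONLY + """\
            X509v3 Subject Alternative Name:
                DNS:nas1.contoso.local, DNS:*.lab.contoso.local, IP Address:10.0.0.2
"""

def san_entries(text):
    """Return (dns_names, ip_addresses) from the SAN extension of the dump."""
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    items = [i.strip() for i in m.group(1).split(",")] if m else []
    dns = [i[len("DNS:"):].lower() for i in items if i.startswith("DNS:")]
    ips = [i[len("IP Address:"):] for i in items if i.startswith("IP Address:")]
    return dns, ips

def dns_match(pattern, host):
    """A wildcard counts only as the whole leftmost label and spans one label."""
    p, h = pattern.split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and (p[0] == "*" or p[0] == h[0])

def san_covers(text, target):
    """Match target against SAN entries only; the Subject CN is never consulted."""
    dns, ips = san_entries(text)
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return any(dns_match(d, target) for d in dns)
    return any(ipaddress.ip_address(i) == addr for i in ips)

if __name__ == "__main__":
    for name, dump in (("CN only", CN_ONLY), ("IP SAN", IP_ONLY), ("DNS SAN", WITH_DNS)):
        for target in ("nas1.contoso.local", "10.0.0.2"):
            print(f"{name:8} {target:20} {san_covers(dump, target)}")
```

The IP-only case reproduces what the question observed: the address is accepted while the hostname is still rejected, because the CN alone does not count.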
