Univention Bugzilla – Bug 53288
wildcard certificates must use X509v3 Subject Alternative Name instead of CN - rejected by Chrome (90.0.4430)
Last modified: 2022-06-08 16:50:27 CEST
Some apps use the univention-add-vhost functionality, which creates a wildcard certificate *.master.five.test for access to the app's web interface via a subdomain, e.g. jitsi.master.five.test. It seems that Chrome is not happy about this certificate ("This server could not prove that it is jitsi.master.five.test; its security certificate does not specify Subject Alternative Names. This may be caused by a misconfiguration or an attacker intercepting your connection.") and marks it as unsafe.
This doesn't work in Chrome/Chromium default setup and no workaround is known.
*** Bug 54626 has been marked as a duplicate of this bug. ***
Our wildcard certificate doesn't have a "X509v3 Subject Alternative Name" field. https://serverfault.com/questions/559537/wildcard-certificate-causes-warning-on-google-chrome-only
We're also affected by this <https://chat.univention.de/channel/gitlab-migration?msg=rMvDuxYMp77J7AKx7>: Chromium rejects the certificate, because it is wrong: `cn=*.gitpages.…` : the baseline requirements mandate the use of `subjectAltNames=`, but some™ browsers still implement the fallback to `cn`; but this is [deprecated since 2000](https://datatracker.ietf.org/doc/html/rfc2818#section-3.1) and Chrome based browsers (Chrome, Chromium, Edge, …) enforce this since 2017
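To make the failure mode above concrete, here is an added example (not part of this bug report or of univention-ssl) that models the hostname check a modern browser performs: only subjectAltName dNSName entries are consulted, the CN is never used as a fallback, and a wildcard is honoured only as the whole left-most label. The two certificate records are constructed for illustration and use the dict layout that Python's `ssl.SSLSocket.getpeercert()` returns, so a real peer certificate could be passed in unchanged; `verify`, `match_hostname` and the record names are this example's own.

```python
"""Browser-style hostname verification (RFC 2818 section 3.1, RFC 6125 section 6.4):
only SAN dNSName entries count; a certificate without a SAN extension fails even
when its CN would have matched. This is an illustrative model, not Chrome's code."""

# Constructed records in the layout of ssl.SSLSocket.getpeercert().
CN_ONLY_WILDCARD = {  # what the bug report describes: wildcard in the CN only
    "subject": ((("commonName", "*.master.five.test"),),),
}

SAN_WILDCARD = {  # the same name, also carried as a subjectAltName dNSName
    "subject": ((("commonName", "*.master.five.test"),),),
    "subjectAltName": (("DNS", "*.master.five.test"),),
}


def _dns_names(cert):
    """All SAN dNSName values, lower-cased; other SAN types (IP, email) are ignored."""
    return [value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _pattern_matches(pattern, hostname):
    """Match one SAN dNSName pattern against a hostname.

    A wildcard must be the entire left-most label and covers exactly one label,
    so *.example.test matches a.example.test but neither example.test nor
    a.b.example.test. Partial wildcards (f*o.example.test) and wildcards in any
    other position are rejected outright.
    """
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False  # refuse *.tld style patterns
    return p_labels[1:] == h_labels[1:]


def verify(cert, hostname):
    """Return (ok, reason) for the certificate and hostname."""
    names = _dns_names(cert)
    if not names:
        # This is the condition behind Chrome's "does not specify Subject
        # Alternative Names" error; the CN is deliberately not consulted.
        return False, "no subjectAltName dNSName present (CN is not a fallback)"
    host = hostname.lower().rstrip(".")
    for pattern in names:
        if _pattern_matches(pattern, host):
            return True, "matched SAN dNSName %s" % pattern
    return False, "no SAN dNSName matches %s" % host


def match_hostname(cert, hostname):
    """Boolean form of verify()."""
    return verify(cert, hostname)[0]


if __name__ == "__main__":
    cases = [
        (CN_ONLY_WILDCARD, "jitsi.master.five.test"),
        (SAN_WILDCARD, "jitsi.master.five.test"),
        (SAN_WILDCARD, "master.five.test"),
        (SAN_WILDCARD, "a.b.master.five.test"),
    ]
    for cert, host in cases:
        ok, reason = verify(cert, host)
        print("%-24s %-5s %s" % (host, "OK" if ok else "FAIL", reason))
```

Running the script shows the first record failing for jitsi.master.five.test purely because the SAN extension is absent, while the SAN-carrying record passes for that name and is correctly rejected for the bare parent domain and for a two-level subdomain.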
OK: cd8c8c26e0b61cd9fe2f56dec200e73f7a07d517
OK: a2c237100b7f1569c2ca42e4bfb93d000f2c7730
OK: doc/errata/staging/univention-ssl.yaml
OK: errata-announce -V --onyl univention-ssl.yaml
OK: apt-get -t apt install univention-ssl
OK: univention-certificate new -name 'bar.phahn.dev' -days 10
OK: univention-certificate new -name '*.phahn.dev' -days 10
OK: univention-certificate list
<https://errata.software-univention.de/#/?erratum=5.0x330>