SSL_ERROR_BAD_CERT_DOMAIN but name is correct

firefoxtls

Our admin created a new cert for our rt server. Since then, I get a SSL_ERROR_BAD_CERT_DOMAIN error in Firefox. However the site works from Chrome and curl.

The cert is signed by our internal CA (freeipa), for which I've installed the public cert on my machine. Other sites signed by our internal CA work correctly.

Here is the debug info from Firefox:

https://rt.lsd.co.za/

Unable to communicate securely with peer: requested domain name does not match the server’s certificate.

HTTP Strict Transport Security: false
HTTP Public Key Pinning: false

Certificate chain:

-----BEGIN CERTIFICATE-----
MIIDizCCAnOgAwIBAgICAK4wDQYJKoZIhvcNAQELBQAwNDESMBAGA1UEChMJTFNE
LkNPLlpBMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcwMjAx
MDkxMDMxWhcNMTkwMjAyMDkxMDMxWjArMRIwEAYDVQQKEwlMU0QuQ08uWkExFTAT
BgNVBAMTDHJ0LmxzZC5jby56YTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAJdKUrTlEard+EeNNUC914CRMUWfQbDRq51KZo/8BRmLguKqkBoUuPqzHopy
v4/pN1i14uECfHuWu1Bw9aL20w1tmReFIBX6/oE9d0rFrt7+b3Fvri4PjGiuE6Ss
12Y8XAzlDSmUuIrRAdOn3Q6sZXKazxmBXnuR1uB0CGYxvArDrW544WNTPu0tFkkz
ZAnCQ++nnnTTgWqEVT/uOGucPrr3YBIPtcg5THJmO5PxQhBEwY/e55xFSNzGmuGI
7AOShUheJne0INW9YatFa9hTFhd+VWcpG/cogi5YS86LBQ1gulCn2UanGKePjUxD
NnEZsM/BXTZBvP0HtgBe1tas610CAwEAAaOBrzCBrDAfBgNVHSMEGDAWgBQlfxhn
0LE+dcgfqJCcZj2dGhzYgzA7BggrBgEFBQcBAQQvMC0wKwYIKwYBBQUHMAGGH2h0
dHA6Ly9kb24ubHNkLmNvLnphOjgwL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUJIYdQNTs9kan
MIHZ9r3VbK1fGbgwDQYJKoZIhvcNAQELBQADggEBABlmrBze/eIeb89IhwmnaycF
zNoXVIbzpZOy8qEvzBWqz85KN2YTGYqxLVku3dUxmJZh+XD4BHMT24hVKs28fqFx
zZEno0tJjXkOWadhTlHzDe5YPs+yVbWXb0xe65gLghwuTLH+PSXfj7dwMM9CVSM2
Ik0Ijcw8XXxcwnTu8V+7gHS97LP8rsYa/FvqBJikTVKrTo4FPpULYAiXYNSZcddb
KvujWAZFDViCBwebbKRZBuU3jJV9vSK7ZfLelRFf0HcUGyWJYkF8lmRlg994X8jf
FvwLfuUzeiSeVlidZXlrSOZihojBcLqC2PwutlQUVFccA+9gpnqBc50hlaPzb+I=
-----END CERTIFICATE-----

Version of Firefox is 51 running on Arch linux.

Here is the output from openssl s_client:

openssl s_client -connect rt.lsd.co.za:443 -servername rt.lsd.co.za
CONNECTED(00000003)
depth=1 O = LSD.CO.ZA, CN = Certificate Authority
verify return:1
depth=0 O = LSD.CO.ZA, CN = rt.lsd.co.za
verify return:1
---
Certificate chain
 0 s:/O=LSD.CO.ZA/CN=rt.lsd.co.za
   i:/O=LSD.CO.ZA/CN=Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDizCCAnOgAwIBAgICAK4wDQYJKoZIhvcNAQELBQAwNDESMBAGA1UEChMJTFNE
LkNPLlpBMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcwMjAx
MDkxMDMxWhcNMTkwMjAyMDkxMDMxWjArMRIwEAYDVQQKEwlMU0QuQ08uWkExFTAT
BgNVBAMTDHJ0LmxzZC5jby56YTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAJdKUrTlEard+EeNNUC914CRMUWfQbDRq51KZo/8BRmLguKqkBoUuPqzHopy
v4/pN1i14uECfHuWu1Bw9aL20w1tmReFIBX6/oE9d0rFrt7+b3Fvri4PjGiuE6Ss
12Y8XAzlDSmUuIrRAdOn3Q6sZXKazxmBXnuR1uB0CGYxvArDrW544WNTPu0tFkkz
ZAnCQ++nnnTTgWqEVT/uOGucPrr3YBIPtcg5THJmO5PxQhBEwY/e55xFSNzGmuGI
7AOShUheJne0INW9YatFa9hTFhd+VWcpG/cogi5YS86LBQ1gulCn2UanGKePjUxD
NnEZsM/BXTZBvP0HtgBe1tas610CAwEAAaOBrzCBrDAfBgNVHSMEGDAWgBQlfxhn
0LE+dcgfqJCcZj2dGhzYgzA7BggrBgEFBQcBAQQvMC0wKwYIKwYBBQUHMAGGH2h0
dHA6Ly9kb24ubHNkLmNvLnphOjgwL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUJIYdQNTs9kan
MIHZ9r3VbK1fGbgwDQYJKoZIhvcNAQELBQADggEBABlmrBze/eIeb89IhwmnaycF
zNoXVIbzpZOy8qEvzBWqz85KN2YTGYqxLVku3dUxmJZh+XD4BHMT24hVKs28fqFx
zZEno0tJjXkOWadhTlHzDe5YPs+yVbWXb0xe65gLghwuTLH+PSXfj7dwMM9CVSM2
Ik0Ijcw8XXxcwnTu8V+7gHS97LP8rsYa/FvqBJikTVKrTo4FPpULYAiXYNSZcddb
KvujWAZFDViCBwebbKRZBuU3jJV9vSK7ZfLelRFf0HcUGyWJYkF8lmRlg994X8jf
FvwLfuUzeiSeVlidZXlrSOZihojBcLqC2PwutlQUVFccA+9gpnqBc50hlaPzb+I=
-----END CERTIFICATE-----
subject=/O=LSD.CO.ZA/CN=rt.lsd.co.za
issuer=/O=LSD.CO.ZA/CN=Certificate Authority
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1622 bytes and written 454 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 04A8B44739CA7D3FE553734AF99193176A5A849784AE03DBD6C87ABA7FA5DACC
    Session-ID-ctx: 
    Master-Key: 153EF67A35CE63E1BA4317424B1A2ABFD17C26CCE2E78A3ED215979B383A0ABCF4D5BC035ABFC1F6BF11780AC1836FAC
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 28 83 96 6e ba 76 6f d6-58 dd 27 78 29 92 94 3d   (..n.vo.X.'x)..=
    0010 - 39 be 32 04 02 9a 8c 56-3f f9 49 c2 87 14 31 a5   9.2....V?.I...1.
    0020 - 74 ef ce 06 4c b8 99 fe-35 90 f1 07 29 0b 60 f7   t...L...5...).`.
    0030 - 51 b0 2d 78 5d 6a 7c 84-ca 4d 51 d0 d2 ae 9b 2e   Q.-x]j|..MQ.....
    0040 - 8f f5 79 8a ab c3 3c bb-66 fc 51 5c a3 10 ca 1f   ..y...<.f.Q\....
    0050 - f2 1d c5 59 4e 98 e4 9e-89 27 15 d0 89 86 e8 23   ...YN....'.....#
    0060 - 85 f5 78 f4 48 26 9f 96-f5 27 01 fc c2 e2 c5 c7   ..x.H&...'......
    0070 - 76 bf 35 f1 25 23 b9 fe-c5 93 30 1c 26 94 fa 81   v.5.%#....0.&...
    0080 - b8 5f d1 06 50 9e 98 85-54 08 7f e6 07 16 1c 20   ._..P...T...... 
    0090 - 96 1c 23 6c fb 21 0f 3c-f6 62 97 e5 81 63 71 95   ..#l.!.<.b...cq.
    00a0 - c9 15 49 72 c1 33 d5 db-96 de cc a2 65 4e d2 de   ..Ir.3......eN..
    00b0 - fb ce 73 25 3c 65 2d 7c-a8 60 68 93 fe e2 67 5c   ..s%<e-|.`h...g\
    00c0 - 78 59 72 43 4b ba e2 68-9f 69 1e 8a 11 40 25 2c   xYrCK..h.i...@%,

    Start Time: 1486113094
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

I'm at a loss to try and figure out what is wrong. Any tips?

Public cert for our CA:

-----BEGIN CERTIFICATE-----
MIIDhTCCAm2gAwIBAgIBATANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKEwlMU0Qu
Q08uWkExHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xMjEyMDYx
NDE1NTJaFw0yMDEyMDYxNDE1NTJaMDQxEjAQBgNVBAoTCUxTRC5DTy5aQTEeMBwG
A1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEA3khFpt0gCbxomAx/MLRhdjWBjchbIqXDyPc8nLSNlHBJYhYy
HTdc6eyTf1j6jSY4jLwYH2brW7crZNgTwpW4SukjvF1tUK+ABwiAueZnMXIJR9fE
azigc4gQpMbfH9EXK514kmX1MkFncIAYbIOgBy2UGEFrkWVEFs64DP/0WiC2DxLV
mSiw+p8QX2qYVK57ROfJV98pf5B2nc8UvOaVLwU1LgYy7ydipH9q9ztU7CvHaNoO
Xow6zY0BlkNFH6b6sM9HwQzlPfIy7xDSefPD7t8MrzyFZ53Yy3M4ob+6JkxIz+iF
knidHAf/kBSSg6bM3F4e5DjLRFDiz3ens+TEiQIDAQABo4GhMIGeMB8GA1UdIwQY
MBaAFCV/GGfQsT51yB+okJxmPZ0aHNiDMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0P
AQH/BAQDAgHGMB0GA1UdDgQWBBQlfxhn0LE+dcgfqJCcZj2dGhzYgzA7BggrBgEF
BQcBAQQvMC0wKwYIKwYBBQUHMAGGH2h0dHA6Ly9kb24ubHNkLmNvLnphOjgwL2Nh
L29jc3AwDQYJKoZIhvcNAQELBQADggEBABgk6Zy8f7g1WD73g4DDjDTtDKtGlJcf
gsOhVgjmJks0riXCXsgsuxKFbH1Skro+v4DgrLSHQLgTxmZLywrfQvYYepxSU8V1
2O3WcbiNkN2txokv4LAiFUn5jdRAlKpUWw0413243mS2vblkXjKuPt4M6Yw1X7ZW
J/AYuZEDMtcfm5ZdxCkBSSFeAxOyGz14y+cNN+X7xPP0LugWaS9jz07Ao/BZkb4i
kgipkkS1v4gD75q5v18d2cwzpC9yF8p3797HfRWuaDqZ4v/Ym6XYa1N5UihmCt+x
5WBLufXj7gD+IY2cKaX4AKXQIqwH3PT9VxIjIhyV3Wuma4mUIvNYimw=
-----END CERTIFICATE-----

Best Answer

  • Firefox has a new policy that certs issued after 2016-08-23 have to have a SubjectAltName field.

    https://bugzilla.redhat.com/show_bug.cgi?id=1400293

    https://bugzilla.mozilla.org/show_bug.cgi?id=1324096

  • Related Question