Reorder SAN for firefox trust #42

Merged
merged 2 commits into from
Nov 22, 2019


Js-Brecht
Contributor

Getting error SSL_ERROR_BAD_CERT_DOMAIN in Firefox on Windows.

For whatever reason, if the wildcard domain is the first domain in the list, Firefox will generate the error, even though the necessary host is, in fact, in the list. Putting the domain that matches the CN first seems to work, and Firefox trusts the certificate. 🤷‍♂

@zetlen
Collaborator

zetlen commented Nov 21, 2019

Oddly, it was this one I wasn't able to reproduce. Firefox seemed to trust domains with the SANs in that order for me. This is on Windows 10 Home, from an image I got from here: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

image

Can you give me a repro with versions?

@Js-Brecht
Contributor Author

Yeah, this one was pretty bizarre. I encountered it when working on getting Node to trust the CA certificate. I could get it working for everything but Firefox, and I toyed with a thousand different things. Ultimately, this was the minimal number of changes I had to make to get it to work.

I'm currently running Windows 10 Pro x64, build 18362.449.
I have Firefox version 70.0.1 x64.

This is what I get (running Firefox & Chrome side by side, Chrome is on the right)
image

This is using the feature update (for returning the CA Path) and the default Gatsby starter. Let me put together a minimal reproduction, though. I'll post back when it's ready.

@Js-Brecht
Contributor Author

Js-Brecht commented Nov 21, 2019

Check out https://github.com/Js-Brecht/firefox-cert-trust-issue

The directory .certs is what was generated by devcert in my local app data, in case you wanted to see what was generated on my computer. I used version 1.0.2, with the same results.

@Js-Brecht
Contributor Author

Js-Brecht commented Nov 21, 2019

Check out the error it gives me. It's so strange to me that it says it's a bad domain...

The certificate is only valid for the following names: *.localhost, localhost

yet you'll notice that I am at localhost 🤣

@zetlen
Collaborator

zetlen commented Nov 21, 2019

It's possibly only reproducible if it's a starred cert on a top level domain, like *.localhost. I'll try that one later.

@Js-Brecht
Contributor Author

I didn't think to check to see if a subdomain would work with the SAN reordered (wildcard last). I'll check that out to see if it causes any problems.

@Js-Brecht
Contributor Author

Okay, just verified that reordering the SAN doesn't cause any issues for subdomains.

@zetlen
Collaborator

zetlen commented Nov 22, 2019

Still can't reproduce it, but I also can't find any regressions from this change, so I'm gonna merge it.

@zetlen zetlen merged commit b3cd0b7 into davewasmer:master Nov 22, 2019
zetlen added a commit that referenced this pull request Nov 22, 2019
@Js-Brecht Js-Brecht deleted the firefox-cert-trust branch November 22, 2019 20:38
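
The SAN reordering discussed in this thread, as an added example that is not devcert's code and not part of the conversation. The function names `orderSans`, `sanExtensionLine` and `matchesSan` are hypothetical, and the wildcard rule used (a `*` covers exactly one left-most label) is the conventional one, under which the order of SAN entries does not affect which hosts the certificate covers.

```javascript
// Added example: put the SAN entry equal to the CN first and wildcard
// entries last, then render the OpenSSL subjectAltName extension line.

// Returns a de-duplicated, lower-cased SAN list: CN first, then other exact
// names, then wildcard names. The CN is included even if the caller left it out.
function orderSans(commonName, names) {
  const cn = commonName.toLowerCase();
  const unique = [...new Set([cn, ...names.map((n) => n.toLowerCase())])];
  const rank = (n) => (n === cn ? 0 : n.startsWith('*.') ? 2 : 1);
  // Array.prototype.sort is stable, so entries of equal rank keep input order.
  return unique.sort((a, b) => rank(a) - rank(b));
}

// Renders the list in OpenSSL x509v3 config syntax.
function sanExtensionLine(sans) {
  return 'subjectAltName = ' + sans.map((n) => 'DNS:' + n).join(', ');
}

// Conventional host matching: exact names compare case-insensitively, and
// "*.example" covers exactly one extra left-most label.
function matchesSan(host, sans) {
  const h = host.toLowerCase();
  return sans.some((san) => {
    const s = san.toLowerCase();
    if (!s.startsWith('*.')) return s === h;
    const dot = h.indexOf('.');
    return dot > 0 && h.slice(dot + 1) === s.slice(2);
  });
}

// Constructed sample input: the two names from the error message in this thread,
// in the order that was reported to fail.
const reported = ['*.localhost', 'localhost'];
const reordered = orderSans('localhost', reported);

console.log(sanExtensionLine(reordered));
// Both orders cover the same hosts; only the position of the CN entry differs.
for (const host of ['localhost', 'app.localhost', 'a.b.localhost']) {
  console.log(host, matchesSan(host, reported), matchesSan(host, reordered));
}
```

Note that `*.localhost` alone does not cover the bare host `localhost`, so the exact name has to stay in the list whichever order is used.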
alias-mac pushed a commit to alias-mac/devcert that referenced this pull request Feb 8, 2024
Bumps [@types/mkdirp](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/mkdirp) from 0.5.2 to 1.0.1.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/mkdirp)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>