ERR_SSL_SERVER_CERT_BAD_FORMAT in Chromium 6.3

2019-08-20 06:42发布

站内文章 / 前端开发
490 0 0

问题:

I am using my own CA and have created a certificate for the HTTPS server. I have installed the root CA certificate through this set of instructions and this set of instructions.

The openssl s_client verifies the SSL certificate when I connect to my website and give it the CApath to /etc/ssl/certs/

But Chromium complains with a ERR_SSL_SERVER_CERT_BAD_FORMAT when I try to connect.

I am currently lost as to how to see what specifically is causing Chromium to block my website. When I go into Chromium's settings and view the installed root CA certificates, my root CA is present.

I have a suspicion it could be a missing field in the X509v3 extension. The output of openssl x509 -text -in https-server.crt:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = Pennsylvania, CN = expandingdev.l5.ca
        Validity
            Not Before: Dec  6 03:05:24 2017 GMT
            Not After : Dec  6 03:05:24 2019 GMT
        Subject: C = US, ST = Pennsylvania, CN = tseng.l5.ca
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b8:7a:00:cf:e9:55:8d:ec:48:cc:00:57:e3:b5:
                    30:c4:a3:95:75:c4:a7:12:c8:11:91:d6:51:c3:9f:
                    45:56:5b:f2:25:36:fb:32:e5:d3:76:44:90:ba:f9:
                    20:1b:65:09:0a:63:a2:d7:7a:14:7d:ba:a6:24:fa:
                    dc:82:51:3b:32:6c:f1:3a:fb:4d:e4:1c:65:74:95:
                    4e:a6:bf:cb:49:f8:95:31:3a:d4:7a:90:09:d5:7c:
                    8c:90:d3:5a:10:a0:23:aa:22:75:84:19:dc:a7:ba:
                    ec:c4:fa:94:fb:12:b3:d4:b1:bc:66:7e:e8:43:a0:
                    d2:f8:f2:6d:00:3c:ef:43:f6:8b:9d:6b:7b:43:84:
                    8a:fb:f6:97:c8:18:59:2d:b2:4b:3c:ff:03:f7:90:
                    2a:d6:32:44:3d:08:52:e9:1d:34:9a:67:6c:a4:62:
                    3a:d9:78:bf:10:b1:63:38:b1:8d:25:a4:11:c3:6a:
                    c6:19:c0:59:1b:ac:0b:41:60:48:f1:fc:6b:e7:9d:
                    c9:5b:b8:fb:cc:03:94:0c:b2:18:80:46:f2:df:c2:
                    c7:ce:49:85:00:9d:8a:73:95:af:5f:aa:5d:88:11:
                    46:9f:ff:6f:67:17:04:d1:d6:12:a3:f0:5a:56:34:
                    1f:ec:a7:d0:3f:a3:df:f4:22:04:db:4f:ec:0c:cf:
                    83:67
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:tseng.l5.ca, DNS:localhost
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                C9:D8:8B:23:17:C2:BA:3F:35:0A:69:7C:73:5B:B9:98:54:09:79:F7
    Signature Algorithm: sha256WithRSAEncryption
         00:b0:89:0a:f0:67:e3:3d:72:ec:5a:58:04:b2:a1:5d:d7:fb:
         69:1d:e7:30:2f:04:f1:48:3c:55:a8:e9:1f:a6:3f:c9:98:37:
         1b:72:94:52:04:47:51:a0:0e:5a:36:7e:16:c7:2f:d0:37:cb:
         0e:3d:3d:bc:8b:b0:31:46:91:92:d0:19:59:38:29:eb:c3:39:
         5f:93:aa:07:6a:3d:c2:37:b9:45:5d:33:06:91:7f:e5:c6:59:
         9d:69:3a:59:f5:73:c1:61:67:95:cc:33:5c:46:25:eb:27:fc:
         5c:f9:cd:ce:a7:08:05:03:cb:3c:5f:ad:1f:89:7f:be:38:fd:
         43:84:94:fe:0e:6e:47:52:aa:0b:bf:f0:d6:e3:34:c6:80:6c:
         7a:c7:33:25:a1:e0:b2:23:c5:85:b8:a4:e8:de:c2:2f:ca:3f:
         f5:5f:21:b3:f8:c0:f1:d9:9e:8f:c4:b5:a2:fa:33:8b:33:69:
         f6:bb:fb:7c:e1:06:e9:98:f5:2c:70:c7:ef:72:fd:2e:c4:c4:
         f4:6a:1d:5d:46:be:4c:ec:07:fd:79:20:56:51:b1:cf:87:76:
         bf:54:27:82:95:a2:2e:33:0d:6d:78:0f:7a:d3:bd:70:06:35:
         b8:ac:d2:d1:79:78:64:80:b1:77:75:5a:6e:b2:ae:1d:c2:72:
         7f:99:3f:63
-----BEGIN CERTIFICATE-----
MIIDQDCCAigCAQEwDQYJKoZIhvcNAQELBQAwQTELMAkGA1UEBhMCVVMxFTATBgNV
BAgMDFBlbm5zeWx2YW5pYTEbMBkGA1UEAwwSZXhwYW5kaW5nZGV2Lmw1LmNhMB4X
DTE3MTIwNjAzMDUyNFoXDTE5MTIwNjAzMDUyNFowOjELMAkGA1UEBhMCVVMxFTAT
BgNVBAgMDFBlbm5zeWx2YW5pYTEUMBIGA1UEAwwLdHNlbmcubDUuY2EwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4egDP6VWN7EjMAFfjtTDEo5V1xKcS
yBGR1lHDn0VWW/IlNvsy5dN2RJC6+SAbZQkKY6LXehR9uqYk+tyCUTsybPE6+03k
HGV0lU6mv8tJ+JUxOtR6kAnVfIyQ01oQoCOqInWEGdynuuzE+pT7ErPUsbxmfuhD
oNL48m0APO9D9ouda3tDhIr79pfIGFktsks8/wP3kCrWMkQ9CFLpHTSaZ2ykYjrZ
eL8QsWM4sY0lpBHDasYZwFkbrAtBYEjx/GvnnclbuPvMA5QMshiARvLfwsfOSYUA
nYpzla9fql2IEUaf/29nFwTR1hKj8FpWNB/sp9A/o9/0IgTbT+wMz4NnAgMBAAGj
TzBNMCEGA1UdEQQaMBiCC3RzZW5nLmw1LmNhgglsb2NhbGhvc3QwCQYDVR0TBAIw
ADAdBgNVHQ4EFgQUydiLIxfCuj81Cml8c1u5mFQJefcwDQYJKoZIhvcNAQELBQAD
ggEBAACwiQrwZ+M9cuxaWASyoV3X+2kd5zAvBPFIPFWo6R+mP8mYNxtylFIER1Gg
Dlo2fhbHL9A3yw49PbyLsDFGkZLQGVk4KevDOV+TqgdqPcI3uUVdMwaRf+XGWZ1p
Oln1c8FhZ5XMM1xGJesn/Fz5zc6nCAUDyzxfrR+Jf744/UOElP4ObkdSqgu/8Nbj
NMaAbHrHMyWh4LIjxYW4pOjewi/KP/VfIbP4wPHZno/EtaL6M4szafa7+3zhBumY
9Sxwx+9y/S7ExPRqHV1GvkzsB/15IFZRsc+Hdr9UJ4KVoi4zDW14D3rTvXAGNbis
0tF5eGSAsXd1Wm6yrh3Ccn+ZP2M=
-----END CERTIFICATE-----

I am running Chromium Version 63.0.3239.84 (Developer Build) built on Debian 9.3, running on Debian 9.3 (64-bit). I am also getting this error on my Android 6.0 phone when browsing via Google Chrome.

Why is Chromium complaining and not letting me proceed to my website?

The website: https://tseng.l5.ca
The CA certificate: http://tseng.l5.ca/CA.crt

回答1:

    Version: 1 (0x0)
    ...
    X509v3 extensions:
        X509v3 Subject Alternative Name:

I have no idea how you created this certificates. But essentially you've created a X509.1 certificate with X509v3 extension. But, these extensions are only valid for X509.3 and not X509.1 certificates. That's why Chrome correctly complains about an invalid certificate.



标签: ssl https chromium
举报

收藏的人(0)

Ta的文章 更多文章
登录 后发表评论
0条评论
还没有人评论过~