Saturday, September 3, 2016

SSL Certificate Warning with UCC Certificate and Multiple SANs



I am working with a client who wants to install SSL security for a couple pages on his site. He uses GoDaddy's shared hosting, and the current site we're working on is on a subdomain of the primary hosting account:




Example:



(Primary) www.coolsite.com
(New one) www.completelydifferent.com
www.someothersubdomain.com
www.anotherone.com


When he purchased the SSL certificate, he bought it for the primary domain (www.coolsite.com), even though the security is needed for the new domain (www.completelydifferent.com). This wasn't a huge issue, because I was able to add a Subject Alternative Name to the certificate to include the new domain. I checked both sites with an SSL checker, and they both seem to be working correctly.




However, I'm running into issues when I'm trying to use SSL. I have all references to the registration page being linked with an absolute URL (https://www.completelydifferent.com/register.php), but when I tested the link to verify the security, I got the following error:



This is probably not the site you are looking for!

You attempted to reach completelydifferent.com, but instead you actually reached a server
identifying itself as www.coolsite.com.

This may be caused by a misconfiguration on the server or by something more
serious. An attacker on your network could be trying to get you to visit a fake
(and potentially harmful) version of amazon.com. You should not proceed.



I'm not sure why I'm getting this error since I added the other Subject Alternative Name, so I don't know what to do to fix this. I do know, however, that users will likely be scared away from this scary looking red screen warning them of security leaks.



Is there a way to do it without requiring him to buy another SSL certificate?



EDIT: Here's a screenshot from the GoDaddy portal showing the SSL certificate. The two blurred URLs at the top are the primary domain, and the SAN at the bottom is the one where I want to use SSL.





Answer




When adding Subject Alternative Names to a certificate, the same rules as for the Common Name apply. The full domain name being used must exactly match one of them.



In your case, you're using the domain www.completelydifferent.com but the single SAN is only given as completelydifferent.com. This isn't close enough and will cause the browser warning you've seen. What confuses the matter is that the browser warnings (I think this is the same for all browsers) will show the CN of the certificate in the warning and not the SANs, so it gives the impression that the SAN isn't being read correctly.



Also useful: openssl is a command-line interface to the openssl library functions, and can be used to verify the certificate: openssl x509 -in cert.pem -text will show you the full text of the certificate file. (Some certificates include this text in the file)
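To make the matching rule from the answer concrete, here is an added example (not part of the original question or answer) that parses the CN and SAN entries out of an `openssl x509 -text` dump and checks a hostname against them the way a browser does. The certificate text is a constructed sample using the placeholder domains from the question; it also goes one step beyond the case above by handling wildcard names, which only cover a single left-most label.

```python
"""Check whether a hostname is covered by a certificate's names.

Added example, not code from the original post. SAMPLE_CERT_TEXT is a
constructed excerpt in the format produced by `openssl x509 -text`, using
the placeholder domains from the question.
"""
import re

# Constructed sample: CN=www.coolsite.com, with a SAN list that contains the
# bare completelydifferent.com but NOT www.completelydifferent.com.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Subject: OU=Domain Control Validated, CN=www.coolsite.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:www.coolsite.com, DNS:coolsite.com, DNS:completelydifferent.com
"""


def parse_names(cert_text):
    """Return (common_name, [SAN dNSName entries]) from `openssl x509 -text` output."""
    cn_match = re.search(r"Subject:.*?CN\s*=\s*([^,\n]+)", cert_text)
    common_name = cn_match.group(1).strip().lower() if cn_match else None
    san_match = re.search(r"X509v3 Subject Alternative Name:\s*\n\s*(.+)", cert_text)
    sans = []
    if san_match:
        for entry in san_match.group(1).split(","):
            entry = entry.strip()
            if entry.lower().startswith("dns:"):
                sans.append(entry[4:].strip().lower())
    return common_name, sans


def name_matches(pattern, hostname):
    """RFC 6125 style comparison: exact match, or a wildcard as the whole
    left-most label that covers exactly one label.

    A name never covers its parent or child domains, so
    'completelydifferent.com' does not match 'www.completelydifferent.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the entire left-most label, must not stand in for a
    # public suffix such as '*.com', and matches exactly one label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(hostname, cert_text):
    """True if the hostname is covered by the SANs (browsers ignore the CN
    once any SAN dNSName is present; the CN is only a fallback without SANs)."""
    common_name, sans = parse_names(cert_text)
    candidates = sans if sans else ([common_name] if common_name else [])
    return any(name_matches(c, hostname) for c in candidates)


if __name__ == "__main__":
    cn, sans = parse_names(SAMPLE_CERT_TEXT)
    print("CN  :", cn)
    print("SANs:", ", ".join(sans))
    for host in ("www.coolsite.com", "completelydifferent.com",
                 "www.completelydifferent.com"):
        status = "OK" if hostname_matches_cert(host, SAMPLE_CERT_TEXT) else "MISMATCH"
        print(f"{host:32} {status}")
```

Running it shows www.coolsite.com and completelydifferent.com as OK and www.completelydifferent.com as MISMATCH, which is exactly the browser's complaint. The fix is a SAN entry for www.completelydifferent.com (or a `*.completelydifferent.com` wildcard entry, which also covers only that one label and not the bare apex).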

