O Firefox tem uma nova política que os certificados emitidos após 2016-08-23 precisam ter um campo SubjectAltName.
Nosso administrador criou um novo certificado para o nosso servidor rt. Desde então, recebo um erro SSL_ERROR_BAD_CERT_DOMAIN
no Firefox. No entanto, o site funciona a partir do Chrome e curl.
O certificado é assinado por nossa CA interna (freeipa), para a qual instalei o certificado público em minha máquina. Outros sites assinados por nossa CA interna funcionam corretamente.
Aqui está a informação de depuração do Firefox:
https://rt.lsd.co.za/
Unable to communicate securely with peer: requested domain name does not match the server’s certificate.
HTTP Strict Transport Security: false
HTTP Public Key Pinning: false
Certificate chain:
-----BEGIN CERTIFICATE-----
MIIDizCCAnOgAwIBAgICAK4wDQYJKoZIhvcNAQELBQAwNDESMBAGA1UEChMJTFNE
LkNPLlpBMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcwMjAx
MDkxMDMxWhcNMTkwMjAyMDkxMDMxWjArMRIwEAYDVQQKEwlMU0QuQ08uWkExFTAT
BgNVBAMTDHJ0LmxzZC5jby56YTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAJdKUrTlEard+EeNNUC914CRMUWfQbDRq51KZo/8BRmLguKqkBoUuPqzHopy
v4/pN1i14uECfHuWu1Bw9aL20w1tmReFIBX6/oE9d0rFrt7+b3Fvri4PjGiuE6Ss
12Y8XAzlDSmUuIrRAdOn3Q6sZXKazxmBXnuR1uB0CGYxvArDrW544WNTPu0tFkkz
ZAnCQ++nnnTTgWqEVT/uOGucPrr3YBIPtcg5THJmO5PxQhBEwY/e55xFSNzGmuGI
7AOShUheJne0INW9YatFa9hTFhd+VWcpG/cogi5YS86LBQ1gulCn2UanGKePjUxD
NnEZsM/BXTZBvP0HtgBe1tas610CAwEAAaOBrzCBrDAfBgNVHSMEGDAWgBQlfxhn
0LE+dcgfqJCcZj2dGhzYgzA7BggrBgEFBQcBAQQvMC0wKwYIKwYBBQUHMAGGH2h0
dHA6Ly9kb24ubHNkLmNvLnphOjgwL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUJIYdQNTs9kan
MIHZ9r3VbK1fGbgwDQYJKoZIhvcNAQELBQADggEBABlmrBze/eIeb89IhwmnaycF
zNoXVIbzpZOy8qEvzBWqz85KN2YTGYqxLVku3dUxmJZh+XD4BHMT24hVKs28fqFx
zZEno0tJjXkOWadhTlHzDe5YPs+yVbWXb0xe65gLghwuTLH+PSXfj7dwMM9CVSM2
Ik0Ijcw8XXxcwnTu8V+7gHS97LP8rsYa/FvqBJikTVKrTo4FPpULYAiXYNSZcddb
KvujWAZFDViCBwebbKRZBuU3jJV9vSK7ZfLelRFf0HcUGyWJYkF8lmRlg994X8jf
FvwLfuUzeiSeVlidZXlrSOZihojBcLqC2PwutlQUVFccA+9gpnqBc50hlaPzb+I=
-----END CERTIFICATE-----
A versão do Firefox é 51 em execução no Arch linux.
Aqui está a saída de openssl s_client
:
openssl s_client -connect rt.lsd.co.za:443 -servername rt.lsd.co.za
CONNECTED(00000003)
depth=1 O = LSD.CO.ZA, CN = Certificate Authority
verify return:1
depth=0 O = LSD.CO.ZA, CN = rt.lsd.co.za
verify return:1
---
Certificate chain
0 s:/O=LSD.CO.ZA/CN=rt.lsd.co.za
i:/O=LSD.CO.ZA/CN=Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDizCCAnOgAwIBAgICAK4wDQYJKoZIhvcNAQELBQAwNDESMBAGA1UEChMJTFNE
LkNPLlpBMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcwMjAx
MDkxMDMxWhcNMTkwMjAyMDkxMDMxWjArMRIwEAYDVQQKEwlMU0QuQ08uWkExFTAT
BgNVBAMTDHJ0LmxzZC5jby56YTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAJdKUrTlEard+EeNNUC914CRMUWfQbDRq51KZo/8BRmLguKqkBoUuPqzHopy
v4/pN1i14uECfHuWu1Bw9aL20w1tmReFIBX6/oE9d0rFrt7+b3Fvri4PjGiuE6Ss
12Y8XAzlDSmUuIrRAdOn3Q6sZXKazxmBXnuR1uB0CGYxvArDrW544WNTPu0tFkkz
ZAnCQ++nnnTTgWqEVT/uOGucPrr3YBIPtcg5THJmO5PxQhBEwY/e55xFSNzGmuGI
7AOShUheJne0INW9YatFa9hTFhd+VWcpG/cogi5YS86LBQ1gulCn2UanGKePjUxD
NnEZsM/BXTZBvP0HtgBe1tas610CAwEAAaOBrzCBrDAfBgNVHSMEGDAWgBQlfxhn
0LE+dcgfqJCcZj2dGhzYgzA7BggrBgEFBQcBAQQvMC0wKwYIKwYBBQUHMAGGH2h0
dHA6Ly9kb24ubHNkLmNvLnphOjgwL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUJIYdQNTs9kan
MIHZ9r3VbK1fGbgwDQYJKoZIhvcNAQELBQADggEBABlmrBze/eIeb89IhwmnaycF
zNoXVIbzpZOy8qEvzBWqz85KN2YTGYqxLVku3dUxmJZh+XD4BHMT24hVKs28fqFx
zZEno0tJjXkOWadhTlHzDe5YPs+yVbWXb0xe65gLghwuTLH+PSXfj7dwMM9CVSM2
Ik0Ijcw8XXxcwnTu8V+7gHS97LP8rsYa/FvqBJikTVKrTo4FPpULYAiXYNSZcddb
KvujWAZFDViCBwebbKRZBuU3jJV9vSK7ZfLelRFf0HcUGyWJYkF8lmRlg994X8jf
FvwLfuUzeiSeVlidZXlrSOZihojBcLqC2PwutlQUVFccA+9gpnqBc50hlaPzb+I=
-----END CERTIFICATE-----
subject=/O=LSD.CO.ZA/CN=rt.lsd.co.za
issuer=/O=LSD.CO.ZA/CN=Certificate Authority
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1622 bytes and written 454 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 04A8B44739CA7D3FE553734AF99193176A5A849784AE03DBD6C87ABA7FA5DACC
Session-ID-ctx:
Master-Key: 153EF67A35CE63E1BA4317424B1A2ABFD17C26CCE2E78A3ED215979B383A0ABCF4D5BC035ABFC1F6BF11780AC1836FAC
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 28 83 96 6e ba 76 6f d6-58 dd 27 78 29 92 94 3d (..n.vo.X.'x)..=
0010 - 39 be 32 04 02 9a 8c 56-3f f9 49 c2 87 14 31 a5 9.2....V?.I...1.
0020 - 74 ef ce 06 4c b8 99 fe-35 90 f1 07 29 0b 60 f7 t...L...5...).'.
0030 - 51 b0 2d 78 5d 6a 7c 84-ca 4d 51 d0 d2 ae 9b 2e Q.-x]j|..MQ.....
0040 - 8f f5 79 8a ab c3 3c bb-66 fc 51 5c a3 10 ca 1f ..y...<.f.Q\....
0050 - f2 1d c5 59 4e 98 e4 9e-89 27 15 d0 89 86 e8 23 ...YN....'.....#
0060 - 85 f5 78 f4 48 26 9f 96-f5 27 01 fc c2 e2 c5 c7 ..x.H&...'......
0070 - 76 bf 35 f1 25 23 b9 fe-c5 93 30 1c 26 94 fa 81 v.5.%#....0.&...
0080 - b8 5f d1 06 50 9e 98 85-54 08 7f e6 07 16 1c 20 ._..P...T......
0090 - 96 1c 23 6c fb 21 0f 3c-f6 62 97 e5 81 63 71 95 ..#l.!.<.b...cq.
00a0 - c9 15 49 72 c1 33 d5 db-96 de cc a2 65 4e d2 de ..Ir.3......eN..
00b0 - fb ce 73 25 3c 65 2d 7c-a8 60 68 93 fe e2 67 5c ..s%<e-|.'h...g\
00c0 - 78 59 72 43 4b ba e2 68-9f 69 1e 8a 11 40 25 2c xYrCK..h.i...@%,
Start Time: 1486113094
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Estou perdido para tentar descobrir o que está errado. Alguma dica?
Certificado público para nossa CA:
-----BEGIN CERTIFICATE-----
MIIDhTCCAm2gAwIBAgIBATANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKEwlMU0Qu
Q08uWkExHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xMjEyMDYx
NDE1NTJaFw0yMDEyMDYxNDE1NTJaMDQxEjAQBgNVBAoTCUxTRC5DTy5aQTEeMBwG
A1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEA3khFpt0gCbxomAx/MLRhdjWBjchbIqXDyPc8nLSNlHBJYhYy
HTdc6eyTf1j6jSY4jLwYH2brW7crZNgTwpW4SukjvF1tUK+ABwiAueZnMXIJR9fE
azigc4gQpMbfH9EXK514kmX1MkFncIAYbIOgBy2UGEFrkWVEFs64DP/0WiC2DxLV
mSiw+p8QX2qYVK57ROfJV98pf5B2nc8UvOaVLwU1LgYy7ydipH9q9ztU7CvHaNoO
Xow6zY0BlkNFH6b6sM9HwQzlPfIy7xDSefPD7t8MrzyFZ53Yy3M4ob+6JkxIz+iF
knidHAf/kBSSg6bM3F4e5DjLRFDiz3ens+TEiQIDAQABo4GhMIGeMB8GA1UdIwQY
MBaAFCV/GGfQsT51yB+okJxmPZ0aHNiDMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0P
AQH/BAQDAgHGMB0GA1UdDgQWBBQlfxhn0LE+dcgfqJCcZj2dGhzYgzA7BggrBgEF
BQcBAQQvMC0wKwYIKwYBBQUHMAGGH2h0dHA6Ly9kb24ubHNkLmNvLnphOjgwL2Nh
L29jc3AwDQYJKoZIhvcNAQELBQADggEBABgk6Zy8f7g1WD73g4DDjDTtDKtGlJcf
gsOhVgjmJks0riXCXsgsuxKFbH1Skro+v4DgrLSHQLgTxmZLywrfQvYYepxSU8V1
2O3WcbiNkN2txokv4LAiFUn5jdRAlKpUWw0413243mS2vblkXjKuPt4M6Yw1X7ZW
J/AYuZEDMtcfm5ZdxCkBSSFeAxOyGz14y+cNN+X7xPP0LugWaS9jz07Ao/BZkb4i
kgipkkS1v4gD75q5v18d2cwzpC9yF8p3797HfRWuaDqZ4v/Ym6XYa1N5UihmCt+x
5WBLufXj7gD+IY2cKaX4AKXQIqwH3PT9VxIjIhyV3Wuma4mUIvNYimw=
-----END CERTIFICATE-----
Com a ferramenta útil dos laboratórios Qualys SSL, não é difícil entender que existem MUITOS problemas com seu host e sua configuração. Relatório SSL: rt.lsd.co.za
Não apenas o certificado é fornecido para um domínio diferente (docker.lsd.co.za) como expirado.
o Serviço ainda oferece suporte a tecnologias quebradas, como SSL, RC4, sem Sigilo Direto.
Sugiro que dê uma boa olhada na sua pilha e atualize seus serviços.