Access Expedition GUI Using Google Chrome

Printer Friendly Page

Access Expedition GUI Using Google Chrome with Certification Error

 

Symptoms

Can't access Expedition GUI using Google chrome, error message 'NET::ERR_CERT_COMMON_NAME_INVALID' displayed as below screenshot, and you are not able to proceed to the website. 

Please note: It's best practice to not proceed to the site failed on certificate error only when self-signed cert is used in Expedition and you confirmed it's safe to proceed to the site.

 

View of Chrome Error - NET::ERR_CERT_COMMON_NAME_INVALIDView of Chrome Error - NET::ERR_CERT_COMMON_NAME_INVALID

Diagnosis

For Google Chrome 58 and later, only the subjectAlternativeName extension, not commonName, is used to match the domain name and website certificate. If the certificate doesn’t have the correct subjectAlternativeName extension, users get a NET::ERR_CERT_COMMON_NAME_INVALID error letting them know that the connection isn’t private and will not provide you an option to proceed to the URL.

 

Please see the article for more details: https://support.google.com/chrome/a/answer/7391219?hl=en

 

Solution

Perform the below steps to re-install the self-signed certification with subjectAltName in Expedition:

  1. SSH to Expedition

  2. cd to /tmp

  3. Modify req.conf by issue below command:

    $ sudo vi req.conf

copy and past below section in req.conf, modify attributes in the file to match your organization

........................................................................................

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US ( Replace this with your county name)

ST = VA  ( Replace this with your state name)
L = SomeCity  ( Replace this with your city name)
O = MyCompany ( Replace this with your company name)
OU = MyDivision ( Replace this with your organization name)
CN = 192.168.44.131 ( Replace this IP with your Expedition IP )
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = 192.168.44.131 ( Replace this IP with your Expedition IP )
DNS.2 = company.com 
DNS.3 = company.net

........................................................................................

      saves the changes with ESC :wq!

 

  1. Issue below commands in order:

    $ sudo openssl genrsa -out server.key 3072 -config req.conf
    $ sudo openssl req -new -x509 -key server.key -sha256 -out certificate.pem -days 730 -config req.conf

    $ sudo cp server.key /etc/ssl/certs/
    $ sudo cp certificate.pem /etc/ssl/certs/

 

  1. Modify the default-ssl.conf by issue below command:

    $ sudo vi /etc/apache2/sites-enabled/default-ssl.conf 

    Find below two lines in the default-ssl.conf and replace the path 

    SSLCertificateFile   /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key 

     

    with 

     

    SSLCertificateFile   /etc/ssl/certs/certificate.pem
    SSLCertificateKeyFile /etc/ssl/certs/server.key

     

    saves the changes with ESC :wq

 

  1. Restart Apache by issue below command:

    $ sudo systemctl restart apache2

 

  1. Try access the Expedition GUI again

    Google chrome should now present you an option under "Advanced" to proceed to the URL. 
Tags (2)
Comments

I ran into this issue, but the above method did not work for me as I ran into errors from openssl on generating the certificate. It didn't like something in the request file. So I accomplished the above using the command below which takes you through a set of interactive prompts:

 

sudo openssl req -x509 -nodes -days 730 -newkey rsa:3072 -keyout /etc/ssl/private/server.key -out /etc/ssl/certs/certificate.pem

 

I then ran through the rest of the commands above to replace the default certificate with a self-signed certificate that was generated. And then I opened Google Chrome to go to the webpage for Expedition and alas, it DIDN'T work! I got the same error as before:


NET::ERR_CERT_INVALID website sent scrambled credentials Self-signed Certificate

 

And no option to proceed. Well, this was frustrating, especially after checking this on Firefox and seeing that it works. After googling this around, I came up on a solution that I hope would help others here. When you hit the webpage for Expedition using Google Chrome and come across this error without an option to proceed, just type:

 

badidea

 

or:

 

thisisunsafe

 

And voila! The webpage will come right up. Hope this helps!

Quick fix:

The proper key name for  "T = VA" is ST (state).

As-is, you'll get this error:
x509 certificate routines:X509_NAME_ENTRY_create_by_txt:invalid field name:x509name.c:295:name=T