This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Who rated this article

Access Expedition GUI Using Google Chrome

lychiang
L6 Presenter

‎03-25-2020 10:06 AM - edited ‎05-15-2020 06:23 AM

No ratings

Access Expedition GUI Using Google Chrome with Certification Error

 

Symptoms

Can't access Expedition GUI using Google chrome, error message 'NET::ERR_CERT_COMMON_NAME_INVALID' displayed as below screenshot, and you are not able to proceed to the website. 

Please note: It's best practice to not proceed to the site failed on certificate error only when self-signed cert is used in Expedition and you confirmed it's safe to proceed to the site.

 

View of Chrome Error - NET::ERR_CERT_COMMON_NAME_INVALIDView of Chrome Error - NET::ERR_CERT_COMMON_NAME_INVALID

Diagnosis

For Google Chrome 58 and later, only the subjectAlternativeName extension, not commonName, is used to match the domain name and website certificate. If the certificate doesn’t have the correct subjectAlternativeName extension, users get a NET::ERR_CERT_COMMON_NAME_INVALID error letting them know that the connection isn’t private and will not provide you an option to proceed to the URL.

 

Please see the article for more details: https://support.google.com/chrome/a/answer/7391219?hl=en

 

Solution

Perform the below steps to re-install the self-signed certification with subjectAltName in Expedition:

  1. SSH to Expedition

  2. cd to /tmp

  3. Modify req.conf by issue below command:

    $ sudo vi req.conf

copy and past below section in req.conf, modify attributes in the file to match your organization

........................................................................................

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US ( Replace this with your county name)

ST = VA  ( Replace this with your state name)
L = SomeCity  ( Replace this with your city name)
O = MyCompany ( Replace this with your company name)
OU = MyDivision ( Replace this with your organization name)
CN = 192.168.44.131 ( Replace this IP with your Expedition IP )
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = 192.168.44.131 ( Replace this IP with your Expedition IP )
DNS.2 = company.com 
DNS.3 = company.net

........................................................................................

      saves the changes with ESC :wq!

 

  1. Issue below commands in order:

    $ sudo openssl genrsa -out server.key 3072 -config req.conf
    $ sudo openssl req -new -x509 -key server.key -sha256 -out certificate.pem -days 730 -config req.conf

    $ sudo cp server.key /etc/ssl/certs/
    $ sudo cp certificate.pem /etc/ssl/certs/

 

  1. Modify the default-ssl.conf by issue below command:

    $ sudo vi /etc/apache2/sites-enabled/default-ssl.conf 

    Find below two lines in the default-ssl.conf and replace the path 

    SSLCertificateFile   /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key 

     

    with 

     

    SSLCertificateFile   /etc/ssl/certs/certificate.pem
    SSLCertificateKeyFile /etc/ssl/certs/server.key

     

    saves the changes with ESC :wq

 

  1. Restart Apache by issue below command:

    $ sudo systemctl restart apache2

 

  1. Try access the Expedition GUI again

    Google chrome should now present you an option under "Advanced" to proceed to the URL. 
Rate this article:
(1)
Who rated this article
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks