Score:2

Generate self-signed certificate for Firefox to accept

mt flag

I'm setting up an internal testing network, and I want Firefox to accept my self-signed certificates. Specifically, I'm trying to configure a certificate for nginx so I can use MyTestNetwork.dev and *.MyTestNetwork.dev.

Here is how I'm generating my certificates:

rm rootCA.* MyTestNetwork.dev.*

# Generate rootCA
openssl genrsa -out rootCA.key 4096
openssl req -x509 -new -subj="/C=US/ST=CA/O=MyTestNetwork/CN=MyTestNetwork.dev" -addext 'subjectAltName=DNS:MyTestNetwork.dev,DNS:*.MyTestNetwork.dev' -nodes -key rootCA.key -sha256 -days 365 -out rootCA.crt

# Generate Server Certificates
openssl genrsa -out MyTestNetwork.dev.key 2048
openssl req -new -sha256 -key MyTestNetwork.dev.key -subj="/C=US/ST=CA/O=MyTestNetwork/CN=*.MyTestNetwork.dev" -addext 'subjectAltName=DNS:MyTestNetwork.dev,DNS:*.MyTestNetwork.dev' -out MyTestNetwork.dev.csr
openssl x509 -req -in MyTestNetwork.dev.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out MyTestNetwork.dev.crt -days 365 -sha256

And here is the SSL setup in nginx:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate /etc/ssl/certs/MyTestNetwork.dev.crt;
    ssl_certificate_key /etc/ssl/certs/MyTestNetwork.dev.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    ssl_dhparam /etc/ssl/certs/dhparam;

    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    # add_header Strict-Transport-Security "max-age=63072000" always;
    add_header Strict-Transport-Security "max-age=0;";

    # replace with the IP address of your resolver
    resolver 127.0.0.1;

    location / {
        proxy_pass http://$host$request_uri;
    }

}

There are two specific issues I'm facing:

  1. Even when importing the rootCA.crt into Firefox via the "Import Certificates" setting in about:preferences#privacy, I get an error:

Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for dns.MyTestNetwork.dev.

Error code: SSL_ERROR_BAD_CERT_DOMAIN

Even though I have the correct DNS record for that server (that domain hosts the dashboard for the DNS server I'm using).

  2. I cannot curl MyTestNetwork.dev, as I get this error:

curl: (60) SSL: certificate subject name '*.MyTestNetwork.dev' does not match target host name 'MyTestNetwork.dev' More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.

Even though I create the certificate with the multiple SANs.

Any help is appreciated!

djdomi avatar
za flag
Why don't you use Let's Encrypt - it's free of charge?
jabbson avatar
sb flag
I don't believe that subjectAltName extension will propagate from csr to crt, could you run `openssl x509 -in MyTestNetwork.dev.crt -noout -text` and see if you have the alt names?
Axel Persinger avatar
mt flag
@djdomi I'm not interested in buying the domain for my test networks :)
Axel Persinger avatar
mt flag
@jabbson That's exactly what was happening! Thank you! I had to do some more googling in order to get the correct syntax.
dave_thompson_085 avatar
jp flag
@jabbson+ historically `openssl x509 -req` did not copy extensions. Release 3.0.x last year, now moderately common but far from universal, has an _option_ `-copy_extensions {copy|copyall}` to do so.
Score:2
mt flag

The issue is that, as @jabbson pointed out, my subjectAltName was not propagating from the CSR to the certificate because of my syntax. The correct syntax is:

# Generate rootCA
openssl genrsa -out config/CA/rootCA.key 4096
openssl req -new -x509 -days 365 -key config/CA/rootCA.key -subj="/C=RH/ST=RT/O=MyTestNetwork/CN=MyTestNetwork CA" -out config/CA/rootCA.crt
# Generate server certificate
openssl req -newkey rsa:2048 -nodes -keyout config/CA/${DOMAIN}.key -subj="/C=RH/ST=RT/O=MyTestNetwork/CN=*.mytestnetwork.dev" -out config/CA/${DOMAIN}.csr
openssl x509 -req -extfile <(printf "subjectAltName=DNS:mytestnetwork.dev,DNS:*.mytestnetwork.dev") -days 365 -in config/CA/${DOMAIN}.csr -CA config/CA/rootCA.crt -CAkey config/CA/rootCA.key -CAcreateserial -out config/CA/${DOMAIN}.crt