Browser error : net::err_cert_common_name_invalid

Osiris · June 21, 2022, 9:22am

Interesting, I wouldn't have found it there.

OlammieAO · June 21, 2022, 9:22am

@Osiris, i think @webprofusion is a programmer as well and he used the programming skill to get that. There is a way we can get programming log from the browser which I purposely logged there to the browser console in my program code. The frontend do talk to the backend server which we call API, i was using the backend server IP address on which the backend code runs to communicate with the frontend and it is in that backend server code that the Letsencrypt certificate is used.

Thank you @Osiris, @webprofusion an everyone. I will try use the server DNS name and see what I get but i still can't understand why the browser sees the domain as invalid even when no server call is made.

OlammieAO · June 21, 2022, 3:26pm

@Osiris @webprofusion I have changed the API to the DNS of the server where the backend server API runs and CORS error still persist. See screenshot for your reference

Please dont be deceived by the lock sign at the browser url, it appeared because I had accepted to proceed anyway when the browser warned but the SSL Certificate remain invalid thus making the call to the API invalid even after changing the API call to DNS at the frontend.

I am wondering why would the certificate be seen as invalid by browsers even when it is not expired yet?

MikeMcQ · June 21, 2022, 3:40pm

Your request to:

https://ec2-52-87-25-92.compute-1.amazonaws.com:8184/v1/greetme

returns a cert with the domain name aiimmaglobal.com which does not match the domain name in the request (ec2-52 ...)

The message in red relates to CORS rules which is not related to certs.

echo | openssl s_client -connect ec2-52-87-25-92.compute-1.amazonaws.com:8184
Certificate chain
 0 s:CN = aiimmaglobal.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3

OlammieAO · June 21, 2022, 4:25pm

@MikeMcQ Chrome browser tells you why the error occurs and it makes it specific what exactly it is. The SSL without calling any API shows not secure even as it is "https" before attempting to login and besides the DNS

ec2-52-87-25-92.compute-1.amazonaws.com

with the port 8184 is running with the domain aiimmaglobal.com generated certificate key file and cert file.

The error displayed at the inspect toolbar of the browser specifically said it is an error of INVALID NAME from the certificate if you can see from the screenshot of this thread.

MikeMcQ · June 21, 2022, 5:01pm

Thanks for showing the actual problem. I can't reproduce that error with chrome. Maybe the version matters?

In any case, your error message shows the domain name you requested is ec2-52-87-25-92.computer-1.amazonaws.com. But, the cert returned is for that request only has your domain aiimmaglobal.com and the www name. The cert does not contain the ec2 domain name you requested so is invalid.

What happens when you click on the "Not secure" icon in the address bar. It should give more info and also option to see cert. Show what those say

webprofusion · June 22, 2022, 1:10am

AS @MikeMcQ says your API call is using your server DNS name, but it should be using your actual real domain name that you have on your certificate. The https request must return a certificate with a name that matches the domain used to make the request, so for example you still need to use https://aiimmaglobal.com:8184/api/v1/greetme instead of https://ec2-52-87-25-92.compute-1.amazonaws.com:8184/api/v1/greetme for the call to work. Otherwise the certificate does not match the requested domain.

Note also that chrome will remember you have accepted the invalid cert, so to try it without that open a new Incognito tab.

rg305 · June 22, 2022, 3:10am

OR
include the FQDN:

in the cert along with your domain name.
[somewhat unconventional (and usually not recommended) - but it should also make things work]

OlammieAO · June 23, 2022, 8:00am

I thank everyone, everyone(@rg305 @webprofusion ) and everyone that assisted me in one way or the other in my project challenge and I feel glad and I appreciate your assistance so far. Your prompt response and zeal that drive your passion to help wowed me. I did as you guys have suggested/instructed here by calling my domain from the frontend instead of calling the server IP address or the server DNS. You guys are life safers for me because this is an error i have battling for weeks and i took it to different developers communities but people would just read and ignore because everything seemed right to them in the code and the server setup as I presented but when you guys said the browsers are looking main domain in the frontend calling the backend server APIs but not the server IP or server DNS, i knew I was talking to the right people.

I did as you guys advised and it worked.

Thank you so much

Thank you once again everyone. I appreciate you guys so much

system · July 23, 2022, 8:01am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.