ERR_CERT_COMMON_NAME_INVALID on specific environments

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: evoo2.commerceowl.com

I ran this command: Node app using Greenlock-express (https://git.rootprojects.org/root/greenlock-express.js)

My web server is (include version): Node.js using Greenlock-express (https://git.rootprojects.org/root/greenlock-express.js)

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Using greenlock-express not certbot (https://git.rootprojects.org/root/greenlock-express.js)

In a very specific environment, I’m getting this error in Chrome: Net::ERR_CERT_COMMON_NAME_INVALID

The common name in the cert is: *.commerceowl.com

Any help would be appreciated.

It works for me. What environments is it failing in?

Can you maybe post a screenshot of Chrome’s certificate details dialog?

Yes, please press the “Advanced” button so we can see the detail of the error as below:

You can also click on the NET::ERR_CERT_COMMON_NAME_INVALID text to show even more details.


I DID NOT KNOW THAT what the heck :exploding_head: Thanks for the tip!


Wow, I also didn’t know that and that’s super-useful!


Hi @hgezim

There is an error. But that error doesn’t produce this error message.

You have a DNS entry www.evoo2.commerceowl.com. This www-subdomain doesn’t work with your certificate, because a *.commerceowl.com works only with three domain labels, not with four.

But connecting to that subdomain doesn’t work: there is a SendFailure error, the webserver closes the connection. Firefox has PR_END_OF_FILE_ERROR, Chrome shows an ERR_CONNECTION_CLOSED.

That’s an error (solution: Remove your www entry), but not the situation of your error. There are no other errors visible (mixed content).

What’s that environment?


Clicking on the error, it shows that the certificate has been replaced by this thing:

Subject: *.logicnow.us

Issuer: RapidSSL TLS RSA CA G1

Appears to be some sort of a “security” tool. Anyone know about SolarWinds and why they’re doing this MITM silliness?

Well… At a guess, there’s web filtering software installed on the computer / network / DNS resolver, and your (sub)domain is being blocked.

Presumably, blocked websites are MITMed with some web page that provides more information.

You might try accessing the site over HTTP, or clicking through the security warning in private browsing mode – with the attendant risks, of course.

At best, your domain is accurately categorized but the network is configured to block broad categories of legitimate domains (like “e-commerce” or something). At worst, the domain is miscategorized as malicious.

By nature, TLS stops MITM attacks even when they’re “benign”. In something like a corporate environment where the IT department has full control of the computers, they can install a custom root CA or custom software so that the block page can load without a certificate error. Maybe this network doesn’t, or it’s misconfigured.

(Or perhaps it’s a different sort of MITM attack disguised as “legitimate” web filtering.)
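An added example (not code from this thread, from Greenlock or from Let’s Encrypt) that reproduces both rejection cases discussed above: the four-label www name that a *.commerceowl.com wildcard cannot cover, and the substituted *.logicnow.us certificate that names the site not at all. The matching rules follow RFC 6125 as browsers apply them; the expected-names list and the sample hostnames are constructed for illustration.

```python
def hostname_matches(cert_name: str, hostname: str) -> bool:
    """Match one certificate name (CN or SAN dNSName) against a hostname,
    following the browser rules in RFC 6125: a wildcard must be the whole
    left-most label and stands in for exactly one label, so
    '*.commerceowl.com' covers 'evoo2.commerceowl.com' (3 labels) but not
    'www.evoo2.commerceowl.com' (4 labels) or the bare 'commerceowl.com'."""
    c_labels = cert_name.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(c_labels) != len(h_labels) or "" in h_labels:
        return False
    if c_labels[0] == "*":
        # Refuse wildcards that would cover a whole TLD, e.g. '*.com'
        if len(c_labels) < 3:
            return False
        return c_labels[1:] == h_labels[1:]
    if any("*" in label for label in c_labels):
        return False  # partial-label wildcards such as 'ev*.commerceowl.com'
    return c_labels == h_labels


def classify_cert_error(hostname: str, presented_names: list[str],
                        expected_names: list[str]) -> str:
    """Triage a browser name mismatch the way a defender would.

    presented_names: names in the certificate the browser actually received.
    expected_names:  names the site's own certificate carries (constructed
                     here; in practice from your records or a CT log lookup)."""
    if any(hostname_matches(n, hostname) for n in presented_names):
        return "ok"
    if any(hostname_matches(n, hostname) for n in expected_names):
        # The real certificate would have matched, so something on the
        # network path replaced it (filtering proxy or other interception).
        return "swapped-certificate"
    # Neither certificate covers the name: the site's own cert is the problem
    return "hostname-not-covered"


if __name__ == "__main__":
    SITE_CERT = ["*.commerceowl.com"]    # the site's certificate, per the thread
    FILTER_CERT = ["*.logicnow.us"]      # certificate seen on the failing network
    for host, seen in [("evoo2.commerceowl.com", SITE_CERT),
                       ("evoo2.commerceowl.com", FILTER_CERT),
                       ("www.evoo2.commerceowl.com", SITE_CERT)]:
        print(host, seen, "->", classify_cert_error(host, seen, SITE_CERT))
```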
