This is not exactly a help request since I figured out the solution; I just don't understand the problem.
So I issued a cert for my page using certbot on the www domain. I use nginx and make a 301 redirect from non-www to www like this:
```
server {
    server_name h4o.dev;
    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    # Redirect the non-www host to www, keeping scheme and request path
    return 301 $scheme://www.h4o.dev$request_uri;
}
```
It works on Firefox, Edge, Safari on both the www and non-www domains. However, Chrome reports CERT_COMMON_NAME_INVALID if I try to access the non-www domain. I understand this to mean the certificate is only valid for the www domain; I fixed it by adding the non-www domain to the cert.
It seems kinda logical to me that this prevents the web server from just redirecting the client anywhere. But why does only Chrome have this behaviour? Does this mean other browsers have a security issue?
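
Added example (not part of the original post, and not certbot's or any browser's code): a simplified model of the hostname check a TLS client runs against a certificate's SAN entries, showing that the check for `h4o.dev` happens before the 301 from the server block can be delivered. It goes slightly beyond the post by including the wildcard case; the SAN lists passed in are constructed sample values and the function names are hypothetical.

```python
# Added example: simplified DNS-ID matching in the style of RFC 6125.
# It models the check only; it is not a replacement for a TLS library's verifier.

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")


def san_matches(pattern, hostname):
    """True if one dNSName SAN entry covers the requested hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False  # "*" never spans several labels or zero labels
    if p[0] == "*":
        # Assumption: the wildcard is accepted only as the whole leftmost
        # label and never directly under a top-level label ("*.dev").
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_covers(san_list, hostname):
    """True if any SAN entry of the presented certificate covers hostname."""
    return any(san_matches(s, hostname) for s in san_list)


def handshake_then_redirect(san_list, hostname):
    """Model the order of events for https://<hostname>/ on the server block above."""
    # Step 1: the certificate is checked against the name the client asked
    # for, before any HTTP request is sent over the connection.
    if not cert_covers(san_list, hostname):
        return "TLS error: name mismatch (no HTTP response is read)"
    # Step 2: only now does the client see the 301 from nginx.
    if hostname == "h4o.dev":
        return "301 -> https://www.h4o.dev/"
    return "200"


if __name__ == "__main__":
    cases = [
        ("www-only cert", ["www.h4o.dev"]),
        ("cert with both names", ["www.h4o.dev", "h4o.dev"]),
        ("wildcard-only cert", ["*.h4o.dev"]),  # does not cover the bare domain
    ]
    for label, sans in cases:
        print(f"{label:22} h4o.dev -> {handshake_then_redirect(sans, 'h4o.dev')}")
```
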