Missing non-www domain in SAN error on Chrome but not on Firefox, IE

This is not exactly a help request since I figured out the solution, I just don't understand the problem.

So I issued a cert for my page using certbot on the www domain. I use nginx and make a 301 redirect from non-www to www like this:

server {
    server_name h4o.dev;

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot

    # send every request for the bare domain to the www host, keeping the path
    return 301 $scheme://www.h4o.dev$request_uri;
}

It works on Firefox, Edge and Safari on both the www and non-www domain. However, Chrome reports CERT_COMMON_NAME_INVALID if I try to access the non-www domain. I understand this as the certificate being only valid for the www domain; I fixed it by adding the non-www domain to the cert.

It seems kind of logical to me that this prevents the web server from just redirecting the client anywhere. But why does only Chrome have this behaviour? Does this mean other browsers have a security issue?

Welcome to the Let's Encrypt Community Forum @haoadoreorange

From here CSR Decoder and Certificate Decoder I see your cert is for:
Subject CN=www.h4o.dev
SANs h4o.dev, www.h4o.dev

So your certificate is only for h4o.dev and www.h4o.dev
When I try bbb.h4o.dev on Chrome and Firefox both fail as they should.

Did you remove any lines from that server block?
If not, then it has no cert.

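The two posts above turn on one question: which names a certificate's subjectAltName actually covers, and whether the name the browser typed in (h4o.dev, www.h4o.dev, or the test name bbb.h4o.dev) is among them. The Python below is an added example, not code from the thread or from any browser; it models the SAN-only rule Chrome applies (and that RFC 6125 recommends), where the requested host must match a dNSName entry in the subjectAltName extension and the Subject CN is not consulted. It goes slightly beyond the thread by also implementing the single-label wildcard rule. The SAN lists are constructed for the example: CERT_BOTH_NAMES mirrors the decoded certificate quoted in the reply, CERT_WWW_ONLY stands for the original www-only certificate described in the question.

```python
"""
SAN-based host name matching, as a browser applies it to a server certificate.

Added example, not code from the forum thread. It models the rule that the
presented host name must match a dNSName entry in subjectAltName (no fallback
to the Subject CN), plus the usual single-label wildcard rule.
"""
from __future__ import annotations


def hostname_matches_san(hostname: str, san_dns_names: list[str]) -> bool:
    """Return True if hostname is covered by one of the dNSName SAN entries.

    Rules applied (RFC 6125 style):
      * comparison is case-insensitive and ignores a trailing dot;
      * an exact label-by-label match succeeds;
      * a wildcard is honoured only as the entire left-most label ('*.h4o.dev'),
        matches exactly one label, and never matches the bare parent name
        (so '*.h4o.dev' covers 'www.h4o.dev' but not 'h4o.dev' or 'a.b.h4o.dev').
    """
    host = hostname.rstrip(".").lower()
    if not host or any(not label for label in host.split(".")):
        return False  # empty or malformed name (e.g. 'h4o..dev') never matches
    host_labels = host.split(".")
    for entry in san_dns_names:
        entry_labels = entry.rstrip(".").lower().split(".")
        if len(entry_labels) != len(host_labels):
            continue  # a wildcard covers exactly one label, so counts must agree
        first, rest = entry_labels[0], entry_labels[1:]
        if rest != host_labels[1:]:
            continue  # everything right of the first label must match exactly
        if first == host_labels[0]:
            return True
        # Wildcard only as the whole left-most label, and only when at least two
        # further labels remain, so that '*.dev' style entries are rejected.
        if first == "*" and len(entry_labels) >= 3:
            return True
    return False


def check_redirect_setup(names_served: list[str], san_dns_names: list[str]) -> dict[str, bool]:
    """For every host name a server block answers on, report whether a
    certificate with the given SANs would pass host name matching for it."""
    return {name: hostname_matches_san(name, san_dns_names) for name in names_served}


# Constructed SAN lists for the example.
CERT_BOTH_NAMES = ["h4o.dev", "www.h4o.dev"]  # as decoded in the reply above
CERT_WWW_ONLY = ["www.h4o.dev"]               # the original www-only certificate

if __name__ == "__main__":
    names = ["h4o.dev", "www.h4o.dev", "bbb.h4o.dev"]
    for label, sans in (("www-only cert", CERT_WWW_ONLY), ("cert with both names", CERT_BOTH_NAMES)):
        print(label, check_redirect_setup(names, sans))
```

With the www-only list, h4o.dev fails and www.h4o.dev passes, which is the mismatch the question describes; with both names present only bbb.h4o.dev fails, matching the reply's test. To see what a live server really presents for the bare name (the redirect is never reached if the handshake fails first), run `openssl s_client -connect h4o.dev:443 -servername h4o.dev </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName` and compare the listed dNSName entries with the name you requested.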
