SAN: domain name mismatch (Android 2 / Windows XP)


#1

I am using a SAN certificate to provide support for Android 2 and Windows XP. I was already using a Comodo certificate and it was working nicely. I tried to switch to LE but now I am getting an error about an incorrect domain name (screenshot - https://db.tt/T8OseNpg)

Server config is the same (I used certonly and installed the certificate manually) and when I decode the old (Comodo) and new (LE) certificates, I can’t see any difference (except for signature etc.).

Browser is getting correct certificate, but it is ignoring alternative domains.

Any ideas what am I doing wrong? Live example: https://www.jadi.cz (only without SNI - modern browsers are getting a different certificate)
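The symptom described in this post (the right certificate arrives, but its alternative names are ignored) is what a client that compares the hostname against the Common Name alone produces. The Python below is an added example, not code from the thread; the certificate fields and hostnames in it are constructed, and it contrasts a SAN-aware matcher with a CN-only one.

```python
# Constructed sample resembling the thread's situation: the Common Name is one
# shop's hostname, every other hostname is present only in subjectAltName.
SAMPLE_CERT = {
    "cn": "www.first-shop.example",
    "san": ["www.first-shop.example", "www.jadi.cz", "m.jadi.cz",
            "*.second-shop.example"],
}

def _match_pattern(pattern, host):
    """Match one dNSName entry against a host the way RFC 6125 describes:
    case-insensitive, trailing dot ignored, a single '*' allowed only as the
    whole left-most label, and the wildcard never spans a dot."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    plabels, hlabels = pattern.split("."), host.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]

def matches_san_aware(host, cert):
    """What a SAN-aware client does: when any dNSName entry is present the
    subjectAltName list is authoritative and the CN is not consulted at all."""
    if cert["san"]:
        return any(_match_pattern(p, host) for p in cert["san"])
    return _match_pattern(cert["cn"], host)

def matches_cn_only(host, cert):
    """What a client that ignores subjectAltName effectively does: compare the
    host against the Common Name alone. Every name that exists only in the SAN
    list then fails with a 'domain name mismatch'."""
    return _match_pattern(cert["cn"], host)

def explain(host, cert):
    """Return (san_aware_result, cn_only_result) so both behaviours can be
    compared for one hostname."""
    return matches_san_aware(host, cert), matches_cn_only(host, cert)
```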


#2

could you show a shot of your browser showing the correct cert, including the SAN?
because you say that the browser is getting the correct one…
I don't have such old stuff to test it myself.


#3





#4

hmm… now the question is: does IE8 on XP even recognize SAN?

winxp is quite some old stuff and similar to android 2 it’s going down, slowly, but for sure.
according to the android stuff there’s like 4% of android devices active with <4.0


#5

well WinXP pre-SP3 doesn’t support sha256 based SSL certificates nor does Android <2.3

so could be the old Comodo certificate was issued with sha1 ?

for winxp try using the latest Firefox browser and double check


#6

well yeah even for winxp at least firefox should do sha256 certs and even SNI, because it doesn't rely on any system components for that matter…


#7

well can a server actually serve different certs based on the operating system/browser of the user? at least I see with FF42 on w8.1 a sha256 cert


#8

Believe Cloudflare does that ? BoringSSL supports equal preference ssl cipher/ssl certs but not many web servers use BoringSSL as opposed to OpenSSL or LibreSSL.

Wikimedia foundation has patched Nginx for multiple SSL certificate support see http://forum.nginx.org/read.php?29,261089. So hoping Nginx would merge such patches eventually :slight_smile:

We’ve forward-ported Filipe’s Apr 27 variant onto Debian’s 1.9.3-1
package. Most of the porting was trivial (offsets / whitespace /
etc). There were a couple of slightly more substantial issues around
the newer OCSP Stapling valid-timestamp checking, and the porting of
the general multi-cert work to the newer stream modules. The
ported/updated variant of the patches we’re running is available here
in our repo:

https://github.com/wikimedia/operations-software-nginx/blob/wmf-1.9.3-1/debian/patches/

Our configuration uses a pair of otherwise-identical RSA and ECDSA
keys and an external OCSP ssl_stapling_file (certs are from
GlobalSign, chain/OCSP info is identical in the pair). Our typical
relevant config fragment in the server section looks like this:


ssl_certificate /etc/ssl/localcerts/ecc-uni.wikimedia.org.chained.crt;
ssl_certificate_key /etc/ssl/private/ecc-uni.wikimedia.org.key;
ssl_certificate /etc/ssl/localcerts/uni.wikimedia.org.chained.crt;
ssl_certificate_key /etc/ssl/private/uni.wikimedia.org.key;
ssl_stapling on;
ssl_stapling_file /var/cache/ocsp/unified.ocsp;


#9

I am testing on Windows XP SP3 with IE8. It does support SHA256 and SAN.

I doubt that SHA is the problem here - error message would be different. It doesn’t have problem with signature but only with domain identification.

SAN (on Cloudflare)

SHA256 - Comodo without SAN but on same host (different IP) as my LE SAN certificate


#10

ssllabs reports for https://www.jadi.cz/ 2 IPs on Amazon EC2; 1 IP covers the non-www and www versions, but the other IP only covers the www version of the domain without non-www coverage


#11

SSLLabs is always testing SNI certificate.


#12

Hi, souki
How did you build so many DNS names?
I tried a lot of ways, not possible.


#13

I just passed them all as arguments to letsencrypt. But there is probably some problem with the created CSR and I will try to generate the CSR manually.


#14

Can you give an example? I tried many times, it will not work.
For example: example.com and example.org, these two domain names, with a CSR, in one cert.


#15

You can pass multiple domains to the client with -d domain1 -d domain2, etc.
Full example with webroot:

letsencrypt-auto certonly -a webroot --webroot-path /var/www/html -d example.com -d example.org

#16

I copied your certificate to My Computer (winxp sp3).
Then it displays something like this:

The meaning is: "Name of the certificate is invalid, this name is not included in the Allow list or directly excluded."
However, there is no problem in win7 system.


This may be because the operating system does not support it.


#17

Windows XP SP3 definitely supports SAN certificates (see screenshots above). But for some reason it has a problem with the SAN certificate from LE.


#18

I fully agree with this


#19

Feels like a problem with the interpretation of Name Constraints in Windows XP…
Just found a blog post about it… https://unmitigatedrisk.com/?p=201
So… I am not sure if we need to reissue a new Root Cert if we need to support XP…
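A check for what this post points at: whether a certificate in the chain carries the Name Constraints extension and whether that extension is flagged critical. This is an added example in Python (standard library only), not code from the thread or from Let's Encrypt; the extension list it parses is a constructed sample, and the small DER encoder exists only to build that sample.

```python
NAME_CONSTRAINTS_OID = bytes.fromhex("551d1e")   # 2.5.29.30 nameConstraints
EXT_KEY_USAGE_OID = bytes.fromhex("551d25")      # 2.5.29.37 extKeyUsage

def _der_len(n):
    """DER length: short form below 128, minimal long form above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    """Encode one DER element; used here only to build the constructed sample."""
    return bytes([tag]) + _der_len(len(body)) + body

def _walk(buf):
    """Yield (tag, body) for each element at one nesting level of buf."""
    i = 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        yield tag, buf[i:i + length]
        i += length

def find_extensions(der):
    """Descend every constructed element and collect X.509 Extensions, i.e.
    SEQUENCE { OID, BOOLEAN critical OPTIONAL, OCTET STRING }.
    Returns a list of (oid_bytes, critical) in the order found."""
    found = []
    for tag, body in _walk(der):
        if tag == 0x30:
            parts = list(_walk(body))
            if len(parts) in (2, 3) and parts[0][0] == 0x06 and parts[-1][0] == 0x04:
                critical = len(parts) == 3 and parts[1][0] == 0x01 and parts[1][1] != b"\x00"
                found.append((parts[0][1], critical))
                continue
        if tag & 0x20:                          # constructed element: look inside
            found.extend(find_extensions(body))
    return found

def has_critical_name_constraints(der):
    """True if the blob carries a Name Constraints extension marked critical."""
    return any(oid == NAME_CONSTRAINTS_OID and crit for oid, crit in find_extensions(der))

# Constructed sample (not a real CA certificate): an Extensions SEQUENCE with a
# critical Name Constraints extension excluding the DNS subtree ".example",
# followed by a non-critical Extended Key Usage (serverAuth) extension.
_name_constraints = tlv(0x30, tlv(0xA1, tlv(0x30, tlv(0x82, b".example"))))
_server_auth = tlv(0x30, tlv(0x06, bytes.fromhex("2b06010505070301")))
SAMPLE_EXTENSIONS = tlv(0x30,
    tlv(0x30, tlv(0x06, NAME_CONSTRAINTS_OID) + tlv(0x01, b"\xff") + tlv(0x04, _name_constraints))
    + tlv(0x30, tlv(0x06, EXT_KEY_USAGE_OID) + tlv(0x04, _server_auth)))
```

To run it on a real certificate, base64-decode the body between the BEGIN/END lines of the PEM file and pass the resulting bytes to find_extensions.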


#20

Windows XP is slowly dying but the problem also affects Android 2 which still has significant market share (bigger in markets like China or India)