Estou tentando criar um certificado SSL para um servidor que funcionará internamente sem dar avisos no Chrome. Eu o criei usando SAN com vários nomes alternativos de assunto de localhost e o endereço IP. Por algum motivo, funciona no localhost, mas dá um erro ao usar o endereço IP em ambos curl
e no Chrome.
$ curl https://192.168.1.50
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
$ curl https://localhost
<a href="https://localhost:9090/">Moved Permanently</a>.
Verificar na linha de comando mostra os dois nomes na seção SAN, então não sei por que isso não funciona:
$ openssl x509 -text -noout -in server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
8d:93:a1:be:d1:03:8f:59
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=California, L=Los Angeles, O=Alt Systems, OU=Internal, CN=Elliott/emailAddress=xxxxxx
Validity
Not Before: Nov 5 21:32:19 2019 GMT
Not After : Mar 19 21:32:19 2021 GMT
Subject: C=US, ST=CA, L=Los Angeles, O=Alt Systems, OU=Internal/emailAddress=xxxxxx, CN=alt-pix-la
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b0:53:b6:0b:f0:94:c1:a8:26:93:79:5a:45:86:
36:ac:60:c2:40:a2:bf:25:69:90:9f:8b:b9:3f:63:
30:ae:48:cc:f9:f0:9d:d4:15:3d:1c:20:bc:29:6f:
57:8f:7d:e9:a5:db:2b:2c:ac:1a:6f:6d:b9:17:98:
0e:a0:17:1f:3e:28:4e:42:bd:af:2e:54:dd:ec:ff:
7b:00:a5:ed:59:97:8a:6f:95:04:c9:eb:3a:6c:ec:
9e:c9:7e:12:ee:ce:cc:be:b7:c1:d3:fe:f6:cf:1d:
0d:68:07:68:52:7a:30:5f:f1:29:36:64:b2:a5:e8:
5e:a7:f9:75:ab:4b:aa:4b:12:aa:44:59:a3:df:18:
45:81:52:b1:4d:00:a4:f2:eb:7e:0d:3e:05:f9:94:
1a:aa:e4:2e:9a:ee:0c:59:91:b9:63:f3:5d:98:3b:
32:4e:f7:1b:47:e5:a7:54:5c:ba:75:9b:88:09:07:
cc:93:06:c3:8a:76:78:83:98:69:1a:8b:e2:fd:cf:
70:51:35:09:ba:67:ca:c1:81:f4:65:72:0a:15:7a:
12:2d:bc:65:04:7f:b8:c3:22:2b:79:8d:9a:62:54:
d2:89:3f:4a:02:72:36:27:6c:ad:50:4d:96:e5:a1:
df:8b:fe:51:0b:67:1b:44:4e:57:fc:bb:d7:1d:77:
9f:c3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:BC:39:94:F0:DC:DF:5D:8E:12:E1:DA:5F:8F:7C:C8:02:B4:0E:19:19
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
X509v3 Subject Alternative Name:
DNS:localhost, DNS:192.168.1.50
Signature Algorithm: sha256WithRSAEncryption
54:8e:98:93:53:c2:af:fc:b7:03:5c:6d:d3:7d:9a:d9:2f:99:
ac:29:dc:0f:02:55:36:9e:70:57:68:df:27:5f:5e:a8:43:05:
ff:a4:7e:bd:15:99:ff:aa:67:35:93:90:35:e0:e7:20:b4:77:
7c:bf:6f:29:13:46:fc:56:81:58:60:67:14:ae:a1:1b:44:80:
92:81:7f:ed:5c:bc:75:36:a9:11:52:9b:28:e1:18:d6:a4:17:
35:13:6c:bd:be:64:db:70:a5:d4:7f:3e:16:26:73:f9:27:ed:
7b:03:44:b3:59:2d:53:8d:e2:77:f1:6d:8d:21:c0:d0:2c:96:
27:0c:c6:4e:6f:63:35:61:3e:b5:62:05:88:76:b5:99:ca:7d:
64:f9:6b:f4:9b:18:8e:3a:77:82:59:d2:13:c0:14:3c:0a:dc:
8d:82:38:ca:af:e9:43:06:83:ae:6e:4f:73:29:1d:0a:da:91:
ea:72:f4:26:f3:59:98:8d:ca:1a:ad:19:17:fd:bb:9f:62:bf:
85:e0:12:bd:9b:93:26:73:2b:9a:77:ff:c4:34:29:25:fc:c7:
13:8f:94:b3:28:d7:79:dc:54:57:6c:3d:01:f0:37:5c:a9:28:
23:13:89:7b:c5:63:51:eb:fc:ad:37:d1:31:cf:f4:2f:8c:9c:
5f:35:07:79
Você está usando o tipo de SAN errado – apenas nomes de domínio reais são permitidos em SANs do tipo "DNS"; para endereços IP existe o tipo "iPAddress" (
[7] OCTET STRING
).Para OpenSSL você pode usar:
Você precisa adicionar seu endereço IP ao SAN. Este código está funcionando para mim. Adicione seu endereço IP assim.