I am having trouble creating an SSL certificate for a website that is served by Apache. When I visit https://192.168.0.44 via FireFox, I get the error message:

Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for 192.168.0.44. The certificate is only valid for 192.168.0.44.
Error code: SSL_ERROR_BAD_CERT_DOMAIN
Here are the steps to reproduce the issue.
Requirements:
- One computer with Ubuntu OS on the IP address 192.168.0.44.
- One computer with Windows on any 192.168.0.* address.
Steps:
I go to the Ubuntu machine.
I run this command:
mkdir -p /etc/certs/test;
I create the file /etc/certs/test/entity.cnf with the following content:
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = CA
ST = ON
L = Windsor
O = Ankle
OU = Hello
CN = 192.168.0.44
[v3_req]
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = 192.168.0.44
I make a file called /etc/certs/test/make-certs.sh with the following content.
#!/bin/bash
ORG="ABTEST"
CN="abtest"
certdir="/etc/certs/test"
mkdir -p $certdir;
cd $certdir;
## Create certificate authority
openssl genrsa -out $certdir/ca.key 2048
openssl req -x509 -sha256 -nodes -key $certdir"/ca.key" -subj "/C=CA/ST=ON/O="$ORG"/CN="$CN -days 3650 -out $certdir"/ca.crt"
## Create entity certificate
# Private Key
openssl genrsa -out $certdir/entity.key 2048
# CSR
openssl req -new -sha256 -nodes -key $certdir"/entity.key" -config $certdir"/entity.cnf" -out $certdir"/entity.csr"
# Certificate
openssl x509 -req -in $certdir"/entity.csr" -CA $certdir"/ca.crt" -CAkey $certdir"/ca.key" -CAcreateserial -out $certdir"/entity.crt" -days 500 -sha256 -extensions v3_req -extfile $certdir"/entity.cnf"
I run the command:
./make-certs.sh
I install Apache2 with this command.
apt-get install -y apache2;
I create a /etc/apache2/sites-available/default-ssl.conf with this content:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/certs/test/entity.crt
SSLCertificateKeyFile /etc/certs/test/entity.key
SSLCACertificateFile /etc/certs/test/ca.crt
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
I run these commands:
a2enmod ssl;
a2ensite default-ssl.conf;
systemctl restart apache2;
I run this command:
cat /etc/certs/test/ca.crt
I copy the output.
I go to the Windows computer.
I paste the clipboard content to a txt file called ca.crt.
I go to FireFox Settings and import ca.crt as a certificate authority.
I visit https://192.168.0.44 with FireFox.
I see the error message mentioned at the beginning of this question.
However, I will not get this error if I repeat the steps above but change just 3 things:
- On my Ubuntu machine, I replace all instances of 192.168.0.44 with hello.test.com in /etc/certs/test/entity.cnf.
- On my Windows computer, I add the line 192.168.0.44 hello.test.com to the file C:\Windows\System32\drivers\etc\hosts.
- On my Windows computer, I visit https://hello.test.com with the FireFox web browser.
With these 3 changes, FireFox shows a green lock icon and says everything about my SSL certificate is perfect.
How do I fix my situation so that 192.168.0.44 can use a verifiable and trusted certificate?
Additional Note:
This is what FireFox says when I visit https://192.168.0.44 when the Apache uses a cert for 192.168.0.44.
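An added example, not the asker's script or code from the answers, that puts the fix in the terms a browser actually checks: the address typed into the URL bar must appear as an iPAddress entry in subjectAltName (written as IP:... in the OpenSSL config), so a DNS: entry that merely contains the digits does not match. It builds a throwaway CA and leaf certificate in a directory you choose and uses openssl verify -verify_ip as the check; the directory layout and the "Test CA" name are assumptions.

```shell
#!/bin/bash
# Added example, not the asker's script: build a throwaway CA and a leaf certificate whose
# subjectAltName carries an IP entry, then check it the way a browser does: chain to the CA
# AND match the address typed into the URL bar. Directory and CA names are hypothetical.
set -u

# make_certs DIR SAN: write the config, then ca.crt and entity.crt into DIR.
# SAN is the subjectAltName value, e.g. "IP:192.168.0.44,DNS:hello.test.com".
make_certs() {
  local dir="$1" san="$2"
  mkdir -p "$dir"
  cat > "$dir/entity.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = 192.168.0.44
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_req]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
  # Self-signed CA (subject overridden on the command line).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config "$dir/entity.cnf" \
    -extensions v3_ca -subj "/CN=Test CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Leaf key + CSR, then sign it with the v3_req extensions (as the question's script does).
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/entity.cnf" \
    -keyout "$dir/entity.key" -out "$dir/entity.csr" 2>/dev/null
  openssl x509 -req -in "$dir/entity.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 500 -sha256 -extensions v3_req -extfile "$dir/entity.cnf" \
    -out "$dir/entity.crt" 2>/dev/null
}

# verify_for_ip DIR IP: exit 0 only if entity.crt chains to ca.crt AND is valid for IP.
# The IP match only looks at iPAddress SAN entries: there is no fallback to the CN or to a
# DNS entry that happens to look like an address (that is what SSL_ERROR_BAD_CERT_DOMAIN reports).
verify_for_ip() {
  openssl verify -CAfile "$1/ca.crt" -verify_ip "$2" "$1/entity.crt" >/dev/null 2>&1
}

# show_san DIR: print the subjectAltName the issued certificate actually carries.
show_san() {
  openssl x509 -in "$1/entity.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}
```

Running make_certs /tmp/certs-demo "IP:192.168.0.44,DNS:hello.test.com" followed by verify_for_ip /tmp/certs-demo 192.168.0.44 succeeds, while the same check against a certificate built with "DNS:192.168.0.44" fails with an IP address mismatch.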
Your alt names are incorrect. It should be
By the way, a certificate is never created for an IP address and will never be trusted. You can create a certificate based on a domain name which links using DNS to an IP.