Connection Not Secure After HTTPS SSL Certificate Installation (KBA9293)

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

KBA

KBA# 9293

Issue

Following installation of SSL certificate for HTTPS connectivity, the connection may still be indicated as "Not Secure" in Chrome or Firefox. The browser error may indicate "ERR_CERT_COMMON_NAME_INVALID"

Applicable Delphix Versions

Click here to view the versions of the Delphix engine to which this article applies

Major Release	All Sub Releases
6.0	6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0, 6.0.2.1, 6.0.3.0, 6.0.3.1, 6.0.4.0, 6.0.4.1, 6.0.4.2, 6.0.5.0, 6.0.6.0, 6.0.6.1, 6.0.7.0, 6.0.8.0, 6.0.8.1, 6.0.9.0, 6.0.10.0, 6.0.10.1, 6.0.11.0, 6.0.12.0, 6.0.12.1, 6.0.13.0, 6.0.13.1, 6.0.14.0
5.3	5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0
5.2	5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1
5.1	5.1.0.0, 5.1.1.0, 5.1.2.0, 5.1.3.0, 5.1.4.0, 5.1.5.0, 5.1.5.1, 5.1.6.0, 5.1.7.0, 5.1.8.0, 5.1.8.1, 5.1.9.0, 5.1.10.0
5.0	5.0.1.0, 5.0.1.1, 5.0.2.0, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.3.0, 5.0.3.1, 5.0.4.0, 5.0.4.1, 5.0.5.0, 5.0.5.1, 5.0.5.2, 5.0.5.3, 5.0.5.4

Troubleshooting

The Common Name (CN) configured in the certificate must match the address used in browser. If the SSL certificate CN=testserver.delphix.com, the browser address used to access the interface must also be https://testserver.delphix.com. Using https://testserver would be expected to fail in this instance.

Resolution

If the requirements mentioned in Troubleshooting section do not explain the behavior, the issue may be related to behavioral changes introduced in Firefox and Chrome. Although the Subject Alternative Name (SAN) is technically optional, modern browsers now include additional checks with SAN against the CN, and both must be populated.

There are multiple methods available to confirm this as the root cause.

1. The uploaded/active HTTPS certificate can be reviewed in System Setup.

This can be verified by reviewing the certificate details uploaded to the Engine under the KeyStore tab in Network Security, and then and clicking More Info. In the first example, no SAN exists; In the second example, we see Subject Alternative Names exists at the bottom of this panel:

2. The Engine certificate details can be reviewed in a browser

Methods may vary depending on the browser version, but generally a user can click the Not Secure text indicated in address bar to view details about the insecure connection:

From here, the details of the certificate can be interrogated. From the example above, clicking the Your connection is not secure field will lead to another dialog, with a Certificate icon indicated on the right-hand side:

Clicking this message leads to a new Browser pop-up window, where Details can be expanded to view the details of the SSL certificate received. In the example below, we find no Subject Alternative Name configured.

3. The CSR used for certificate signing can be reviewed

If the CSR has been saved, it can be reviewed via openssl. In the first example, Attributes indicates none, and likewise Requested Extensions is blank.

$ openssl req -in ./csrnosan.csr -text -noout
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = US, ST = Colorado, L = Arvada, O = Delphix, OU = Support, CN = sean6014.dcol2.delphix.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b4:c8:c6:2e:40:74:42:69:da:ea:d8:0b:51:fe:
                    67:9c:05:4e:40:02:75:da:c0:38:b9:52:dc:b9:6a:
                    10:04:27:f2:2e:f0:8c:62:69:87:4b:8a:49:91:13:
                    80:bb:25:9e:89:69:3e:6f:7e:36:32:8e:d2:db:d5:
                    4e:9c:da:1d:13:44:b5:5d:b2:48:27:9c:2b:a2:d4:
                    be:cc:a1:88:43:dd:c4:8b:8b:1e:0b:23:bf:c0:d5:
                    7b:1a:ce:a1:d6:68:bd:c0:de:7b:62:50:ee:6a:48:
                    3f:1f:43:64:77:3b:9c:4f:55:11:8a:af:09:43:1a:
                    78:63:2c:6d:88:e8:50:05:f6:d9:e6:17:7c:ae:b0:
                    fa:62:af:43:03:85:20:36:a1:2f:94:c1:3e:b1:d3:
                    68:f5:32:73:b6:64:b6:85:12:d2:8c:cb:0a:3c:99:
                    fd:1a:5a:ac:0e:34:32:67:ea:28:d8:fd:09:ad:12:
                    d5:02:62:00:f5:2f:67:09:26:52:83:d8:7c:44:23:
                    fc:9c:57:08:97:d9:4c:59:d9:f9:1a:7a:c5:e5:15:
                    25:21:34:16:3b:b8:71:fb:c6:fe:79:9d:f5:d8:37:
                    f3:9d:c8:c2:f5:48:35:9a:18:4b:fe:b1:72:93:73:
                    8b:31:bf:2f:c8:a9:2a:9d:6f:30:77:76:26:6a:fb:
                    a6:13
                Exponent: 65537 (0x10001)
        Attributes:
            (none)
            Requested Extensions:
...

In the second example, we see X509v3 Subject Alternative Name exists:

$ openssl req -in ./csrsan.csr -text -noout
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = US, ST = Colorado, L = Arvada, O = Delphix, OU = Support, CN = sean6014.dcol2.delphix.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b8:1c:74:de:89:d5:16:16:86:0a:da:df:d0:a8:
                    81:38:f2:cf:57:bb:9e:d5:69:81:2c:01:a2:0d:61:
                    27:47:8d:e7:1b:b3:34:f6:84:13:b9:50:ad:d1:29:
                    60:1a:02:2d:77:c5:98:c8:7a:19:b2:11:7c:58:f4:
                    8b:bb:74:a1:60:dc:2d:43:6d:96:fc:83:f2:34:74:
                    8d:ff:19:40:c9:62:8f:59:49:cb:02:bc:26:9d:76:
                    16:75:6e:0f:4d:e7:0e:fb:30:32:4f:f5:56:34:29:
                    fa:3f:d6:67:4a:b6:ac:46:a1:9a:90:13:d8:26:d7:
                    8b:ec:8b:46:9f:d2:76:9c:af:c0:92:8e:df:6e:7e:
                    56:16:d8:d0:7b:1c:58:77:26:9c:85:24:1c:28:91:
                    c0:32:28:18:8a:1c:41:9b:8b:cf:8f:48:c7:94:49:
                    5c:53:bb:88:82:cb:da:38:8f:61:a8:3b:5c:ed:12:
                    14:8e:78:db:dd:47:c3:df:db:30:f1:15:0c:2d:8b:
                    50:1d:4d:29:14:43:45:0c:80:33:36:a1:e7:33:44:
                    c1:d2:17:48:a6:6e:12:da:20:95:f7:60:17:fc:e5:
                    fa:ed:8b:a6:86:9b:0f:02:24:9d:cf:f3:ff:26:a9:
                    81:a4:db:7a:0b:e9:4b:75:65:a5:59:9c:08:d8:01:
                    38:87
                Exponent: 65537 (0x10001)
        Attributes:
            Requested Extensions:
                X509v3 Subject Alternative Name:
                    DNS:sean6014.dcol2.delphix.com
...

Once the absence of a SAN is confirmed, it is recommended to regenerate the certificate by either generating a new keystore, or a new CSR (depending on the original method used for replacement), with the SAN including the CN hostname (optionally including other parameters such as wildcard domain, hostname or FQDN, et cetera).

This detail is also indicated in our Documentation:

https://cd.delphix.com/docs/latest/delphix-provided-key-pair-configuration

Subject Alternative Names (SAN): Add IP addresses or hostnames to be associated with the certificate. Some browsers require that the HTTPS certificate includes the server's fully qualified domain name (FQDN) as a SAN.

References to this new requirement are provided in the Related Articles section below.

The following articles may provide more information or related information to this article: