Closed Bug 1489045 Opened 3 years ago Closed 3 years ago

Wildcard certificate not working properly using enterprise roots


(Core :: Security: PSM, defect)

61 Branch
(Reporter: julien.richard, Unassigned)
(1 file)

3.25 KB, application/x-x509-ca-cert
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Build ID: 20180807170231

Steps to reproduce:

In our organization we use self-signed certificates so we configured FF to use system root certificates (security.enterprise_roots.enabled=true). It works fine with all websites except on one where we use a wildcard certificate (not sure it's related though).

More precisely, I'm trying to access this address:
(this is an internal server; you won't be able to access it from outside)

The certificate has * in its alternative names.

Actual results:

I get an SSL_ERROR_BAD_CERT_DOMAIN error with the following details (in French): utilise un certificat de sécurité invalide. Le certificat n’est valide que pour les noms suivants : msr-sc-gitfront02,, msr-sc-gitlb02,, gitlab-ncsa,, *.gitlabpages, *

Expected results:

The website is considered secure, which is the behavior I get from Chrome/Edge/Internet Explorer.
Component: Untriaged → Security: PSM
Product: Firefox → Core
OS: Unspecified → Windows
Summary: Wildcard certificate not working properly → Wildcard certificate not working properly using enterprise roots
Any chance you could attach a copy of the certificate that server is sending to this bug? (One way would be to click "SSL_ERROR_BAD_CERT_DOMAIN" and then "Copy text to clipboard" (or, rather, the equivalent French).)
Flags: needinfo?(julien.richard)
Attached file certificate.crt
Does .crt format work for you?
Flags: needinfo?(julien.richard)
Thanks. I'm pretty sure the issue is with the "*.gitlabpages" entry. Since there's only 1 DNS label after the wildcard, it isn't considered valid. Name matching halts at this point and returns a bad input error that gets treated as a domain mismatch. (IIUC, part of the reason why we can't just skip the entry is because if there are name constraints in an intermediate/root, we don't know if entries we fail to process in the end-entity certificate might cause the name constraints to be violated.) Somewhat awkwardly, if that entry is actually listed last, it will work because we'll encounter the * entry first, which matches, so we stop processing.
Closed: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1196364
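The matching order described in that comment, as an added Python model written for this page (it is not mozilla::pkix code): entries are walked in certificate order, a wildcard with fewer than two labels after it aborts matching, and an earlier matching entry stops the walk before the bad entry is reached. The `example.test` domain and host names are constructed placeholders, and the wildcard rules are simplified to what the comment states.

```python
from typing import List, Optional, Tuple

MATCH, MISMATCH, BAD_INPUT = "match", "mismatch", "bad_input"


def wildcard_problem(entry: str) -> Optional[str]:
    """Return why a dNSName entry is rejected as a wildcard, or None if it is fine.
    Rule as described in the bug comment: the wildcard must be the whole leftmost
    label and at least two labels must follow it ('*.gitlabpages' has only one)."""
    if "*" not in entry:
        return None
    labels = entry.split(".")
    if labels[0] != "*" or "*" in entry[2:]:
        return "wildcard must be the entire leftmost label"
    if len(labels) - 1 < 2:
        return "fewer than two labels after the wildcard"
    return None


def entry_matches(hostname: str, entry: str) -> bool:
    """Case-insensitive label-by-label match; '*' matches exactly one label."""
    host_labels = hostname.lower().split(".")
    entry_labels = entry.lower().split(".")
    if len(host_labels) != len(entry_labels):
        return False
    return all(e == "*" or e == h for h, e in zip(host_labels, entry_labels))


def match_hostname(hostname: str, san_entries: List[str]) -> str:
    """Walk the SAN list in certificate order: a bad wildcard halts matching
    (surfacing as a domain mismatch), a matching entry stops it early."""
    for entry in san_entries:
        if wildcard_problem(entry):
            return BAD_INPUT
        if entry_matches(hostname, entry):
            return MATCH
    return MISMATCH


def lint_sans(san_entries: List[str]) -> List[Tuple[str, str]]:
    """Defender-side check before deploying a certificate: list the entries
    that would abort matching, with the reason."""
    return [(e, wildcard_problem(e)) for e in san_entries if wildcard_problem(e)]


# Constructed SAN lists modelled on the bug; domain part is a placeholder.
SANS_BAD_ORDER = ["msr-sc-gitfront02.example.test", "*.gitlabpages", "*.example.test"]
SANS_OK_ORDER = ["msr-sc-gitfront02.example.test", "*.example.test", "*.gitlabpages"]
```

Running `lint_sans` over a certificate's dNSName entries before issuing it catches the `*.gitlabpages` case regardless of where it sits in the list.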
Thx, we'll update on our certificate, I'll let you know if it doesn't work.

That being said, I think you could improve the detailed messages so that in the future you don't get a new bug report on the subject :-). Chrome / Edge do not share the same behavior so it's even more disturbing.