Closed Bug 1489045 Opened 3 years ago Closed 3 years ago
Wildcard certificate not working properly using enterprise roots
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Build ID: 20180807170231

Steps to reproduce:
In our organization we use self-signed certificates, so we configured FF to use system root certificates (security.enterprise_roots.enabled=true). It works fine with all websites except on one where we use a wildcard certificate (not sure it's related though). More precisely, I'm trying to access this address: https://teabox.gitlabpages.ubisoft.org/WebSite/ (this is an internal server; you won't be able to access it from outside). The certificate has *.gitlabpages.ubisoft.org in its alternative names.

Actual results:
I get an SSL_ERROR_BAD_CERT_DOMAIN error with the following details (in French):
teabox.gitlabpages.ubisoft.org utilise un certificat de sécurité invalide. Le certificat n’est valide que pour les noms suivants : msr-sc-gitfront02, msr-sc-gitfront02.ubisoft.org, msr-sc-gitlb02, msr-sc-gitlb02.ubisoft.org, gitlab-ncsa, gitlab-ncsa.ubisoft.org, *.gitlabpages, *.gitlabpages.ubisoft.org

Expected results:
The website is considered secure, which is the behavior I get from Chrome/Edge/Internet Explorer.
Component: Untriaged → Security: PSM
Product: Firefox → Core
OS: Unspecified → Windows
Summary: Wildcard certificate not working properly → Wildcard certificate not working properly using enterprise roots
Any chance you could attach a copy of the certificate that server is sending to this bug? (One way would be to click "SSL_ERROR_BAD_CERT_DOMAIN" and then "Copy text to clipboard" (or, rather, the equivalent French).)
Does .crt format work for you?
Thanks. I'm pretty sure the issue is with the "*.gitlabpages" entry. Since there's only 1 DNS label after the wildcard, it isn't considered valid. Name matching halts at this point and returns a bad input error that gets treated as a domain mismatch. (IIUC, part of the reason why we can't just skip the entry is because if there are name constraints in an intermediate/root, we don't know if entries we fail to process in the end-entity certificate might cause the name constraints to be violated.) Somewhat awkwardly, if that entry is actually listed last, it will work because we'll encounter the *.gitlabpages.ubisoft.org entry first, which matches, so we stop processing.
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1196364
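As an added illustration of the matching behaviour described in the comment above (example code written for this page; it is not Mozilla's or mozilla::pkix's own name-matching code), the model below walks the subjectAltName entries in order, stops at the first match, and treats an entry it cannot parse as a fatal bad-input error. The assumptions are labelled in the comments: a wildcard must be the whole leftmost label with at least two labels after it, single-label names are accepted as syntactically valid, and the "skip bad entries" variant is included only to contrast the outcome, not as a claim about what any other browser does.

```python
# Added example (not Firefox/mozilla::pkix code): a simplified model of
# dNSName matching that reproduces the behaviour described in the comment
# above. Assumptions, labelled as such: a wildcard entry must be a leading
# "*" followed by at least two labels; single-label entries are accepted as
# syntactically valid; an unparseable entry aborts matching.


class BadSanEntry(ValueError):
    """Raised for a presented-name entry the matcher refuses to parse."""


def entry_matches(entry: str, hostname: str) -> bool:
    """Return True if the dNSName SAN entry matches hostname.

    Raises BadSanEntry when the entry is syntactically unacceptable, e.g. a
    wildcard with fewer than two labels after it ("*.gitlabpages").
    """
    entry = entry.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not entry or not hostname:
        raise BadSanEntry("empty name")
    labels = entry.split(".")
    if any(not label for label in labels):
        raise BadSanEntry("empty label in %r" % entry)
    if "*" not in entry:
        return entry == hostname
    # Wildcard rules (assumption modelled on the comment above, in the
    # spirit of RFC 6125): the wildcard must be the entire leftmost label
    # and at least two labels must follow it.
    if labels[0] != "*" or any("*" in label for label in labels[1:]):
        raise BadSanEntry("wildcard must be the whole leftmost label: %r" % entry)
    if len(labels) < 3:
        raise BadSanEntry("too few labels after wildcard: %r" % entry)
    host_labels = hostname.split(".")
    # "*" stands in for exactly one non-empty label.
    return (len(host_labels) == len(labels)
            and host_labels[0] != ""
            and host_labels[1:] == labels[1:])


def is_parseable(entry: str) -> bool:
    """True if entry_matches would accept the entry's syntax at all."""
    try:
        entry_matches(entry, "probe.example")
    except BadSanEntry:
        return False
    return True


def check_hostname_strict(san_entries, hostname):
    """Behaviour described in the comment: walk the entries in order, stop at
    the first match, and treat an unparseable entry as a fatal bad-input
    error (which surfaces as a domain mismatch)."""
    for entry in san_entries:
        try:
            if entry_matches(entry, hostname):
                return "match"
        except BadSanEntry:
            return "bad_cert_domain"
    return "bad_cert_domain"


def check_hostname_skipping(san_entries, hostname):
    """The alternative the comment rejects (skipping entries that fail to
    parse), shown only to contrast the outcome."""
    for entry in san_entries:
        try:
            if entry_matches(entry, hostname):
                return "match"
        except BadSanEntry:
            continue
    return "bad_cert_domain"


# SAN list exactly as quoted in the bug report above.
REPORTED_SANS = [
    "msr-sc-gitfront02", "msr-sc-gitfront02.ubisoft.org",
    "msr-sc-gitlb02", "msr-sc-gitlb02.ubisoft.org",
    "gitlab-ncsa", "gitlab-ncsa.ubisoft.org",
    "*.gitlabpages", "*.gitlabpages.ubisoft.org",
]
HOST = "teabox.gitlabpages.ubisoft.org"


def reordered(sans):
    """Move the short wildcard entry last, as the comment says would work."""
    return [s for s in sans if s != "*.gitlabpages"] + ["*.gitlabpages"]


if __name__ == "__main__":
    print("as issued :", check_hostname_strict(REPORTED_SANS, HOST))
    print("reordered :", check_hostname_strict(reordered(REPORTED_SANS), HOST))
    print("skipping  :", check_hostname_skipping(REPORTED_SANS, HOST))
```

Running it shows the order dependence the comment describes: the list as issued yields a domain mismatch because "*.gitlabpages" is hit before the matching entry, while the same list with that entry moved last matches. The defender's takeaway is the same as the comment's: fix the certificate so every SAN entry is well-formed, rather than relying on entry order.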
Thx, we'll update on our certificate, I'll let you know if it doesn't work. That being said, I think you could improve the detailed messages so that in the future you don't get a new bug report on the subject :-). Chrome / Edge do not share the same behavior so it's even more disturbing.