
When trying to log in to my website (pvapp.umwelt-campus.de/user/loghin) on Chrome-based browsers I get the error:

POST https://143.93.46.35:60702/user/login net::ERR_CERT_COMMON_NAME_INVALID

That's the IP and port of my backend.

On Firefox it works fine, tho. I installed certificates with certbot. My corresponding nginx settings look like:

server {
        listen 80;
        server_name pvapp.umwelt-campus.de;
        return 302 https://$server_name$request_uri;
}

server{
        # SSL configuration
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
        add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH';

        ssl_certificate     /etc/letsencrypt/live/pvapp.umwelt-campus.de/cert.pem;
        ssl_certificate_key /etc/letsencrypt/live/pvapp.umwelt-campus.de/privkey.pem;
        ...

I also added https at my backend (running at https://143.93.46.35:60702) like:

https.createServer({
    key: fs.readFileSync('/etc/letsencrypt/live/pvapp.umwelt-campus.de/privkey.pem', 'utf8'),
    cert: fs.readFileSync('/etc/letsencrypt/live/pvapp.umwelt-campus.de/cert.pem', 'utf8')
  }, app)
  .listen(nconf.get('port'), function() {
    console.log(`App listening on port ${nconf.get('port')}! Go to https://143.93.46.35:${nconf.get('port')}/`)
  });

Already tried to clear the cache, clear the Windows SSL cache, restarted everything and renewed the certs. Hope anyone has an idea. :)

Do I maybe need an extra cert for the backend?

Using Ubuntu 16.04.7 xenial (I know it's outdated)

Ora nge
  • As I already told you in your [first question](https://serverfault.com/questions/1044115/err-cert-common-name-invalid-on-chrome), the certificates work fine in Chrome. It must be your local machine that has a problem. – Gerald Schneider Nov 30 '20 at 10:40
  • @GeraldSchneider I tested it on many different machines, it's no local problem. I just added new information. That's why I asked again. – Ora nge Nov 30 '20 at 10:41
  • This would be much easier if you had just edited your original question instead of deleting and reposting it. You claimed that this only happens when you try to log in. Fine. So you connect to a different hostname when you log in. That hostname must be contained in the certificate to work. – Gerald Schneider Nov 30 '20 at 10:41
  • @GeraldSchneider Okay, good to know. So how would I do this? Do I need to re-build the cert? And how to add multiple hostnames then? – Ora nge Nov 30 '20 at 10:43
  • That depends on the method you used to create your certificate. Read the documentation of your tool. You can also create a separate certificate for the other host. – Gerald Schneider Nov 30 '20 at 10:53
  • @GeraldSchneider All right - I did this with certbot. Gonna try to create a separate cert later for the backend and reply then. Thanks in advance. – Ora nge Nov 30 '20 at 10:56
  • @GeraldSchneider All right - I created a separate self-signed certificate and that did the trick! Also tried with zeroSSL but didn't get their verification method, tho. X) – Ora nge Nov 30 '20 at 12:36

2 Answers


According to your comments in your now-deleted previous question on this, you have a different host that handles the login:

it's the login that's not working and giving the cert error. The frontpage is working fine.

You need either a certificate that contains both hostnames as SANs (Subject Alternate Name) or a different valid certificate for the second host.

Gerald Schneider

I think the issue here is that your backend generates a login URL that points to the backend directly, instead of pointing to the front-end domain.

Therefore you would need to fix your backend settings.

Tero Kilkanen
  • With a self-signed certificate I get 'ERR_CERT_AUTHORITY_INVALID:'. That indicates that the links should be correct but the problem is the self-sign. Isn't it? It works if I set an exception for that cert. – Ora nge Dec 02 '20 at 08:44
  • Well, this actually depends on how you want to set up your site and what your current configuration is. Usually nginx is the frontend, which reverse proxies requests to the backend server. The backend server is configured to generate URLs that point to the frontend nginx server. – Tero Kilkanen Dec 05 '20 at 18:21
  • @TeroKilkanen The node backend is active when the suitable url is called. There is no proxy in my nginx server. The URLs are the same as in the frontend router. – temp Dec 06 '20 at 19:07
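
Both answers turn on the same check: the client compares the host in the request URL with the names in the certificate. As an added example (not code from the question or the answers), this Node.js script runs `tls.checkServerIdentity` over the URLs from the question; the certificate objects, their SAN contents and the third URL are constructed assumptions.

```javascript
// Added example: which request URLs does a certificate's name list cover?
const tls = require('tls');

// Constructed stand-in for the certificate in the question. Assumption: it
// names only the site's hostname. The object has the same shape as the
// result of tls.TLSSocket#getPeerCertificate().
const siteCert = {
  subject: { CN: 'pvapp.umwelt-campus.de' },
  subjectaltname: 'DNS:pvapp.umwelt-campus.de',
};

// Constructed certificate that additionally carries the backend IP as an
// "IP Address" SAN entry, the entry type an IP-literal URL is matched against.
const certWithIpSan = {
  subject: { CN: 'pvapp.umwelt-campus.de' },
  subjectaltname: 'DNS:pvapp.umwelt-campus.de, IP Address:143.93.46.35',
};

// Returns one result per URL. The host part of the URL is the name that gets
// verified; the port plays no part in the name check.
function auditUrls(urls, cert) {
  return urls.map((u) => {
    const host = new URL(u).hostname;
    const err = tls.checkServerIdentity(host, cert); // undefined on a match
    return { url: u, host, ok: err === undefined, reason: err ? err.message : null };
  });
}

const urls = [
  'https://pvapp.umwelt-campus.de/user/login',       // frontend, by name
  'https://143.93.46.35:60702/user/login',           // backend, by IP (from the error)
  'https://pvapp.umwelt-campus.de:60702/user/login', // constructed: backend by name
];

for (const [label, cert] of [['hostname-only cert', siteCert], ['cert with IP SAN', certWithIpSan]]) {
  console.log(label);
  for (const r of auditUrls(urls, cert)) {
    console.log(' ', r.ok ? 'OK  ' : 'FAIL', r.url, r.reason || '');
  }
}
```

A name match is only one part of validation: a self-signed certificate with the right names still fails the trust-chain check, which is the `ERR_CERT_AUTHORITY_INVALID` mentioned in the comments.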