3

We have a wildcard certificate that works for several cloudfront hosts we use at work here (all or mostly all tied to an S3 bucket) but when accessing using SSL, my browser yields an NET::ERR_CERT_COMMON_NAME_INVALID.

Heres the full message:

Your connection is not private

Attackers might be trying to steal your information from api.assets.portablenorthpole.com (for example, passwords, messages or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID

This server could not prove that it is api.assets.portablenorthpole.com; its security certificate is from *.portablenorthpole.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

Strangely, the configuration is the same for "https://assets.portablenorthpole.com/" and that one works with the same SSL. Both use SNI and feature similar configuration but one fails to respond correctly.

Can you give me a hint what to search for?

Mathieu Dumoulin
  • 183
  • 2
  • 7

1 Answers1

5

The * in a wildcard cert is only properly allowed to match a single element at the far left side in the hostname.

If the wildcard character is the only character of the left-most label in the presented identifier, the client SHOULD NOT compare against anything but the left-most label of the reference identifier (e.g., *.example.com would match foo.example.com but not bar.foo.example.com or example.com).

https://www.rfc-editor.org/rfc/rfc6125#section-6.4.3

Community
  • 1
Michael - sqlbot
  • 22,658
  • 2
  • 63
  • 86