SSL error "Expected server name was not found in the chain."

Question

Trying to connect to secure MQTT broker. Got error :

Expected server name was not found in the chain.

What is actually wrong there? Does it means my CA self signed certificate has no information about host name?

CA certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            25:31:48:1f:d0:21:0c:99:89:e3:0b:db:3e:6a:34:95:ce:e8:fd:51
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = US, ST = California, L = Hawthorne, O = PhilNet, CN = 34.245.0.159
        Validity
            Not Before: Jan 26 20:52:34 2020 GMT
            Not After : Jan 25 20:52:34 2021 GMT
        Subject: C = US, ST = California, L = Hawthorne, O = PhilNet, CN = 34.245.0.159
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:bf:0d:d2:2f:a6:90:40:2e:c5:89:eb:63:f1:ab:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Subject Key Identifier:
                89:18:C2:70:17:6B:FB:CE:5B:DF:D0:AA:66:23:E3:44:71:23:E4:DE
            X509v3 Authority Key Identifier:
                keyid:89:18:C2:70:17:6B:FB:CE:5B:DF:D0:AA:66:23:E3:44:71:23:E4:DE
                DirName:/C=US/ST=California/L=Hawthorne/O=PhilNet/CN=34.245.0.159
                serial:25:31:48:1F:D0:21:0C:99:89:E3:0B:DB:3E:6A:34:95:CE:E8:FD:51

            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Certificate Sign
            X509v3 Subject Alternative Name:
                IP Address:34.245.0.159, DNS:ec2-34-245-0-159.eu-west-1.compute.amazonaws.com, DNS:ip-172-31-45-21
    Signature Algorithm: sha1WithRSAEncryption
         4c:41:d3:bb:c7:db:a3:57:91:c2:ef:41:1a:10:a0:34:90:ff:
         ...

Server certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            25:31:48:1f:d0:21:0c:99:89:e3:0b:db:3e:6a:34:95:ce:e8:fd:52
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = US, ST = California, L = Hawthorne, O = PhilNet, CN = 34.245.0.159
        Validity
            Not Before: Jan 26 20:52:34 2020 GMT
            Not After : Jan 25 20:52:34 2021 GMT
        Subject: C = US, ST = California, L = Hawthorne, O = PhilNet, CN = 34.245.0.159
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:cd:64:50:6a:9a:7c:90:d8:a6:71:8b:ca:c4:30:
                    ...

                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                A4:DF:EB:2B:6E:B8:07:62:D7:00:10:95:28:78:7D:FD:A3:D2:78:7E
            X509v3 Subject Alternative Name:
                IP Address:34.245.0.159, DNS:ec2-34-245-0-159.eu-west-1.compute.amazonaws.com, DNS:ip-172-31-45-21
    Signature Algorithm: sha1WithRSAEncryption
         0b:40:b4:65:7b:8a:21:70:3f:4c:4e:49:61:9b:09:75:d6:d3:

Client certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            25:31:48:1f:d0:21:0c:99:89:e3:0b:db:3e:6a:34:95:ce:e8:fd:53
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = US, ST = California, L = Hawthorne, O = PhilNet, CN = 34.245.0.159
        Validity
            Not Before: Jan 26 20:52:35 2020 GMT
            Not After : Jan 25 20:52:35 2021 GMT
        Subject: C = US, ST = California, L = Hawthorne, O = PhilNet, CN = 192.168.1.110
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:a0:43:55:fa:97:a1:23:2b:58:d0:64:2b:e6:6b:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                1B:3F:DD:36:F4:5D:48:FD:6F:DF:58:6F:FE:BE:3A:C3:37:BD:93:77
            X509v3 Subject Alternative Name:
                IP Address:192.168.1.110
    Signature Algorithm: sha1WithRSAEncryption
         31:48:a6:1c:c8:39:57:91:8c:09:4e:7e:33:09:df:7a:a7:d9:

How to fix that?

Your server has the same subject and issuer as the CA which is a problem by itself. Also, SAN do not make any sense on the CA. Use of the broken SHA1 as signature algorithm is another problem. But as for the servers error message: you don't provide what the expected server name is so how can we why it cannot find it. We only see what is in the certificate but not what is expected. — Steffen Ullrich, Jan 26 '20 at 21:49
I generated self signed CA and Server certificates on the same machine where I run Mosquitto server. That is why they have same names. Is that problem? During connection I call server by providing IP 34.245.0.159. — vico, Jan 27 '20 at 07:47
The trust chain is typically created by trying to find the issue based on the issuer name in the certificate and it is assumed that same subject and issuer name means a self-signed certificate (it might or might not work if subject/issuer key identifiers are in use though). The subject of a certificate should also describe what it is for and having an IP address as subject of a CA makes no real sense since a CA is not the leaf certificate which authenticates a service on a specific IP. — Steffen Ullrich, Jan 27 '20 at 08:52

score 0 · Answer 1 · answered Dec 02 '20 at 16:16

I've fixed this issue by giving a domain/subdomain name of my mosquito server on CN (Common Name) when generating all certificates.

Common Name (CN) : your.mosquitto-server.com

Note: Subject and issuer of the client/server certificates shouldn't be same.

SSL error "Expected server name was not found in the chain."

1 Answers1