Master domain certificate invalid in chrome

ssl
certificates

#1

Hello,

I have servers: 1 master, 1 backup, 4 slaves (Samba 4 AD).
After configuring the GPO so that all the clients trust the UCS self-signed certificate, when the Windows computers open each server's Univention portal in:
Internet Explorer - all certificates are valid
Edge - all certificates are valid
Chrome - the master server gives an invalid certificate, all other servers are valid…

NET::ERR_CERT_COMMON_NAME_INVALID



#2

I’m able to SSO in every server via Chrome except the master; I assume that is because of the invalid certificate warning…

In Internet Explorer the SSO is completely random… it works in some servers and doesn’t work in others, and then stops working in the same servers…


#3

Can anyone help with this boring question?


#4

Hey,

can you please post the output of the following command when run on your DC Master:

openssl s_client -connect ccmdc01.ccm.local:443 < /dev/null | openssl x509 -in - -noout -text | grep -A 2 Subject

Please repeat this with the name of one other server for which Chrome works fine. Post the corresponding output, too.

Thanks.

Kind regards
mosu


#5

@Moritz_Bunkus

Is this what you asked for?


root@CCMDC01:~# openssl s_client -connect ccmdc01.ccm.local:443 < /dev/null | openssl x509 -in - -noout -text | grep -A 2 Subject
depth=1 C = PT, ST = PT, L = PT, O = PT, OU = Univention Corporate Server, CN = Univention Corporate Server Root CA (ID=QbAo4rsE), emailAddress = ssl@ccm.local
verify return:1
depth=0 C = PT, ST = PT, L = PT, O = PT, OU = Univention Corporate Server, CN = CCMDC01.ccm.local, emailAddress = ssl@ccm.local
verify return:1
DONE
       Subject: C = PT, ST = PT, L = PT, O = PT, OU = Univention Corporate Server, CN = CCMDC01.ccm.local, emailAddress = ssl@ccm.local
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
               Public-Key: (2048 bit)
--
           X509v3 Subject Key Identifier:
               7E:6C:8F:84:D7:2A:98:76:3E:FB:2B:83:A9:35:50:8B:F2:0D:E3:51
           X509v3 Authority Key Identifier:
--
           X509v3 Subject Alternative Name:
               DNS:CCMDC01.ccm.local, DNS:CCMDC01
   Signature Algorithm: sha256WithRSAEncryption
root@CCMDC01:~# openssl s_client -connect ccmdcbck.ccm.local:443 < /dev/null | openssl x509 -in - -noout -text | grep -A 2 Subject
depth=1 C = PT, ST = PT, L = PT, O = PT, OU = Univention Corporate Server, CN = Univention Corporate Server Root CA (ID=QbAo4rsE), emailAddress = ssl@ccm.local
verify return:1
depth=0 C = PT, ST = PT, L = PT, O = PT, OU = Univention Corporate Server, CN = CCMDCBCK.ccm.local, emailAddress = ssl@ccm.local
verify return:1
DONE
       Subject: C = PT, ST = PT, L = PT, O = PT, OU = Univention Corporate Server, CN = CCMDCBCK.ccm.local, emailAddress = ssl@ccm.local
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
               Public-Key: (2048 bit)
--
           X509v3 Subject Key Identifier:
               7B:4E:DC:CB:E7:C0:0D:9A:81:FC:AA:DD:A8:A1:2A:76:6E:A3:D4:62
           X509v3 Authority Key Identifier:
--
           X509v3 Subject Alternative Name:
               DNS:CCMDCBCK.ccm.local, DNS:CCMDCBCK, DNS:f087ff41-af05-4fc4-b846-b2ee7c77f9d8._msdcs, DNS:f087ff41-af05-4fc4-b846-b2ee7c77f9d8._msdcs.ccm.local
   Signature Algorithm: sha256WithRSAEncryption
root@CCMDC01:~#


#6

It is, thanks. And connecting to https://ccmdcbck.ccm.local works fine in Chrome?

To me it isn’t obvious why one would work while the other wouldn’t. At first I thought that maybe the uppercase host name in the certificate might be the reason, but the host name in the other server’s certificate is uppercase, too.

Strange.
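
On the uppercase question raised in #6: DNS names in a certificate are compared case-insensitively, and Chrome checks the requested name against the Subject Alternative Name rather than the CN. The following is an added example, not part of any post in this thread, that runs that check over the SAN lines posted in #5; the function names `san_dns_names` and `san_covers` are made up here, and the left-most wildcard handling goes beyond what the thread shows.

```shell
#!/bin/sh
# Added example (not from the thread): does a certificate's SAN cover a host?
# Live use (hypothetical HOST):
#   openssl s_client -connect HOST:443 </dev/null 2>/dev/null \
#     | openssl x509 -noout -text | san_covers HOST

# Print the SAN DNS names found in `openssl x509 -text` output on stdin,
# lowercased, one per line.
san_dns_names() {
    awk '/X509v3 Subject Alternative Name:/ { getline; print; exit }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p' \
        | tr '[:upper:]' '[:lower:]'
}

# Return 0 if host $1 matches a SAN DNS name from the text on stdin.
# Comparison is case-insensitive; "*.parent" covers one left-most label.
san_covers() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    names=$(san_dns_names)
    printf '%s\n' "$names" | grep -qxF -- "$host" && return 0
    case $host in
        *.*) printf '%s\n' "$names" | grep -qxF -- "*.${host#*.}" ;;
        *)   return 1 ;;
    esac
}

# SAN sections as they appear in the two outputs posted in #5.
MASTER_CERT_TEXT='            X509v3 Subject Alternative Name:
                DNS:CCMDC01.ccm.local, DNS:CCMDC01'
BACKUP_CERT_TEXT='            X509v3 Subject Alternative Name:
                DNS:CCMDCBCK.ccm.local, DNS:CCMDCBCK, DNS:f087ff41-af05-4fc4-b846-b2ee7c77f9d8._msdcs, DNS:f087ff41-af05-4fc4-b846-b2ee7c77f9d8._msdcs.ccm.local'

printf '%s\n' "$MASTER_CERT_TEXT" | san_covers ccmdc01.ccm.local \
    && echo "master: SAN covers ccmdc01.ccm.local"
printf '%s\n' "$BACKUP_CERT_TEXT" | san_covers ccmdcbck.ccm.local \
    && echo "backup: SAN covers ccmdcbck.ccm.local"
```

Both posted certificates pass this check for their own FQDN, so the SAN contents alone do not separate the master from the backup.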


#7

@Moritz_Bunkus yeah… to me it is weird too… this is happening in the sequence of SSO… I don’t know why but I cannot get SSO working against the DC master… but it works with the slave and backup servers… I’m assuming that it could be a related issue… but I can’t debug it :confused: