According to RFC 2818 the use of CN in certificates is deprecated and the Subject Alt Name should be used instead. Currently self signed webmin certificates have no Subject Alternative Name.
Google is already enforcing this policy and even OpenSSL based certificate validation scripts such as check_ssl_cert are now rigorously rejecting all self signed certs created by webmin. It should not be too complicated to modify the Self Signed Certificate creation in Webmin to add a valid subjectAltName matching the CN name.
This was observed in Webmin 1.981 and Virtualmin 6.17 on Debian 10 and Debian 11.
@jcameron Jamie, can you take care of this?
@kastoberlin As a workaround in order to login when using Chrome, type
thisisunsafe
to bypass certificate warning screen.
Is the problem that certs have no subjectAltName, or that they are self-signed? Does Chrome accept a self-signed cert when it does have subjectAltName?
As an answer to your second question, Chrome shows the error
NET::ERR_CERT_COMMON_NAME_INVALID even if I import the Webmin
certificate into the Windows certificate store and even though the CN
correctly matches the hostname. You may check this yourself with
https://selfsigned.geotek.de/
------ Original Message ------
From: "Jamie Cameron" jcameron@users.sourceforge.net
To: "[webadmin:bugs]" 5510@bugs.webadmin.p.re.sourceforge.net
Sent: 06.10.2021 01:21:34
Subject: [webadmin:bugs] #5510 Self Signed Certs should have a valid
subjectAltName
Related
Bugs: #5510
The problem is not that the certificate is self signed but that the self
signed certificates don't have a subjectAltName.
Background: We are automatically monitoring a number of hosts for
certificate validity. Hosts that are publicly available or are in a
location with a private PKI infrastructure have valid, externally issued
certificates, all others have a self signed Webmin certificate. On those
hosts the Cert validity check is always red because the subjectAltName
is missing and there is not yet a way to work around it because the cert
check used considers these certificates as bad. It is no problem to mark
self signed certificates as acceptable for selected hosts but there is
no way to make the self signed Webmin Certificates treated as
acceptable.
One might argue that a self signed certificate with valid CN but missing
subjectAltName should be treated as good because it is not (yet)
forbidden to have an empty subjectAltName, but the shift from CN to
subjectAltName even for single domain certificates is accepted industry
practice and RFC recommendation. I would appreciate it if Webmin would
follow this best practice.
------ Original Message ------
From: "Jamie Cameron" jcameron@users.sourceforge.net
To: "[webadmin:bugs]" 5510@bugs.webadmin.p.re.sourceforge.net
Sent: 06.10.2021 01:21:34
Subject: [webadmin:bugs] #5510 Self Signed Certs should have a valid
subjectAltName
Related
Bugs: #5510
Ok, it makes sense to add subjectAltName to self-signed certs.
The only tricky part will be figuring out how to do that with the
openssl command.
Ok, I take a look at https://github.com/webmin/webmin/commit/cb0e5a1440e9a3fc1e9a60c11b0c7a90a4bc9ff4
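An added example for the thread above, not Webmin's code and not the contents of the linked commit: one way to have the `openssl` command emit a self-signed certificate whose subjectAltName matches the CN, plus the kind of SAN check a monitoring script could run. The function names, file layout and the hostname `webmin.example.test` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Function names, file layout and hostname are assumptions.

# make_selfsigned DIR HOST MODE   (MODE is "san" or "nosan")
# Writes DIR/HOST.MODE.key and DIR/HOST.MODE.pem. The SAN is supplied via a
# generated config file, so no -addext support is required.
make_selfsigned() {
    cfg="$1/$2.$3.cnf"
    {
        printf '[req]\ndistinguished_name = dn\nprompt = no\n'
        if [ "$3" = san ]; then printf 'x509_extensions = v3\n'; fi
        printf '[dn]\nCN = %s\n' "$2"
        if [ "$3" = san ]; then
            printf '[v3]\nsubjectAltName = DNS:%s\n' "$2"
        fi
    } > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1825 \
        -config "$cfg" -keyout "$1/$2.$3.key" -out "$1/$2.$3.pem" 2>/dev/null
}

# cert_san_matches CERT HOST
# Succeeds only if the certificate carries a SAN entry exactly equal to
# DNS:HOST (no wildcard handling). The extension is inspected directly
# because "openssl x509 -checkhost" falls back to the CN when a certificate
# has no DNS SAN, which would hide the problem reported in this ticket.
cert_san_matches() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//' | grep -Fxq "DNS:$2"
}

# Demo on a constructed hostname: CN-only certificate versus CN plus SAN.
host=webmin.example.test
tmp=$(mktemp -d)
for mode in nosan san; do
    make_selfsigned "$tmp" "$host" "$mode"
    if cert_san_matches "$tmp/$host.$mode.pem" "$host"; then
        echo "$mode: subjectAltName matches $host"
    else
        echo "$mode: no matching subjectAltName"
    fi
done
rm -rf "$tmp"
```
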