I am trying to create an SSL certificate for a server which will work internally without giving warnings in Chrome. I've created it using SAN with multiple Subject Alt Names of localhost and the IP address. For some reason it works at localhost but it gives an error using the IP address in both curl and Chrome.
$ curl
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
$ curl
<a href="">Moved Permanently</a>.

Checking it on the command-line shows both names under the SAN section, so I'm not sure why this doesn't work:
$ openssl x509 -text -noout -in server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            8d:93:a1:be:d1:03:8f:59
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, L=Los Angeles, O=Alt Systems, OU=Internal, CN=Elliott/emailAddress=xxxxxx
        Validity
            Not Before: Nov 5 21:32:19 2019 GMT
            Not After : Mar 19 21:32:19 2021 GMT
        Subject: C=US, ST=CA, L=Los Angeles, O=Alt Systems, OU=Internal/emailAddress=xxxxxx, CN=alt-pix-la
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b0:53:b6:0b:f0:94:c1:a8:26:93:79:5a:45:86:
                    36:ac:60:c2:40:a2:bf:25:69:90:9f:8b:b9:3f:63:
                    30:ae:48:cc:f9:f0:9d:d4:15:3d:1c:20:bc:29:6f:
                    57:8f:7d:e9:a5:db:2b:2c:ac:1a:6f:6d:b9:17:98:
                    0e:a0:17:1f:3e:28:4e:42:bd:af:2e:54:dd:ec:ff:
                    7b:00:a5:ed:59:97:8a:6f:95:04:c9:eb:3a:6c:ec:
                    9e:c9:7e:12:ee:ce:cc:be:b7:c1:d3:fe:f6:cf:1d:
                    0d:68:07:68:52:7a:30:5f:f1:29:36:64:b2:a5:e8:
                    5e:a7:f9:75:ab:4b:aa:4b:12:aa:44:59:a3:df:18:
                    45:81:52:b1:4d:00:a4:f2:eb:7e:0d:3e:05:f9:94:
                    1a:aa:e4:2e:9a:ee:0c:59:91:b9:63:f3:5d:98:3b:
                    32:4e:f7:1b:47:e5:a7:54:5c:ba:75:9b:88:09:07:
                    cc:93:06:c3:8a:76:78:83:98:69:1a:8b:e2:fd:cf:
                    70:51:35:09:ba:67:ca:c1:81:f4:65:72:0a:15:7a:
                    12:2d:bc:65:04:7f:b8:c3:22:2b:79:8d:9a:62:54:
                    d2:89:3f:4a:02:72:36:27:6c:ad:50:4d:96:e5:a1:
                    df:8b:fe:51:0b:67:1b:44:4e:57:fc:bb:d7:1d:77:
                    9f:c3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:BC:39:94:F0:DC:DF:5D:8E:12:E1:DA:5F:8F:7C:C8:02:B4:0E:19:19
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:192.168.1.50
    Signature Algorithm: sha256WithRSAEncryption
         54:8e:98:93:53:c2:af:fc:b7:03:5c:6d:d3:7d:9a:d9:2f:99:
         ac:29:dc:0f:02:55:36:9e:70:57:68:df:27:5f:5e:a8:43:05:
         ff:a4:7e:bd:15:99:ff:aa:67:35:93:90:35:e0:e7:20:b4:77:
         7c:bf:6f:29:13:46:fc:56:81:58:60:67:14:ae:a1:1b:44:80:
         92:81:7f:ed:5c:bc:75:36:a9:11:52:9b:28:e1:18:d6:a4:17:
         35:13:6c:bd:be:64:db:70:a5:d4:7f:3e:16:26:73:f9:27:ed:
         7b:03:44:b3:59:2d:53:8d:e2:77:f1:6d:8d:21:c0:d0:2c:96:
         27:0c:c6:4e:6f:63:35:61:3e:b5:62:05:88:76:b5:99:ca:7d:
         64:f9:6b:f4:9b:18:8e:3a:77:82:59:d2:13:c0:14:3c:0a:dc:
         8d:82:38:ca:af:e9:43:06:83:ae:6e:4f:73:29:1d:0a:da:91:
         ea:72:f4:26:f3:59:98:8d:ca:1a:ad:19:17:fd:bb:9f:62:bf:
         85:e0:12:bd:9b:93:26:73:2b:9a:77:ff:c4:34:29:25:fc:c7:
         13:8f:94:b3:28:d7:79:dc:54:57:6c:3d:01:f0:37:5c:a9:28:
         23:13:89:7b:c5:63:51:eb:fc:ad:37:d1:31:cf:f4:2f:8c:9c:
         5f:35:07:79

2 Answers
You're using the wrong SAN type – only actual domain names are allowed in "DNS" type SANs; for IP addresses there is the "iPAddress" type ([7] OCTET STRING).
For OpenSSL you can use:
subjectAltName=IP:192.168.1.50
subjectAltName=IP:2001:db8:1234::4567

You have to add your IP address to the SAN. This code is working for me. Add your IP address like this.
[alternate_names]
IP.1 = 127.0.0.1
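
The difference the answers describe, shown at the encoding level as an added example (not code from either answer): the same text "192.168.1.50" is stored as a dNSName ([2]) in the question's certificate and as a 4-byte iPAddress ([7]) in the corrected one, and a client following RFC 2818 section 3.1 compares an IP literal only against iPAddress entries. The function names are hypothetical, and the sketch handles short-form DER lengths and exact (non-wildcard) names only.

```python
import ipaddress

# GeneralName context tags used in subjectAltName (RFC 5280, section 4.2.1.6)
DNS_NAME, IP_ADDRESS = 0x82, 0x87  # [2] IA5String, [7] OCTET STRING

def san_from_openssl(spec):
    """DER-encode GeneralNames from an OpenSSL-style list like 'DNS:a,IP:1.2.3.4'."""
    body = b""
    for item in spec.split(","):
        kind, _, value = item.strip().partition(":")
        if kind == "DNS":
            tag, raw = DNS_NAME, value.encode("ascii")
        elif kind == "IP":
            tag, raw = IP_ADDRESS, ipaddress.ip_address(value).packed
        else:
            raise ValueError(f"unsupported SAN type: {kind}")
        body += bytes([tag, len(raw)]) + raw
    if len(body) > 127:
        raise ValueError("example handles short-form DER lengths only")
    return bytes([0x30, len(body)]) + body

def decode_san(der):
    """Return [(tag, value_bytes), ...] from a short-form GeneralNames SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a short-form GeneralNames SEQUENCE")
    names, i = [], 2
    while i < len(der):
        tag, length = der[i], der[i + 1]
        names.append((tag, der[i + 2:i + 2 + length]))
        i += 2 + length
    return names

def host_matches(der, host):
    """IP literals match only iPAddress entries; other hosts only dNSName (no wildcards)."""
    try:
        want_ip = ipaddress.ip_address(host).packed
    except ValueError:
        want_ip = None
    for tag, value in decode_san(der):
        if want_ip is not None:
            if tag == IP_ADDRESS and value == want_ip:
                return True
        elif tag == DNS_NAME and value.decode("ascii").lower() == host.lower():
            return True
    return False

BROKEN = san_from_openssl("DNS:localhost,DNS:192.168.1.50")  # SAN from the question
FIXED = san_from_openssl("DNS:localhost,IP:192.168.1.50")    # SAN type the answers use
```

With these values, `host_matches(BROKEN, "192.168.1.50")` is false while `host_matches(BROKEN, "localhost")` is true, which is the behaviour the question reports from curl.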