Chrome Rejecting Webmin localhost Self-Signed Certificate (its security certificate is from [missing_subjectAltName])

#1 Sun, 05/28/2017 - 09:06
nh905

I am running Virtualmin GPL 5.07 on an Amazon EC2 server running CentOS 6. Since I do a lot of work on the server via SSH, I decided to tunnel port 10000 through PuTTY, allowing me to block all access to Virtualmin/Webmin from the Internet. Adding the self-signed 'localhost' to the certificate store got rid of all the Chrome error messages until recently, when Chrome started to complain about "This server could not prove that it is localhost; its security certificate is from [missing_subjectAltName]. This may be caused by a misconfiguration or an attacker intercepting your connection."

It appears that Chrome 58 requires that hostnames in self-signed certificates are included in the SubjectAltName field (https://textslashplain.com/2017/03/10/chrome-deprecates-subject-cn-match...). I crossed my fingers that the latest update to Virtualmin/Webmin would include the SAN extension when generating new Webmin certificates, but unfortunately that does not appear to be the case.

I have tried various openssl scripts to manually regenerate miniserv.pem with SubjectAltName, but so far none have been successful - Webmin refuses to start due to "Failed to open SSL cert at /usr/libexec/webmin/miniserv.pl line 4405."

When I get a chance, I will try other openssl scripts that people have posted and will report on what I find.

Regards, Norbert
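
An added example, not part of the original post and not Webmin's own code: one way to build a self-signed `localhost` certificate that carries a subjectAltName and to check the result before pointing a server at it. The function names, the output path and the `127.0.0.1` entry are assumptions, as is the layout of a single PEM file holding the private key followed by the certificate.

```shell
#!/bin/sh
# Added example (assumed names). make_san_pem OUTFILE writes a combined PEM:
# private key first, then a self-signed certificate with a SAN for localhost.
make_san_pem() {
    out=$1
    tmp=$(mktemp -d) || return 1
    # The SAN lives in an extension section that "req -x509" is told to apply.
    cat > "$tmp/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_san
prompt             = no
[dn]
CN = localhost
[v3_san]
subjectAltName = DNS:localhost, IP:127.0.0.1
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$tmp/san.cnf" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null ||
        { rm -rf "$tmp"; return 1; }
    # Key and certificate in one file, readable only by the owner.
    ( umask 077; cat "$tmp/key.pem" "$tmp/cert.pem" > "$out" )
    rm -rf "$tmp"
}

# has_san FILE NAME: succeeds only if the certificate lists DNS:NAME in its SAN.
has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' |
        grep -Eq "DNS:$2(,|[[:space:]]*\$)"
}

# key_matches_cert FILE: succeeds if the private key and the certificate in
# FILE carry the same public key (a mismatch means the pair cannot be used).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```

Running `has_san` and `key_matches_cert` against a candidate file separates a certificate that merely lacks the SAN from a file that is malformed or mismatched.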