Intro
I was confronted with a web site certificate error. A user was reluctant – correctly – to proceed to an internal web site because he saw a message to the effect:
I tried it myself with IE and got the same thing.
Switch to Chrome and I saw this error:
I wouldn’t bother to document this one except for a twist: the certificate error went away in IE when you clicked through to the login page.
Furthermore, when I examined the certificate with a tool I trust, openssl, it showed the date was not expired.
So what’s going on there?
The details
First thing I dug into was Chrome. I found this particular error can occur if you have an internal certificate issued with a valid common name, but without a Subject Alternative Name. My openssl examination confirmed this was indeed the case for this certificate.
So I decided the Chrome error was a red herring. And confirmed this after checking out other internal web sites which all suffered from this problem.
But that still leaves the IE error unexplained.
As I mentioned in a previous post, I created a shortcut bash function that combines several openssl functions I call examinecert:
examinecert () { echo|openssl s_client -servername "$@" -connect "$@":443|openssl x509 -text|more; } |
Use it like this:
$ examinecert drjohnstechtalk.com
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
04:17:21:b7:12:94:3a:fa:fd:a8:f3:f8:5e:2e:e4:52:35:71
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Validity
Not Before: Apr 4 08:34:56 2018 GMT
Not After : Jul 3 08:34:56 2018 GMT
Subject: CN=drjohnstechtalk.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d3:50:98:6d:72:03:b2:e4:01:3f:44:01:3d:eb:
ff:fc:68:7d:51:a4:09:90:48:3c:be:43:88:d7:ba:
...
X509v3 extensions:
...
X509v3 Subject Alternative Name:
DNS:drjohnstechtalk.com
... |
I tried to show a friend the error. I could no longer get IE to show a certificate error. So my friend tried IE. He saw that initial error.
Most people give up at this point. But my position is the kind where problems no one else can resolve go to get resolution. And certificates is somewhat a specialty of mine. So I was not ready to throw in the towel.
I mistrust all browsers. They cache information, try to present you sanitized information. It’s all misleading.
So I ran examinecert again. This time I got a different result. It showed an expired certificate. So I ran it again. It showed a valid, non-expired certificate. And again. It kept switching back-and-forth!
Here it helps to know some peripheral information. The certificate resides on an old F5 BigIP load-balancer which I used to run. It has a known problem with updating certificate if you merely try to replace the certificate in the SSL client profile. It’s clear by looking at the dates the certificate had recently been renewed.
So I now had enough information to say the problem was on the load balancer and I could send the ticket over to the group that maintains it.
As for IE’s strange behavior? Also explainable for the most part. After an initial page with the expired certificate, if you click Continue to this web site it re-loads the page and gets the Good certificate so it no longer shows you the error! So when I clicked on the lock icon to examine the certificate, I always was getting the good version. In fact – and this is an example of the limitation of browsers like IE -you don’t have the option to examine the certificate about which it complained initially. Then IE caches this certificate I think so it persists sometimes even after closing and re-launching the browser.
Case closed.
Conclusion
An intermittent certificate error was explained and traced to a bad load balancer implementation of SSL profiles. The problem could only be understood by going the extra mile, being open-minded about possible causes and “using all my senses.” As I like to joke, that’s why I make the medium bucks!
Other conclusion? openssl is your friend.
References and related
My favorite openssl commands show how to use openssl x509 from any linux server.