The curious case of Subject Alternative Name and Firefox

Last week, while busy with an access connector migration from 19.x to 22.x, I ran into a weird certificate error. The issue has nothing to do with the access connector migration itself, but it is still worth a blog post.

In this process we needed a new load balancer FQDN for the Kerberos part of the access connector migration.
A new certificate was created with three FQDNs in the Subject Alternative Name (SAN): one for the load balancer and one for each of the two new access connectors.
The customer also included the three IP addresses of the load balancer and the connectors in the SAN. Don't ask me why...

The DNS Name entries in the SAN section of the certificate looked something like this:

DNS Name=wso.graafnet.nl (load balancer FQDN)
DNS Name=wso1.graafnet.nl (access connector #1)
DNS Name=wso2.graafnet.nl (access connector #2)

After progressing with the access connector migration we reached the step of testing everything.
We tested https://wso.graafnet.nl: the certificate is fine and trusted in Firefox.
We tested https://wso1.graafnet.nl: the certificate is fine and trusted in Firefox.
We tested https://wso2.graafnet.nl: the certificate is not fine, and Firefox gives SSL_ERROR_BAD_CERT_DOMAIN. OK..?


But... wso2.graafnet.nl is included in the SAN section of the certificate?
Even the Firefox error page, which lists the names the certificate is valid for, shows wso2.graafnet.nl among them.
Alright, let's test with Chrome: all three URLs are fine and trusted.

OK, so this has to be a Firefox issue.

After some trial and error, it seems that Firefox stops processing the Subject Alternative Name entries once it reaches the IP address entries in the SAN section of the certificate. When a new certificate was generated without the IP addresses in the SAN, everything worked fine. At the time of writing I used Firefox version 105.0.2.

Chrome just ignores them and continues validating.
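To make the SAN mechanics concrete, here is a small added example (mine, not code from the original post or from any browser). It encodes a subjectAltName with the post's three host names plus stand-in IP addresses (192.0.2.x, RFC 5737 documentation space, assumed here in place of the customer's real addresses), parses it back, and matches names against it the way RFC 6125 prescribes: host names only against dNSName entries, IP literals only against iPAddress entries, regardless of the order in which the entries appear. It also flags the two encoding mistakes that turn up in practice when IP addresses are put into a SAN: an address written as a dNSName string, and an iPAddress entry whose value is not 4 or 16 raw octets. Whether either was present in the customer's certificate cannot be known from the post; it is the first thing to check before re-issuing a certificate or blaming a validator.

```python
"""Minimal X.509 subjectAltName (GeneralNames) DER codec and RFC 6125 matcher.
Added example for this post, not code from the article or from any browser.
wso*.graafnet.nl are from the post; 192.0.2.x are RFC 5737 stand-ins (assumption)."""
import ipaddress

TAG_SEQUENCE = 0x30    # SEQUENCE OF GeneralName
TAG_DNSNAME = 0x82     # [2] IMPLICIT IA5String (dNSName)
TAG_IPADDRESS = 0x87   # [7] IMPLICIT OCTET STRING (iPAddress: 4 or 16 raw octets)

def der_tlv(tag, value):
    """One DER tag-length-value triple (short- or long-form length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + value

def encode_san(entries):
    """Encode [('dns', name) | ('ip', literal)] as GeneralNames; IPs become packed octets."""
    body = b""
    for kind, value in entries:
        if kind == "dns":
            body += der_tlv(TAG_DNSNAME, value.encode("ascii"))
        else:
            body += der_tlv(TAG_IPADDRESS, ipaddress.ip_address(value).packed)
    return der_tlv(TAG_SEQUENCE, body)

def _read_tlv(buf, pos):
    """Return (tag, value, position after the value) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_san(der):
    """Decode to ('dns', str) | ('ip', str) | ('bad_ip', bytes) | ('other', tag).
    Malformed iPAddress entries are reported, not rejected; the caller decides."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("not a GeneralNames SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == TAG_DNSNAME:
            names.append(("dns", value.decode("ascii")))
        elif tag == TAG_IPADDRESS and len(value) in (4, 16):
            names.append(("ip", str(ipaddress.ip_address(value))))
        elif tag == TAG_IPADDRESS:
            names.append(("bad_ip", value))
        else:
            names.append(("other", tag))
    return names

def _dns_match(presented, reference):
    """RFC 6125 6.4.3: case-insensitive; '*' only as the whole left-most label."""
    p, r = presented.lower().rstrip("."), reference.lower().rstrip(".")
    if not p.startswith("*."):
        return p == r
    pl, rl = p.split("."), r.split(".")
    return len(pl) == len(rl) >= 3 and pl[1:] == rl[1:]

def matches_san(der, reference):
    """IP literals match only iPAddress entries, host names only dNSName entries.
    Entry order is irrelevant; unknown or malformed entries are skipped."""
    names = parse_san(der)
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        return any(k == "dns" and _dns_match(v, reference) for k, v in names)
    return any(k == "ip" and ipaddress.ip_address(v) == ip for k, v in names)

def san_problems(der):
    """Encoding mistakes to fix before re-issuing a certificate."""
    out = []
    for kind, value in parse_san(der):
        if kind == "bad_ip":
            out.append(f"iPAddress has {len(value)} octets; must be 4 or 16")
        elif kind == "dns":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                continue
            out.append(f"IP literal {value!r} encoded as dNSName; use an iPAddress entry")
    return out

# Constructed SAN in the shape the post describes: the IP entries sit before the
# last host name, so a matcher that quit at the first iPAddress would miss wso2.
EXAMPLE_SAN = encode_san([("dns", "wso.graafnet.nl"), ("ip", "192.0.2.10"),
                          ("dns", "wso1.graafnet.nl"), ("ip", "192.0.2.11"),
                          ("ip", "192.0.2.12"), ("dns", "wso2.graafnet.nl")])

# Constructed broken SAN: an IP written as a dNSName plus a 3-octet iPAddress.
BROKEN_SAN = der_tlv(TAG_SEQUENCE, der_tlv(TAG_DNSNAME, b"192.0.2.10")
                     + der_tlv(TAG_IPADDRESS, b"\xc0\x00\x02")
                     + der_tlv(TAG_DNSNAME, b"wso2.graafnet.nl"))
```

On a real certificate the equivalent checks are `openssl x509 -in cert.pem -noout -ext subjectAltName` (OpenSSL 1.1.1 or later) to see how each entry is actually encoded, and `openssl x509 -in cert.pem -noout -checkhost wso2.graafnet.nl` to see whether OpenSSL's own matcher accepts the name. A SAN whose iPAddress entries are well-formed should match wso2.graafnet.nl in any RFC 6125 implementation, whatever position the IP entries occupy.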

This took an hour of my life, so maybe this helps you!
