Secure Connection Failed

Secure Connection Failed
Hostname uses an invalid security certificate.
The certificate is only valid for *
(Error code: ssl_error_bad_cert_domain)

Firefox 3 produces this error a lot for me, mostly because I’m reaching local SSL sites by their short hostname rather than their FQDN, and the certificate only has the FQDN in it. The solution is going to be setting up the short hostname in Apache as a separate site (its own ServerName) rather than a ServerAlias, with a rewrite rule that redirects to the full site. Of course that means I’ll need a bunch of code to autogenerate certificates and sign them, which sounds like a terrible bore.
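The Apache arrangement just described, written out as an added example rather than the post's own configuration. It assumes a short hostname of web1, an FQDN of web1.example.com, placeholder certificate paths and Apache 2.2 syntax; every name and path here is an assumption.

```apache
# Added example, not the post's own config. Assumed names: short hostname
# "web1", FQDN "web1.example.com"; certificate paths are placeholders.
NameVirtualHost *:443

# Short hostname gets its own vhost with its own ServerName (not a
# ServerAlias), presents a certificate issued for "web1" so the browser's
# hostname check passes, and then redirects every request to the FQDN.
<VirtualHost *:443>
    ServerName web1
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/web1.crt
    SSLCertificateKeyFile   /etc/ssl/private/web1.key
    RewriteEngine on
    RewriteRule ^/(.*)$ https://web1.example.com/$1 [R=301,L]
</VirtualHost>

# The real site, reached only by its FQDN, with the FQDN certificate.
<VirtualHost *:443>
    ServerName web1.example.com
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/web1.example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/web1.example.com.key
    DocumentRoot /var/www/web1
</VirtualHost>
```

One caveat: two SSL virtual hosts on the same address and port only work once the server can choose a certificate by the requested name, which means SNI (Apache 2.2.12 or later built against an OpenSSL with TLS extensions; Firefox 2 and later send it) or a separate IP address per name. Without either, Apache presents the first vhost's certificate for every name and the mismatch comes straight back. The other way out is a single certificate whose subjectAltName lists both web1 and web1.example.com; then no second certificate is needed and the short-name vhost only has to carry the redirect.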

In the interim, the FF3 error is a real nuisance: it takes a few clicks to get through, where before you could just acknowledge the warning and continue. Setting ‘browser.xul.error_pages.expert_bad_cert’ to true in ‘about:config’ helps a lot: you no longer get the popup, and you just click ‘Add exception’ and then ‘Confirm security exception’.

2 thoughts on “Secure Connection Failed”

  1. btm Post author

    @2fixus: I had a hard time approving that comment, it’s pretty much spam. Especially since I explain in my post that the problem is a hostname mismatch due to connecting to “sites by their hostname rather than their fqdn and the cert only has the fqdn in it.”

    In case someone ends up here and doesn’t understand this, SSL certificates have a hostname hard coded into them so that if you connect to a host other than the one the certificate is for, the browser will warn you. This is good, so can’t present a certificate pretending to be or such.

    It’s more complicated than this, these days there’s some support for certificates with alternative names, mostly used commercially for Microsoft’s 2007 product line like Exchange and OCS (Communicator).

    And to give you the benefit of the doubt that you missed where I say that I sign my certificates: I sign my own certificates with a locally trusted certificate authority root. It’s only a problem when you run into the hostname/domain mismatch. So I don’t need to spend a bunch of money to buy someone else’s certificate signature since these are internal sites.
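The check the comment above describes, the browser comparing the name it connected to against the names in the certificate, as an added example that is not code from the post or its author. It implements the usual rule (subjectAltName DNS entries when present, otherwise the subject CN; a wildcard only as the whole leftmost label) over the dict layout Python's ssl.getpeercert() returns, and the certificates in it are constructed samples, not real ones. The names web1 and web1.example.com are assumptions.

```python
"""Hostname check a browser performs against a server certificate.

Added example, not code from the post. Works over the dict layout that
ssl.getpeercert() returns; the sample certificates below are constructed.
"""


def _dns_names(cert):
    """DNS identities the cert is valid for: subjectAltName dNSName entries,
    or the subject commonName only when the cert has no SAN at all."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans  # a SAN is present: the CN is ignored entirely
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def _name_matches(pattern, hostname):
    """Case-insensitive match of one certificate name against the hostname.

    A '*' is accepted only as the entire leftmost label and matches exactly
    one label: '*.example.com' covers 'web1.example.com' but neither
    'example.com' nor 'a.b.example.com'. Partial wildcards are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition(".")
    if head != "*" or "*" in tail or not tail:
        return False
    host_head, _, host_tail = hostname.partition(".")
    return host_head != "" and host_tail == tail


def hostname_matches(cert, hostname):
    """True when any DNS identity in the cert covers the hostname."""
    return any(_name_matches(p, hostname) for p in _dns_names(cert))


def bad_cert_domain(cert, hostname):
    """True when a browser would raise ssl_error_bad_cert_domain."""
    return not hostname_matches(cert, hostname)


# Constructed sample certificates in ssl.getpeercert() layout (assumed names).
FQDN_ONLY_CERT = {
    "subject": ((("commonName", "web1.example.com"),),),
}
SAN_CERT = {
    "subject": ((("commonName", "web1.example.com"),),),
    "subjectAltName": (("DNS", "web1.example.com"), ("DNS", "web1")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}

if __name__ == "__main__":
    cases = [
        (FQDN_ONLY_CERT, "web1"),             # the post's failure: short name
        (FQDN_ONLY_CERT, "web1.example.com"),  # FQDN: fine
        (SAN_CERT, "web1"),                    # SAN lists the short name: fine
        (WILDCARD_CERT, "web1.example.com"),   # wildcard covers one label: fine
        (WILDCARD_CERT, "web1"),               # wildcard never covers a bare name
    ]
    for cert, name in cases:
        verdict = "ssl_error_bad_cert_domain" if bad_cert_domain(cert, name) else "ok"
        print(f"{name:18} -> {verdict}")
```

The short-name case fails against the FQDN-only certificate exactly as the post describes, and passes once the short name appears as a subjectAltName entry; note that as soon as a SAN is present the CN stops counting, so a SAN certificate must repeat the FQDN rather than rely on the CN for it.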
