Resolving x509: Common Name certificate error

If you're getting the error "x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0", the TLS certificate in use names the host only in its Common Name and carries no subjectAlternativeName (SAN) extension.

RFC 2818 describes two methods to match a domain name against a certificate: using the names in the subjectAlternativeName extension, or, in the absence of a SAN extension, falling back to the commonName.

The fallback to the commonName was already deprecated by RFC 2818 itself (published in 2000), but support still remains in a number of TLS clients, often implemented incorrectly.

https://www.chromestatus.com/feature/4981025180483584
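To tell at a glance whether a certificate is affected, the following Go program (added here as an illustration; it is not PrivX code) applies the same host name check Go's TLS client performs. It generates two constructed self-signed certificates for the hypothetical host privx.example.com, one naming the host only in the Common Name and one in a SAN extension, and reports what VerifyHostname says about each. Diagnose can equally be pointed at a real PEM certificate read from disk, and WorkaroundEnabled shows how the runtime reads the GODEBUG flag.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"strings"
	"time"
)

var oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17} // id-ce-subjectAltName, RFC 5280 4.2.1.6

// HasSANExtension reports whether a subjectAltName extension is present at all; that alone disables CN fallback.
func HasSANExtension(c *x509.Certificate) bool {
	for _, ext := range c.Extensions {
		if ext.Id.Equal(oidSubjectAltName) {
			return true
		}
	}
	return false
}

// WorkaroundEnabled reports whether a GODEBUG value contains exactly x509ignoreCN=0.
// Go compares GODEBUG keys case-sensitively, so the lowercase x509ignorecn=0 is ignored.
func WorkaroundEnabled(godebug string) bool {
	for _, kv := range strings.Split(godebug, ",") {
		if kv == "x509ignoreCN=0" {
			return true
		}
	}
	return false
}

type Diagnosis struct {
	CommonName  string
	HasSAN      bool
	VerifyError string // empty when VerifyHostname accepted the host name
}

// Diagnose parses the first CERTIFICATE PEM block and runs the host name check a Go TLS client performs.
func Diagnose(pemData []byte, host string) (Diagnosis, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return Diagnosis{}, fmt.Errorf("no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return Diagnosis{}, err
	}
	d := Diagnosis{CommonName: cert.Subject.CommonName, HasSAN: HasSANExtension(cert)}
	if err := cert.VerifyHostname(host); err != nil {
		d.VerifyError = err.Error()
	}
	return d, nil
}

// selfSigned builds a constructed test certificate; with sans=false the host appears only in the Subject CN.
func selfSigned(host string, sans bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if sans {
		tmpl.DNSNames = []string{host} // this is what emits the SAN extension
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	const host = "privx.example.com" // hypothetical host name
	fmt.Println("GODEBUG workaround active:", WorkaroundEnabled(os.Getenv("GODEBUG")))
	for _, sans := range []bool{false, true} {
		pemData, err := selfSigned(host, sans)
		if err != nil {
			panic(err)
		}
		d, err := Diagnose(pemData, host)
		if err != nil {
			panic(err)
		}
		fmt.Printf("SAN present=%-5v CN=%q error=%q\n", d.HasSAN, d.CommonName, d.VerifyError)
	}
}
```

The CN-only certificate fails VerifyHostname with the "legacy Common Name" error while the SAN certificate passes, even though both name the same host. Run the program with and without GODEBUG=x509ignoreCN=0 in the environment to see which spelling the runtime honours; on Go 1.17 and later the flag no longer exists, so the CN-only certificate is rejected regardless.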

PrivX 16 dropped support for certificates without a SAN extension; modern browsers did the same some time ago. You should reissue the certificate with a subjectAlternativeName extension listing the host names it is served under, but if for some reason this is not possible, you can enable a workaround by performing the following steps as root:

  1. Add the environment variable GODEBUG=x509ignoreCN=0 to /etc/environment. The GODEBUG key is case-sensitive: x509ignorecn=0 is silently ignored.

  2. Restart PrivX:

    systemctl restart privx

Note that x509ignoreCN is a temporary switch in the Go runtime (Go 1.15 and 1.16); Go 1.17 removed it, so the only durable fix is a certificate with a SAN extension.

More information:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/add-san-to-secure-ldap-certificate

