Resolving x509: Common Name certificate error
Symptom
You encounter the following error when connecting to a target whose certificate carries the host name only in the Common Name field: x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0
Root cause
RFC 2818 describes two methods for matching a domain name against a certificate: using the names in the subjectAlternativeName (SAN) extension, or, in the absence of a SAN extension, falling back to the commonName (CN) in the subject.
The commonName fallback was already deprecated in RFC 2818 (published in 2000), but support for it still remains in a number of TLS clients, and is often implemented incorrectly.
https://www.chromestatus.com/feature/4981025180483584
PrivX 16 dropped support for certificates without a SAN extension; modern browsers did the same some time ago.
Solutions
Note
Update your legacy certificates as soon as possible. This workaround for supporting legacy x509 certificates is temporary and is not guaranteed to be available in future releases.
In PrivX 16.x
- Enable legacy x509 certificate support by adding the GODEBUG setting to the system environment:
# echo "GODEBUG=x509ignoreCN=0" >> /etc/environment
- Log in again or reboot the PrivX host so that the new environment setting takes effect
- Restart PrivX
# systemctl restart privx
In PrivX 17.0
- Enable legacy x509 certificate support by adding the GODEBUG setting to the PrivX local environment file:
# echo "GODEBUG=x509ignoreCN=0" >> /opt/privx/scripts/local-env
- Restart PrivX
# systemctl restart privx
More information