These docs are for v17.

Resolving x509: Common Name certificate error

Symptom

You encounter the error: x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

Root cause

RFC 2818 describes two methods to match a domain name against a certificate: using the names in the subjectAlternativeName (SAN) extension, or, only in the absence of a SAN extension, falling back to the commonName (CN) of the subject.

The fallback to the commonName was already deprecated in RFC 2818 (published in 2000), but support for it still remains in a number of TLS clients, often implemented incorrectly.

https://www.chromestatus.com/feature/4981025180483584

PrivX 16 dropped support for certificates without a SAN extension. Modern browsers dropped the commonName fallback some time ago.

Solutions

📘 Note

Update your legacy certificates as soon as possible! This workaround for supporting legacy x509 certificates is temporary and not guaranteed to be available in future releases.

In PrivX 16.x

  1. Enable legacy-x509-certificate support:
    # echo "GODEBUG=x509ignoreCN=0" >> /etc/environment

  2. Re-login or reboot the PrivX host
  3. Restart PrivX:
    # systemctl restart privx


In PrivX 17.0

  1. Enable legacy-x509-certificate support:
    # echo "GODEBUG=x509ignoreCN=0" >> /opt/privx/scripts/local-env

  2. Restart PrivX:
    # systemctl restart privx


More information

https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/add-san-to-secure-ldap-certificate